From the list of LSM hook definitions https://github.com/torvalds/linux/blob/v5.18/include/linux/lsm_hook_defs.h#L179 I can see the file_open hook.

I looked into the definition of the openat syscall https://elixir.bootlin.com/linux/v5.18/source/fs/open.c#L1233

Then I tried looking into the functions that it calls, do_sys_op -> do_sys_openat. From there, it becomes harder to determine where the hook is actually called. And I'm actually not sure how security_file_open is called.
Is there a general way to determine if a syscall has an LSM hook?
Probably the easiest way is to use the in-kernel function graph profiler. It can be used via the trace-cmd wrapper, or directly via tracefs.

trace-cmd

Directly via tracefs

trace-cmd is just a wrapper over the ftrace API, and the same could be achieved without it, only less conveniently. Although, I suggest you use trace-cmd since it's much more convenient.

perf ftrace

Another option would be the perf ftrace command, which also uses ftrace with the function_graph profiler.

As an output, you'll get a function call graph from the kernel. Obviously, you will not see inlined or static functions in this graph.

Then you can just search for functions that start with the security_ prefix, and in this call graph you'll be able to determine by which function they were called and in what order, since many syscalls trigger more than a single LSM hook.
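A worked version of the "directly via tracefs" route, added here as an example and not code from the answer above or from the kernel tree: `capture_graph` records a function_graph trace of a single command through tracefs (it assumes root, tracefs mounted at `/sys/kernel/tracing`, and a kernel built with `CONFIG_FUNCTION_GRAPH_TRACER`), and `list_lsm_hooks` walks the `{` / `}` nesting of that output and prints every `security_*` call together with the function that called it, in call order. `SAMPLE_TRACE` is a constructed, abbreviated function_graph output for an `openat(2)` call, included only so the parser can be exercised without root; the exact call chain on a real kernel will differ.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumptions: root, tracefs at
# $TRACEFS, CONFIG_FUNCTION_GRAPH_TRACER=y. Older kernels expose tracefs under
# /sys/kernel/debug/tracing instead; override TRACEFS in that case.
TRACEFS=${TRACEFS:-/sys/kernel/tracing}

# capture_graph OUTFILE CMD [ARGS...]
# Trace only CMD's own PID with the function_graph tracer and save the result.
capture_graph() {
    out=$1; shift
    echo 0 > "$TRACEFS/tracing_on"
    echo nop > "$TRACEFS/current_tracer"
    echo > "$TRACEFS/trace"                # clear the ring buffer
    echo > "$TRACEFS/set_ftrace_pid"       # an O_TRUNC open clears the PID filter
    echo function_graph > "$TRACEFS/current_tracer"
    echo 1 > "$TRACEFS/tracing_on"
    # The inner shell registers its own PID, then exec's the workload, so the
    # workload keeps that PID and only its kernel calls end up in the graph.
    sh -c 'echo $$ > "$0/set_ftrace_pid"; exec "$@"' "$TRACEFS" "$@"
    echo 0 > "$TRACEFS/tracing_on"
    cat "$TRACEFS/trace" > "$out"
    echo > "$TRACEFS/set_ftrace_pid"
    echo nop > "$TRACEFS/current_tracer"
}

# list_lsm_hooks [FILE...]   (reads stdin when no file is given)
# Prints "hook <- caller" for every security_* function in a function_graph
# trace. Nesting is recovered from "name() {" (entry) and "}" (exit) lines;
# "name();" is a leaf call. Header lines start with '#' and are skipped.
list_lsm_hooks() {
    awk '
    function report(hook) {
        printf "%s <- %s\n", hook, (depth > 0 ? stack[depth] : "?")
    }
    /^#/ { next }
    { sub(/^[^|]*[|] */, "") }                 # drop the "CPU)  DURATION  |" columns
    /\(\) [{][ \t]*$/ {                        # entry of a non-leaf function: push it
        name = $0; sub(/\(\) [{][ \t]*$/, "", name)
        if (name ~ /^security_/) report(name)
        stack[++depth] = name
        next
    }
    /^[}]/ { if (depth > 0) depth--; next }    # return: pop the caller stack
    /\(\);[ \t]*$/ {                           # leaf call
        name = $0; sub(/\(\);[ \t]*$/, "", name)
        if (name ~ /^security_/) report(name)
    }
    ' "$@"
}

# Constructed, abbreviated sample of function_graph output for openat(2);
# durations and the exact set of frames are illustrative only.
SAMPLE_TRACE='# tracer: function_graph
#
# CPU  DURATION                  FUNCTION CALLS
# |     |   |                     |   |   |   |
 2)               |  __x64_sys_openat() {
 2)               |    do_sys_openat2() {
 2)               |      do_filp_open() {
 2)               |        path_openat() {
 2)               |          alloc_empty_file() {
 2)   0.298 us    |            security_file_alloc();
 2)   1.102 us    |          }
 2)   0.312 us    |          security_inode_permission();
 2)               |          vfs_open() {
 2)               |            do_dentry_open() {
 2)   0.654 us    |              security_file_open();
 2)   1.420 us    |            }
 2)   1.880 us    |          }
 2)   3.112 us    |        }
 2)   3.560 us    |      }
 2)   3.901 us    |    }
 2)   4.203 us    |  }'

# Run as "script --capture cat /etc/hostname" (as root) to trace a real command;
# with no arguments it just parses the constructed sample.
if [ "${1:-}" = "--capture" ]; then
    shift
    capture_graph /tmp/openat-graph.txt "$@" && list_lsm_hooks /tmp/openat-graph.txt
else
    printf '%s\n' "$SAMPLE_TRACE" | list_lsm_hooks
fi
```

Because the parser keys on the braces rather than on indentation, it also copes with the `funcgraph-proc` and `funcgraph-tail` output options, which only change what appears before the `|` column or after the closing `}`. If you prefer trace-cmd, the capture function collapses to `trace-cmd record -p function_graph -F <cmd>` followed by `trace-cmd report`; the grep-for-`security_` idea is the same either way.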