Энциклопедия разработчика модулей ядра Linux | страница 29



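#include <linux/module.h>   /* Specifically, a module */

/* Deal with CONFIG_MODVERSIONS */
#if CONFIG_MODVERSIONS==1
#define MODVERSIONS
#include <linux/modversions.h>
#endif

#include <sys/syscall.h>    /* The list of system calls */

/* For the current (process) structure, we need
 * this to know who the current user is. */
#include <linux/sched.h>

/* In 2.2.3 /usr/include/linux/version.h includes a
 * macro for this, but 2.0.35 doesn't - so I add it
 * here if necessary. */
#ifndef KERNEL_VERSION
#define KERNEL_VERSION(a,b,c) ((a)*65536+(b)*256+(c))
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,0)
#include <asm/uaccess.h>
#endif

/* The system call table (a table of functions). We
 * just define this as external, and the kernel will
 * fill it up for us when we are insmod'ed.
 *
 * The table is global: an entry replaced in it is used by
 * every process on the machine, not only by the user being
 * watched. This listing targets the 2.0/2.2 kernels named
 * in the comments above; from the 2.6 series on the symbol
 * is no longer exported to modules, and system calls are
 * observed through supported interfaces such as the audit
 * subsystem or tracepoints. */
extern void *sys_call_table[];

/* UID we want to spy on - will be filled from the command line.
 * As a file-scope int it starts out as 0, which is root's UID,
 * until a value is supplied at insmod time. */
int uid;

/* MODULE_PARM is only used from 2.2.0 on (see the guard);
 * "i" declares the parameter as an int. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,2,0)
MODULE_PARM(uid, "i");
#endif

/* A pointer to the original system call. The reason
 * we keep this, rather than call the original function
 * (sys_open), is because somebody else might have
 * replaced the system call before us. Note that this
 * is not 100% safe, because if another module
 * replaced sys_open before us, then when we're inserted
 * we'll call the function in that module - and it
 * might be removed before we are. In that case this
 * pointer refers to code that has been unloaded, so
 * modules that patch the same entry have to be removed
 * in the reverse order of their insertion.
 *
 * Another reason for this is that we can't get sys_open.
 * It's a static variable, so it is not exported. */
asmlinkage int (*original_call)(const char *, int, int);

/* For some reason, in 2.2.3 current->uid gave me
 * zero, not the real user ID. I tried to find what went
 * wrong, but I couldn't do it in a short time, and
 * I'm lazy - so I'll just use the system call to get the
 * uid, the way a process would.
 *
 * For some reason, after I recompiled the kernel this
 * problem went away.
 *
 * Declared with (void) rather than an empty parameter
 * list, so the compiler rejects a call that passes
 * arguments by mistake.
 */
asmlinkage int (*getuid_call)(void);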

>/* The function we'll replace sys_open (the function

>* called when you call the open system call) with. To

>* find the exact prototype, with the number and type

>* of arguments, we find the original function first

>* (it's at fs/open.c).

>*

>* In theory, this means that we're tied to the

>* current version of the kernel. In practice, the

>* system calls almost never change (it would wreak havoc

>* and require programs to be recompiled, since the system

>* calls are the interface between the kernel and the processes). */