This is the mail archive of the
libc-help@sourceware.org
mailing list for the glibc project.
Finding all the places a variant of close() is called
- From: Justin McCann <jneilm+libc at gmail dot com>
- To: libc-help at sourceware dot org
- Date: Fri, 19 Aug 2011 12:02:31 -0400
- Subject: Finding all the places a variant of close() is called
For a research project, I've been working on tracking socket-related
system calls in Linux. I've been relatively successful doing library
interposition using LD_PRELOAD and intercepting socket(), close(),
bind(), accept(), connect(), listen(), etc. However, I've run into
several cases where it appears the libc close() function isn't being
called, but the file descriptor is clearly being returned to the
operating system.
I've also intercepted __close(), __res_nclose(), and __res_iclose()
since some of those appeared to be used within libc itself during DNS
lookups.
It seems that there are still some cases that I miss. Other than
taking another approach (ptrace, kernel module, etc), what other
functions should I intercept to make sure I have all the ways a
program might close a file descriptor?
Am I screwing up by not also intercepting fopen, fdopen, freopen, and fclose?
Unfortunately, strace isn't of much use here, since it catches the
syscall trap and reports close(), even though it's really some other
(hidden?) libc function at the higher layer.
My problem is basically the same as described here (sorry for the
ad-laden link):
http://forum.soft32.com/linux2/LD_PRELOAD-Sockets-ftopict13597.html
Thanks for your help,
Justin