skip to content

Reading a syscall, end to end

category: Kerneldate: 1 min read
#kernel#syscalls#linux#vfs

Syscalls feel like function calls. They aren't. A syscall is a controlled privilege transition: userland puts a number in a register, executes a special instruction, and the CPU lands in a fixed kernel entry point. Everything between is the kernel deciding whether to trust you.

C
SYSCALL_DEFINE3(openat, int, dfd, const char __user *, filename, int, flags)
{
/* 1. copy user pointer safely */
/* 2. resolve path against dfd */
/* 3. check capability + permissions */
/* 4. allocate struct file, fd */
/* 5. install into files_struct */
return do_sys_open(dfd, filename, flags, 0);
}

Every syscall is a negotiation. The kernel never assumes userland is telling the truth about anything — including the pointer it handed you.

  • copy_from_user is not memcpy. It's a safety boundary.
  • The fd table is the kernel's memory of what you're allowed to touch.
  • Reading entry_64.S once is worth a hundred blog posts.