Reading a syscall, end to end
category: Kerneldate: 1 min read
#kernel#syscalls#linux#vfs
Syscalls feel like function calls. They aren't. A syscall is a controlled privilege transition: userland puts a number in a register, executes a special instruction, and the CPU lands in a fixed kernel entry point. Everything between is the kernel deciding whether to trust you.
C
SYSCALL_DEFINE3(openat, int, dfd, const char __user *, filename, int, flags){ /* 1. copy user pointer safely */ /* 2. resolve path against dfd */ /* 3. check capability + permissions */ /* 4. allocate struct file, fd */ /* 5. install into files_struct */ return do_sys_open(dfd, filename, flags, 0);}Every syscall is a negotiation. The kernel never assumes userland is telling the truth about anything — including the pointer it handed you.
copy_from_useris notmemcpy. It's a safety boundary.- The fd table is the kernel's memory of what you're allowed to touch.
- Reading
entry_64.Sonce is worth a hundred blog posts.
end of file · reading-a-syscall.md