The boundary between user-space and kernel-space can be crossed using system calls (aka syscalls). These are the functions that are supported by the kernel. They can be split into some categories:
- filesystem management
- processes management
For example, to execute a binary file, the
execve syscall should be used.
We can see what system calls are invoked by any program by running
strace ls will show the system calls invoked by the
System calls are not C functions. They don’t use the call stack. Instead, we run them via interrupts on CPU. We have to set an appropriate number in registers, provide required arguments, and then we can invoke the interrupt. Linux kernel registers handler for that interrupt and it is able to act on the system call. That execution is the kernel-mode operation.
User-space programs can invoke system calls via abstraction provided by the standard C library (like glibc, musl, or other). Such a library covers the whole spectrum of syscalls that the kernel supports.
We can see which libc functions are being used by a program by using