summaryrefslogtreecommitdiffstats
path: root/man2/ptrace.2
diff options
context:
space:
mode:
Diffstat (limited to 'man2/ptrace.2')
-rw-r--r--man2/ptrace.2348
1 files changed, 180 insertions, 168 deletions
diff --git a/man2/ptrace.2 b/man2/ptrace.2
index 4149a32..1cd9966 100644
--- a/man2/ptrace.2
+++ b/man2/ptrace.2
@@ -83,7 +83,7 @@
.\"
.\" and others that can be found in the arch/*/include/uapi/asm/ptrace files
.\"
-.TH ptrace 2 2023-03-30 "Linux man-pages 6.05.01"
+.TH ptrace 2 2024-03-03 "Linux man-pages 6.7"
.SH NAME
ptrace \- process trace
.SH LIBRARY
@@ -92,8 +92,8 @@ Standard C library
.SH SYNOPSIS
.nf
.B #include <sys/ptrace.h>
-.PP
-.BI "long ptrace(enum __ptrace_request " request ", pid_t " pid ,
+.P
+.BI "long ptrace(enum __ptrace_request " op ", pid_t " pid ,
.BI " void *" addr ", void *" data );
.fi
.SH DESCRIPTION
@@ -104,7 +104,7 @@ may observe and control the execution of another process (the "tracee"),
and examine and change the tracee's memory and registers.
It is primarily used to implement breakpoint debugging and system
call tracing.
-.PP
+.P
A tracee first needs to be attached to the tracer.
Attachment and subsequent commands are per thread:
in a multithreaded process,
@@ -115,23 +115,23 @@ Therefore, "tracee" always means "(one) thread",
never "a (possibly multithreaded) process".
Ptrace commands are always sent to
a specific tracee using a call of the form
-.PP
+.P
.in +4n
.EX
ptrace(PTRACE_foo, pid, ...)
.EE
.in
-.PP
+.P
where
.I pid
is the thread ID of the corresponding Linux thread.
-.PP
+.P
(Note that in this page, a "multithreaded process"
means a thread group consisting of threads created using the
.BR clone (2)
.B CLONE_THREAD
flag.)
-.PP
+.P
A process can initiate a trace by calling
.BR fork (2)
and having the resulting child do a
@@ -142,7 +142,7 @@ Alternatively, one process may commence tracing another process using
.B PTRACE_ATTACH
or
.BR PTRACE_SEIZE .
-.PP
+.P
While being traced, the tracee will stop each time a signal is delivered,
even if the signal is being ignored.
(An exception is
@@ -155,11 +155,11 @@ The tracer will be notified at its next call to
value containing information that indicates
the cause of the stop in the tracee.
While the tracee is stopped,
-the tracer can use various ptrace requests to inspect and modify the tracee.
+the tracer can use various ptrace operations to inspect and modify the tracee.
The tracer then causes the tracee to continue,
optionally ignoring the delivered signal
(or even delivering a different signal instead).
-.PP
+.P
If the
.B PTRACE_O_TRACEEXEC
option is not in effect, all successful calls to
@@ -169,18 +169,18 @@ by the traced process will cause it to be sent a
signal,
giving the parent a chance to gain control before the new program
begins execution.
-.PP
+.P
When the tracer is finished tracing, it can cause the tracee to continue
executing in a normal, untraced mode via
.BR PTRACE_DETACH .
-.PP
+.P
The value of
-.I request
-determines the action to be performed:
+.I op
+determines the operation to be performed:
.TP
.B PTRACE_TRACEME
Indicate that this process is to be traced by its parent.
-A process probably shouldn't make this request if its parent
+A process probably shouldn't make this operation if its parent
isn't expecting to trace it.
.RI ( pid ,
.IR addr ,
@@ -190,12 +190,12 @@ are ignored.)
.IP
The
.B PTRACE_TRACEME
-request is used only by the tracee;
-the remaining requests are used only by the tracer.
-In the following requests,
+operation is used only by the tracee;
+the remaining operations are used only by the tracer.
+In the following operations,
.I pid
specifies the thread ID of the tracee to be acted on.
-For requests other than
+For operations other than
.BR PTRACE_ATTACH ,
.BR PTRACE_SEIZE ,
.BR PTRACE_INTERRUPT ,
@@ -203,14 +203,16 @@ and
.BR PTRACE_KILL ,
the tracee must be stopped.
.TP
-.BR PTRACE_PEEKTEXT ", " PTRACE_PEEKDATA
+.B PTRACE_PEEKTEXT
+.TQ
+.B PTRACE_PEEKDATA
Read a word at the address
.I addr
in the tracee's memory, returning the word as the result of the
.BR ptrace ()
call.
Linux does not have separate text and data address spaces,
-so these two requests are currently equivalent.
+so these two operations are currently equivalent.
.RI ( data
is ignored; but see NOTES.)
.TP
@@ -232,7 +234,9 @@ See NOTES.
.RI ( data
is ignored; but see NOTES.)
.TP
-.BR PTRACE_POKETEXT ", " PTRACE_POKEDATA
+.B PTRACE_POKETEXT
+.TQ
+.B PTRACE_POKEDATA
Copy the word
.I data
to the address
@@ -242,7 +246,7 @@ As for
.B PTRACE_PEEKTEXT
and
.BR PTRACE_PEEKDATA ,
-these two requests are currently equivalent.
+these two operations are currently equivalent.
.TP
.B PTRACE_POKEUSER
.\" PTRACE_POKEUSR in kernel source, but glibc uses PTRACE_POKEUSER,
@@ -260,7 +264,9 @@ some modifications to the USER area are disallowed.
.\" FIXME In the preceding sentence, which modifications are disallowed,
.\" and when they are disallowed, how does user space discover that fact?
.TP
-.BR PTRACE_GETREGS ", " PTRACE_GETFPREGS
+.B PTRACE_GETREGS
+.TQ
+.B PTRACE_GETFPREGS
Copy the tracee's general-purpose or floating-point registers,
respectively, to the address
.I data
@@ -304,7 +310,9 @@ On return, the kernel modifies
.B iov.len
to indicate the actual number of bytes returned.
.TP
-.BR PTRACE_SETREGS ", " PTRACE_SETFPREGS
+.B PTRACE_SETREGS
+.TQ
+.B PTRACE_SETFPREGS
Modify the tracee's general-purpose or floating-point registers,
respectively, from the address
.I data
@@ -391,7 +399,7 @@ field includes information
.RB ( __SI_CHLD ,
.BR __SI_FAULT ,
etc.) that are not otherwise exposed to user space.
-.PP
+.P
.in +4n
.EX
struct ptrace_peeksiginfo_args {
@@ -696,7 +704,9 @@ whether a signal sent to the tracee is delivered or not.
.RI ( addr
is ignored.)
.TP
-.BR PTRACE_SYSCALL ", " PTRACE_SINGLESTEP
+.B PTRACE_SYSCALL
+.TQ
+.B PTRACE_SINGLESTEP
Restart the stopped tracee as for
.BR PTRACE_CONT ,
but arrange for the tracee to be stopped at
@@ -730,7 +740,7 @@ argument.
The
.I addr
argument is ignored.
-This request is currently
+This operation is currently
.\" As of 4.19-rc2
supported only on arm (and arm64, though only for backwards compatibility),
.\" commit 27aa55c5e5123fa8b8ad0156559d34d7edff58ca
@@ -740,7 +750,9 @@ system call number in).
.\" see change_syscall in tools/testing/selftests/seccomp/seccomp_bpf.c
.\" and also strace's linux/*/set_scno.c files.
.TP
-.BR PTRACE_SYSEMU ", " PTRACE_SYSEMU_SINGLESTEP " (since Linux 2.6.14)"
+.B PTRACE_SYSEMU
+.TQ
+.BR PTRACE_SYSEMU_SINGLESTEP " (since Linux 2.6.14)"
For
.BR PTRACE_SYSEMU ,
continue and stop on entry to the next system call,
@@ -758,7 +770,7 @@ argument is treated as for
The
.I addr
argument is ignored.
-These requests are currently
+These operations are currently
.\" As at 3.7
supported only on x86.
.TP
@@ -1130,7 +1142,7 @@ all threads exit.
Tracees report their death to their tracer(s).
Notification of this event is delivered via
.BR waitpid (2).
-.PP
+.P
Note that the killing signal will first cause signal-delivery-stop
(on one tracee only),
and only after it is injected by the tracer
@@ -1139,7 +1151,7 @@ will death from the signal happen on
.I all
tracees within a multithreaded process.
(The term "signal-delivery-stop" is explained below.)
-.PP
+.P
.B SIGKILL
does not generate signal-delivery-stop and
therefore the tracer can't suppress it.
@@ -1151,16 +1163,16 @@ The net effect is that
.B SIGKILL
always kills the process (all its threads),
even if some threads of the process are ptraced.
-.PP
+.P
When the tracee calls
.BR _exit (2),
it reports its death to its tracer.
Other threads are not affected.
-.PP
+.P
When any thread executes
.BR exit_group (2),
every tracee in its thread group reports its death to its tracer.
-.PP
+.P
If the
.B PTRACE_O_TRACEEXIT
option is on,
@@ -1175,7 +1187,7 @@ depending on the kernel version; see BUGS below),
and when threads are torn down on
.BR execve (2)
in a multithreaded process.
-.PP
+.P
The tracer cannot assume that the ptrace-stopped tracee exists.
There are many scenarios when the tracee may die while stopped (such as
.BR SIGKILL ).
@@ -1199,8 +1211,8 @@ ptrace operation returned
.I waitpid(WNOHANG)
may return 0 instead.
In other words, the tracee may be "not yet fully dead",
-but already refusing ptrace requests.
-.PP
+but already refusing ptrace operations.
+.P
The tracer can't assume that the tracee
.I always
ends its life by reporting
@@ -1236,11 +1248,11 @@ in group-stop before
it will not respond to signals until
.B SIGCONT
is received.
-.PP
+.P
There are many kinds of states when the tracee is stopped, and in ptrace
discussions they are often conflated.
Therefore, it is important to use precise terms.
-.PP
+.P
In this manual page, any stopped state in which the tracee is ready
to accept ptrace commands from the tracer is called
.IR ptrace-stop .
@@ -1252,18 +1264,18 @@ be further subdivided into
.IR "PTRACE_EVENT stops" ,
and so on.
These stopped states are described in detail below.
-.PP
+.P
When the running tracee enters ptrace-stop, it notifies its tracer using
.BR waitpid (2)
(or one of the other "wait" system calls).
Most of this manual page assumes that the tracer waits with:
-.PP
+.P
.in +4n
.EX
pid = waitpid(pid_or_minus_1, &status, __WALL);
.EE
.in
-.PP
+.P
Ptrace-stopped tracees are reported as returns with
.I pid
greater than 0 and
@@ -1275,7 +1287,7 @@ true.
.\" rules different if user wants to use waitid? Will waitid require
.\" WEXITED?
.\"
-.PP
+.P
The
.B __WALL
flag does not include the
@@ -1283,14 +1295,14 @@ flag does not include the
and
.B WEXITED
flags, but implies their functionality.
-.PP
+.P
Setting the
.B WCONTINUED
flag when calling
.BR waitpid (2)
is not recommended: the "continued" state is per-process and
consuming it can confuse the real parent of the tracee.
-.PP
+.P
Use of the
.B WNOHANG
flag may cause
@@ -1298,7 +1310,7 @@ flag may cause
to return 0 ("no wait results available yet")
even if the tracer knows there should be a notification.
Example:
-.PP
+.P
.in +4n
.EX
errno = 0;
@@ -1313,7 +1325,7 @@ if (errno == ESRCH) {
.\" FIXME .
.\" waitid usage? WNOWAIT?
.\" describe how wait notifications queue (or not queue)
-.PP
+.P
The following kinds of ptrace-stops exist: signal-delivery-stops,
group-stops,
.B PTRACE_EVENT
@@ -1343,7 +1355,7 @@ If the selected thread is traced, it enters signal-delivery-stop.
At this point, the signal is not yet delivered to the process,
and can be suppressed by the tracer.
If the tracer doesn't suppress the signal,
-it passes the signal to the tracee in the next ptrace restart request.
+it passes the signal to the tracee in the next ptrace restart operation.
This second step of signal delivery is called
.I "signal injection"
in this manual page.
@@ -1352,7 +1364,7 @@ signal-delivery-stop doesn't happen until the signal is unblocked,
with the usual exception that
.B SIGSTOP
can't be blocked.
-.PP
+.P
Signal-delivery-stop is observed by the tracer as
.BR waitpid (2)
returning with
@@ -1369,16 +1381,16 @@ returns a stopping signal, this may be a group-stop; see below.
.SS Signal injection and suppression
After signal-delivery-stop is observed by the tracer,
the tracer should restart the tracee with the call
-.PP
+.P
.in +4n
.EX
ptrace(PTRACE_restart, pid, 0, sig)
.EE
.in
-.PP
+.P
where
.B PTRACE_restart
-is one of the restarting ptrace requests.
+is one of the restarting ptrace operations.
If
.I sig
is 0, then a signal is not delivered.
@@ -1388,13 +1400,13 @@ is delivered.
This operation is called
.I "signal injection"
in this manual page, to distinguish it from signal-delivery-stop.
-.PP
+.P
The
.I sig
value may be different from the
.I WSTOPSIG(status)
value: the tracer can cause a different signal to be injected.
-.PP
+.P
Note that a suppressed signal still causes system calls to return
prematurely.
In this case, system calls will be restarted: the tracer will
@@ -1410,7 +1422,7 @@ signal is suppressed;
however, kernel bugs exist which cause some system calls to fail with
.B EINTR
even though no observable signal is injected to the tracee.
-.PP
+.P
Restarting ptrace commands issued in ptrace-stops other than
signal-delivery-stop are not guaranteed to inject a signal, even if
.I sig
@@ -1421,26 +1433,26 @@ may simply be ignored.
Ptrace users should not try to "create a new signal" this way: use
.BR tgkill (2)
instead.
-.PP
-The fact that signal injection requests may be ignored
+.P
+The fact that signal injection operations may be ignored
when restarting the tracee after
ptrace stops that are not signal-delivery-stops
is a cause of confusion among ptrace users.
One typical scenario is that the tracer observes group-stop,
mistakes it for signal-delivery-stop, restarts the tracee with
-.PP
+.P
.in +4n
.EX
ptrace(PTRACE_restart, pid, 0, stopsig)
.EE
.in
-.PP
+.P
with the intention of injecting
.IR stopsig ,
but
.I stopsig
gets ignored and the tracee continues to run.
-.PP
+.P
The
.B SIGCONT
signal has a side effect of waking up (all threads of)
@@ -1460,11 +1472,11 @@ was delivered.
In other words,
.B SIGCONT
may be not the first signal observed by the tracee after it was sent.
-.PP
+.P
Stopping signals cause (all threads of) a process to enter group-stop.
This side effect happens after signal injection, and therefore can be
suppressed by the tracer.
-.PP
+.P
In Linux 2.4 and earlier, the
.B SIGSTOP
signal can't be injected.
@@ -1474,7 +1486,7 @@ signal can't be injected.
.\" /* The debugger continued. Ignore SIGSTOP. */
.\" if (signr == SIGSTOP)
.\" continue;
-.PP
+.P
.B PTRACE_GETSIGINFO
can be used to retrieve a
.I siginfo_t
@@ -1503,7 +1515,7 @@ will group-stop be initiated on
tracees within the multithreaded process.
As usual, every tracee reports its group-stop separately
to the corresponding tracer.
-.PP
+.P
Group-stop is observed by the tracer as
.BR waitpid (2)
returning with
@@ -1512,13 +1524,13 @@ true, with the stopping signal available via
.IR WSTOPSIG(status) .
The same result is returned by some other classes of ptrace-stops,
therefore the recommended practice is to perform the call
-.PP
+.P
.in +4n
.EX
ptrace(PTRACE_GETSIGINFO, pid, 0, &siginfo)
.EE
.in
-.PP
+.P
The call can be avoided if the signal is not
.BR SIGSTOP ,
.BR SIGTSTP ,
@@ -1539,7 +1551,7 @@ then it is definitely a group-stop.
("no such process") if a
.B SIGKILL
killed the tracee.)
-.PP
+.P
If tracee was attached using
.BR PTRACE_SEIZE ,
group-stop is indicated by
@@ -1549,7 +1561,7 @@ This allows detection of group-stops
without requiring an extra
.B PTRACE_GETSIGINFO
call.
-.PP
+.P
As of Linux 2.6.38,
after the tracer sees the tracee ptrace-stop and until it
restarts or kills it, the tracee will not run,
@@ -1558,7 +1570,7 @@ and will not send notifications (except
death) to the tracer, even if the tracer enters into another
.BR waitpid (2)
call.
-.PP
+.P
The kernel behavior described in the previous paragraph
causes a problem with transparent handling of stopping signals.
If the tracer restarts the tracee after group-stop,
@@ -1572,7 +1584,7 @@ signals will not be reported to the tracer;
this would cause the
.B SIGCONT
signals to have no effect on the tracee.
-.PP
+.P
Since Linux 3.4, there is a method to overcome this problem: instead of
.BR PTRACE_CONT ,
a
@@ -1589,7 +1601,7 @@ If the tracer sets
options, the tracee will enter ptrace-stops called
.B PTRACE_EVENT
stops.
-.PP
+.P
.B PTRACE_EVENT
stops are observed by the tracer as
.BR waitpid (2)
@@ -1606,13 +1618,13 @@ An additional bit is set in the higher byte of the status word:
the value
.I status>>8
will be
-.PP
+.P
.in +4n
.EX
((PTRACE_EVENT_foo<<8) | SIGTRAP).
.EE
.in
-.PP
+.P
The following events exist:
.TP
.B PTRACE_EVENT_VFORK
@@ -1649,7 +1661,7 @@ with the
.B CLONE_VFORK
flag,
but after the child unblocked this tracee by exiting or execing.
-.PP
+.P
For all four stops described above,
the stop occurs in the parent (i.e., the tracee),
not in the newly created thread.
@@ -1698,7 +1710,7 @@ portion of the seccomp filter rule) can be retrieved with
.BR PTRACE_GETEVENTMSG .
The semantics of this stop are described in
detail in a separate section below.
-.PP
+.P
.B PTRACE_GETSIGINFO
on
.B PTRACE_EVENT
@@ -1737,7 +1749,7 @@ Note that all mentions
.B PTRACE_SYSEMU
apply equally to
.BR PTRACE_SYSEMU_SINGLESTEP .
-.PP
+.P
However, even if the tracee was continued using
.BR PTRACE_SYSCALL ,
it is not guaranteed that the next stop will be a syscall-exit-stop.
@@ -1754,7 +1766,7 @@ or die silently (if it is a thread group leader, the
happened in another thread,
and that thread is not traced by the same tracer;
this situation is discussed later).
-.PP
+.P
Syscall-enter-stop and syscall-exit-stop are observed by the tracer as
.BR waitpid (2)
returning with
@@ -1769,7 +1781,7 @@ option was set by the tracer, then
.I WSTOPSIG(status)
will give the value
.IR "(SIGTRAP\ |\ 0x80)" .
-.PP
+.P
Syscall-stops can be distinguished from signal-delivery-stop with
.B SIGTRAP
by querying
@@ -1786,7 +1798,7 @@ for example, a system call
etc.),
expiration of a POSIX timer,
change of state on a POSIX message queue,
-or completion of an asynchronous I/O request.
+or completion of an asynchronous I/O operation.
.TP
.IR si_code " == SI_KERNEL (0x80)"
.B SIGTRAP
@@ -1794,12 +1806,12 @@ was sent by the kernel.
.TP
.IR si_code " == SIGTRAP or " si_code " == (SIGTRAP|0x80)"
This is a syscall-stop.
-.PP
+.P
However, syscall-stops happen very often (twice per system call),
and performing
.B PTRACE_GETSIGINFO
for every syscall-stop may be somewhat expensive.
-.PP
+.P
Some architectures allow the cases to be distinguished
by examining registers.
For example, on x86,
@@ -1822,13 +1834,13 @@ looks like "syscall-stop which is not syscall-enter-stop";
in other words, it looks like a
"stray syscall-exit-stop" and can be detected this way.
But such detection is fragile and is best avoided.
-.PP
+.P
Using the
.B PTRACE_O_TRACESYSGOOD
option is the recommended method to distinguish syscall-stops
from other kinds of ptrace-stops,
since it is reliable and does not incur a performance penalty.
-.PP
+.P
Syscall-enter-stop and syscall-exit-stop are
indistinguishable from each other by the tracer.
The tracer needs to keep track of the sequence of
@@ -1843,12 +1855,12 @@ However, note that seccomp stops (see below) can cause syscall-exit-stops,
without preceding syscall-entry-stops.
If seccomp is in use, care needs
to be taken not to misinterpret such stops as syscall-entry-stops.
-.PP
+.P
If after syscall-enter-stop,
the tracer uses a restarting command other than
.BR PTRACE_SYSCALL ,
syscall-exit-stop is not generated.
-.PP
+.P
.B PTRACE_GETSIGINFO
on syscall-stops returns
.B SIGTRAP
@@ -1869,7 +1881,7 @@ of ptrace stops has changed between kernel versions.
This documents the behavior
from their introduction until Linux 4.7 (inclusive).
The behavior in later kernel versions is documented in the next section.
-.PP
+.P
A
.B PTRACE_EVENT_SECCOMP
stop occurs whenever a
@@ -1879,7 +1891,7 @@ This is independent of which methods was used to restart the system call.
Notably, seccomp still runs even if the tracee was restarted using
.B PTRACE_SYSEMU
and this system call is unconditionally skipped.
-.PP
+.P
Restarts from this stop will behave as if the stop had occurred right
before the system call in question.
In particular, both
@@ -1909,7 +1921,7 @@ Note that seccomp no longer runs (and no
.B PTRACE_EVENT_SECCOMP
will be reported) if the system call is skipped due to
.BR PTRACE_SYSEMU .
-.PP
+.P
Functionally, a
.B PTRACE_EVENT_SECCOMP
stop functions comparably
@@ -1920,7 +1932,7 @@ the system call number may be changed and any other modified registers
are visible to the to-be-executed system call as well).
Note that there may be,
but need not have been a preceding syscall-entry-stop.
-.PP
+.P
After a
.B PTRACE_EVENT_SECCOMP
stop, seccomp will be rerun, with a
@@ -1947,12 +1959,12 @@ and
.BR PTRACE_KILL )
require the tracee to be in a ptrace-stop, otherwise they fail with
.BR ESRCH .
-.PP
+.P
When the tracee is in ptrace-stop,
the tracer can read and write data to
the tracee using informational commands.
These commands leave the tracee in ptrace-stopped state:
-.PP
+.P
.in +4n
.EX
ptrace(PTRACE_PEEKTEXT/PEEKDATA/PEEKUSER, pid, addr, 0);
@@ -1967,7 +1979,7 @@ ptrace(PTRACE_GETEVENTMSG, pid, 0, &long_var);
ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags);
.EE
.in
-.PP
+.P
Note that some errors are not reported.
For example, setting signal information
.RI ( siginfo )
@@ -1978,15 +1990,15 @@ querying
.B PTRACE_GETEVENTMSG
may succeed and return some random value if current ptrace-stop
is not documented as returning a meaningful event message.
-.PP
+.P
The call
-.PP
+.P
.in +4n
.EX
ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags);
.EE
.in
-.PP
+.P
affects one tracee.
The tracee's current flags are replaced.
Flags are inherited by new tracees created and "auto-attached" via active
@@ -1995,16 +2007,16 @@ Flags are inherited by new tracees created and "auto-attached" via active
or
.B PTRACE_O_TRACECLONE
options.
-.PP
+.P
Another group of commands makes the ptrace-stopped tracee run.
They have the form:
-.PP
+.P
.in +4n
.EX
ptrace(cmd, pid, 0, sig);
.EE
.in
-.PP
+.P
where
.I cmd
is
@@ -2027,21 +2039,21 @@ recommended practice is to always pass 0 in
.IR sig .)
.SS Attaching and detaching
A thread can be attached to the tracer using the call
-.PP
+.P
.in +4n
.EX
ptrace(PTRACE_ATTACH, pid, 0, 0);
.EE
.in
-.PP
+.P
or
-.PP
+.P
.in +4n
.EX
ptrace(PTRACE_SEIZE, pid, 0, PTRACE_O_flags);
.EE
.in
-.PP
+.P
.B PTRACE_ATTACH
sends
.B SIGSTOP
@@ -2065,14 +2077,14 @@ may race and the concurrent
may be lost.
.\"
.\" FIXME Describe how to attach to a thread which is already group-stopped.
-.PP
+.P
Since attaching sends
.B SIGSTOP
and the tracer usually suppresses it, this may cause a stray
.B EINTR
return from the currently executing system call in the tracee,
as described in the "Signal injection and suppression" section.
-.PP
+.P
Since Linux 3.4,
.B PTRACE_SEIZE
can be used instead of
@@ -2084,30 +2096,30 @@ it after attach (or at any other time) without sending it any signals,
use
.B PTRACE_INTERRUPT
command.
-.PP
-The request
-.PP
+.P
+The operation
+.P
.in +4n
.EX
ptrace(PTRACE_TRACEME, 0, 0, 0);
.EE
.in
-.PP
+.P
turns the calling thread into a tracee.
The thread continues to run (doesn't enter ptrace-stop).
A common practice is to follow the
.B PTRACE_TRACEME
with
-.PP
+.P
.in +4n
.EX
raise(SIGSTOP);
.EE
.in
-.PP
+.P
and allow the parent (which is our tracer now) to observe our
signal-delivery-stop.
-.PP
+.P
If the
.BR PTRACE_O_TRACEFORK ,
.BR PTRACE_O_TRACEVFORK ,
@@ -2131,15 +2143,15 @@ are automatically attached to the same tracer which traced their parent.
.B SIGSTOP
is delivered to the children, causing them to enter
signal-delivery-stop after they exit the system call which created them.
-.PP
+.P
Detaching of the tracee is performed by:
-.PP
+.P
.in +4n
.EX
ptrace(PTRACE_DETACH, pid, 0, sig);
.EE
.in
-.PP
+.P
.B PTRACE_DETACH
is a restarting operation;
therefore it requires the tracee to be in ptrace-stop.
@@ -2147,7 +2159,7 @@ If the tracee is in signal-delivery-stop, a signal can be injected.
Otherwise, the
.I sig
parameter may be silently ignored.
-.PP
+.P
If the tracee is running when the tracer wants to detach it,
the usual solution is to send
.B SIGSTOP
@@ -2171,7 +2183,7 @@ because no signal delivery happens while it is\[em]not even
.BR SIGSTOP .
.\" FIXME Describe how to detach from a group-stopped tracee so that it
.\" doesn't run, but continues to wait for SIGCONT.
-.PP
+.P
If the tracer dies, all tracees are automatically detached and restarted,
unless they were in group-stop.
Handling of restart from group-stop is currently buggy,
@@ -2243,10 +2255,10 @@ If the thread group leader was not traced
.BR execve (2)
it will appear as if it has become a tracee of
the tracer of the execing tracee.
-.PP
+.P
All of the above effects are the artifacts of
the thread ID change in the tracee.
-.PP
+.P
The
.B PTRACE_O_TRACEEXEC
option is the recommended tool for dealing with this situation.
@@ -2266,13 +2278,13 @@ option disables legacy
.B SIGTRAP
generation on
.BR execve (2).
-.PP
+.P
When the tracer receives
.B PTRACE_EVENT_EXEC
stop notification,
it is guaranteed that except this tracee and the thread group leader,
no other threads from the process are alive.
-.PP
+.P
On receiving the
.B PTRACE_EVENT_EXEC
stop notification,
@@ -2280,17 +2292,17 @@ the tracer should clean up all its internal
data structures describing the threads of this process,
and retain only one data structure\[em]one which
describes the single still running tracee, with
-.PP
+.P
.in +4n
.EX
thread ID == thread group ID == process ID.
.EE
.in
-.PP
+.P
Example: two threads call
.BR execve (2)
at the same time:
-.PP
+.P
.nf
*** we get syscall-enter-stop in thread 1: **
PID1 execve("/bin/foo", "foo" <unfinished ...>
@@ -2302,7 +2314,7 @@ PID2 execve("/bin/bar", "bar" <unfinished ...>
*** we get syscall-exit-stop for PID0: **
PID0 <... execve resumed> ) = 0
.fi
-.PP
+.P
If the
.B PTRACE_O_TRACEEXEC
option is
@@ -2329,7 +2341,7 @@ set to 0
.RI ( SI_USER ).
This signal may be blocked by signal mask,
and thus may be delivered (much) later.
-.PP
+.P
Usually, the tracer (for example,
.BR strace (1))
would not want to show this extra post-execve
@@ -2357,10 +2369,10 @@ This used to cause the real parent of the process to stop receiving
several kinds of
.BR waitpid (2)
notifications when the child process is traced by some other process.
-.PP
+.P
Many of these bugs have been fixed, but as of Linux 2.6.38 several still
exist; see BUGS below.
-.PP
+.P
As of Linux 2.6.38, the following is believed to work correctly:
.IP \[bu] 3
exit/death by signal is reported first to the tracer, then,
@@ -2373,21 +2385,21 @@ the report is sent only once.
.SH RETURN VALUE
On success, the
.B PTRACE_PEEK*
-requests return the requested data (but see NOTES),
+operations return the requested data (but see NOTES),
the
.B PTRACE_SECCOMP_GET_FILTER
-request returns the number of instructions in the BPF program,
+operation returns the number of instructions in the BPF program,
the
.B PTRACE_GET_SYSCALL_INFO
-request returns the number of bytes available to be written by the kernel,
-and other requests return zero.
-.PP
-On error, all requests return \-1, and
+operation returns the number of bytes available to be written by the kernel,
+and other operations return zero.
+.P
+On error, all operations return \-1, and
.I errno
is set to indicate the error.
Since the value returned by a successful
.B PTRACE_PEEK*
-request may be \-1, the caller must clear
+operation may be \-1, the caller must clear
.I errno
before the call, and then check it afterward
to determine whether or not an error occurred.
@@ -2411,11 +2423,11 @@ more or less arbitrarily.
An attempt was made to set an invalid option.
.TP
.B EIO
-.I request
+.I op
is invalid, or an attempt was made to read from or
write to an invalid area in the tracer's or the tracee's memory,
or there was a word-alignment violation,
-or an invalid signal was specified during a restart request.
+or an invalid signal was specified during a restart operation.
.TP
.B EPERM
The specified process cannot be traced.
@@ -2433,12 +2445,12 @@ or (before Linux 2.6.26) be
.B ESRCH
The specified process does not exist, or is not currently being traced
by the caller, or is not stopped
-(for requests that require a stopped tracee).
+(for operations that require a stopped tracee).
.SH STANDARDS
None.
.SH HISTORY
SVr4, 4.3BSD.
-.PP
+.P
Before Linux 2.6.26,
.\" See commit 00cd5c37afd5f431ac186dd131705048c0a11fdb
.BR init (1),
@@ -2450,7 +2462,7 @@ are interpreted according to the prototype given,
glibc currently declares
.BR ptrace ()
as a variadic function with only the
-.I request
+.I op
argument fixed.
It is recommended to always supply four arguments,
even if the requested operation does not use them,
@@ -2458,20 +2470,20 @@ setting unused/ignored arguments to
.I 0L
or
.IR "(void\ *)\ 0".
-.PP
+.P
A tracees parent continues to be the tracer even if that tracer calls
.BR execve (2).
-.PP
+.P
The layout of the contents of memory and the USER area are
quite operating-system- and architecture-specific.
The offset supplied, and the data returned,
might not entirely match with the definition of
.IR "struct user" .
.\" See http://lkml.org/lkml/2008/5/8/375
-.PP
+.P
The size of a "word" is determined by the operating-system variant
(e.g., for 32-bit Linux it is 32 bits).
-.PP
+.P
This page documents the way the
.BR ptrace ()
call works currently in Linux.
@@ -2497,7 +2509,7 @@ whether or not the "target" process is dumpable,
and the results of checks performed by any enabled Linux Security Module
(LSM)\[em]for example, SELinux, Yama, or Smack\[em]and by the commoncap LSM
(which is always invoked).
-.PP
+.P
Prior to Linux 2.6.27, all access checks were of a single type.
Since Linux 2.6.27,
.\" commit 006ebb40d3d65338bd74abb03b945f8d60e362bd
@@ -2541,7 +2553,7 @@ was effectively the default before Linux 2.6.27.)
.\" about proper handling of /proc/pid/fd. Arguably that one might belong
.\" back in the _ATTACH camp.
.\"
-.PP
+.P
Since Linux 4.5,
.\" commit caaee6234d05a58c5b4d05e7bf766131b810a657
the above access mode checks are combined (ORed) with
@@ -2555,7 +2567,7 @@ or effective capabilities for LSM checks.
.B PTRACE_MODE_REALCREDS
Use the caller's real UID and GID or permitted capabilities for LSM checks.
This was effectively the default before Linux 4.5.
-.PP
+.P
Because combining one of the credential modifiers with one of
the aforementioned access modes is typical,
some macros are defined in the kernel sources for the combinations:
@@ -2575,7 +2587,7 @@ Defined as
.B PTRACE_MODE_ATTACH_REALCREDS
Defined as
.BR "PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS" .
-.PP
+.P
One further modifier can be ORed with the access mode:
.TP
.BR PTRACE_MODE_NOAUDIT " (since Linux 3.3)"
@@ -2591,7 +2603,7 @@ In these cases, accessing the file is not a security violation and
there is no reason to generate a security audit record.
This modifier suppresses the generation of
such an audit record for the particular access check.
-.PP
+.P
Note that all of the
.B PTRACE_MODE_*
constants described in this subsection are kernel-internal,
@@ -2602,7 +2614,7 @@ and accesses to various pseudofiles (e.g., under
.IR /proc ).
These names are used in other manual pages to provide a simple
shorthand for labeling the different kernel checks.
-.PP
+.P
The algorithm employed for ptrace access mode checking determines whether
the calling process is allowed to perform the corresponding action
on the target process.
@@ -2724,7 +2736,7 @@ a compromised process can ptrace-attach to other sensitive processes
(e.g., a GPG agent or an SSH session) owned by the user in order
to gain additional credentials that may exist in memory
and thus expand the scope of the attack.
-.PP
+.P
More precisely, the Yama LSM limits two types of operations:
.IP \[bu] 3
Any operation that performs a ptrace access mode
@@ -2736,7 +2748,7 @@ check\[em]for example,
.IP \[bu]
.BR ptrace ()
.BR PTRACE_TRACEME .
-.PP
+.P
A process that has the
.B CAP_SYS_PTRACE
capability can update the
@@ -2796,7 +2808,7 @@ operations or trace children that employ
.BR PTRACE_TRACEME .
.IP
Once this value has been written to the file, it cannot be changed.
-.PP
+.P
With respect to values 1 and 2,
note that creating a new user namespace effectively removes the
protection offered by Yama.
@@ -2817,7 +2829,7 @@ At the system call level, the
.BR PTRACE_PEEKDATA ,
and
.B PTRACE_PEEKUSER
-requests have a different API: they store the result
+operations have a different API: they store the result
at the address specified by the
.I data
parameter, and the return value is the error flag.
@@ -2834,10 +2846,10 @@ This can be worked around by redefining
to
.BR PTRACE_OLDSETOPTIONS ,
if that is defined.
-.PP
+.P
Group-stop notifications are sent to the tracer, but not to real parent.
Last confirmed on 2.6.38.6.
-.PP
+.P
If a thread group leader is traced and exits by calling
.BR _exit (2),
.\" Note from Denys Vlasenko:
@@ -2868,7 +2880,7 @@ One possible workaround is to
the thread group leader instead of restarting it in this case.
Last confirmed on 2.6.38.6.
.\" FIXME . need to test/verify this scenario
-.PP
+.P
A
.B SIGKILL
signal may still cause a
@@ -2878,7 +2890,7 @@ This may be changed in the future;
.B SIGKILL
is meant to always immediately kill tasks even under ptrace.
Last confirmed on Linux 3.13.
-.PP
+.P
Some system calls return with
.B EINTR
if a signal was sent to a tracee, but delivery was suppressed by the tracer.
@@ -2896,40 +2908,40 @@ from an
file descriptor.
The usual symptom of this bug is that when you attach to
a quiescent process with the command
-.PP
+.P
.in +4n
.EX
strace \-p <process\-ID>
.EE
.in
-.PP
+.P
then, instead of the usual
and expected one-line output such as
-.PP
+.P
.in +4n
.EX
restart_syscall(<... resuming interrupted call ...>_
.EE
.in
-.PP
+.P
or
-.PP
+.P
.in +4n
.EX
select(6, [5], NULL, [5], NULL_
.EE
.in
-.PP
+.P
('_' denotes the cursor position), you observe more than one line.
For example:
-.PP
+.P
.in +4n
.EX
clock_gettime(CLOCK_MONOTONIC, {15370, 690928118}) = 0
epoll_wait(4,_
.EE
.in
-.PP
+.P
What is not visible here is that the process was blocked in
.BR epoll_wait (2)
before
@@ -2949,7 +2961,7 @@ again.
errors may behave in an unintended way upon an
.BR strace (1)
attach.)
-.PP
+.P
Contrary to the normal rules, the glibc wrapper for
.BR ptrace ()
can set
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-10 00:01:02 +0000