From 0db324e2e5d9d3347ea0e93138372fb65aac09e6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 15 Apr 2024 21:41:09 +0200 Subject: Merging upstream version 6.7. Signed-off-by: Daniel Baumann --- man2/ptrace.2 | 348 ++++++++++++++++++++++++++++++---------------------------- 1 file changed, 180 insertions(+), 168 deletions(-) (limited to 'man2/ptrace.2') diff --git a/man2/ptrace.2 b/man2/ptrace.2 index 4149a32..1cd9966 100644 --- a/man2/ptrace.2 +++ b/man2/ptrace.2 @@ -83,7 +83,7 @@ .\" .\" and others that can be found in the arch/*/include/uapi/asm/ptrace files .\" -.TH ptrace 2 2023-03-30 "Linux man-pages 6.05.01" +.TH ptrace 2 2024-03-03 "Linux man-pages 6.7" .SH NAME ptrace \- process trace .SH LIBRARY @@ -92,8 +92,8 @@ Standard C library .SH SYNOPSIS .nf .B #include -.PP -.BI "long ptrace(enum __ptrace_request " request ", pid_t " pid , +.P +.BI "long ptrace(enum __ptrace_request " op ", pid_t " pid , .BI " void *" addr ", void *" data ); .fi .SH DESCRIPTION @@ -104,7 +104,7 @@ may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. It is primarily used to implement breakpoint debugging and system call tracing. -.PP +.P A tracee first needs to be attached to the tracer. Attachment and subsequent commands are per thread: in a multithreaded process, @@ -115,23 +115,23 @@ Therefore, "tracee" always means "(one) thread", never "a (possibly multithreaded) process". Ptrace commands are always sent to a specific tracee using a call of the form -.PP +.P .in +4n .EX ptrace(PTRACE_foo, pid, ...) .EE .in -.PP +.P where .I pid is the thread ID of the corresponding Linux thread. -.PP +.P (Note that in this page, a "multithreaded process" means a thread group consisting of threads created using the .BR clone (2) .B CLONE_THREAD flag.) -.PP +.P A process can initiate a trace by calling .BR fork (2) and having the resulting child do a @@ -142,7 +142,7 @@ Alternatively, one process may commence tracing another process using .B PTRACE_ATTACH or .BR PTRACE_SEIZE . -.PP +.P While being traced, the tracee will stop each time a signal is delivered, even if the signal is being ignored. (An exception is @@ -155,11 +155,11 @@ The tracer will be notified at its next call to value containing information that indicates the cause of the stop in the tracee. While the tracee is stopped, -the tracer can use various ptrace requests to inspect and modify the tracee. +the tracer can use various ptrace operations to inspect and modify the tracee. The tracer then causes the tracee to continue, optionally ignoring the delivered signal (or even delivering a different signal instead). -.PP +.P If the .B PTRACE_O_TRACEEXEC option is not in effect, all successful calls to @@ -169,18 +169,18 @@ by the traced process will cause it to be sent a signal, giving the parent a chance to gain control before the new program begins execution. -.PP +.P When the tracer is finished tracing, it can cause the tracee to continue executing in a normal, untraced mode via .BR PTRACE_DETACH . -.PP +.P The value of -.I request -determines the action to be performed: +.I op +determines the operation to be performed: .TP .B PTRACE_TRACEME Indicate that this process is to be traced by its parent. -A process probably shouldn't make this request if its parent +A process probably shouldn't make this operation if its parent isn't expecting to trace it. .RI ( pid , .IR addr , @@ -190,12 +190,12 @@ are ignored.) .IP The .B PTRACE_TRACEME -request is used only by the tracee; -the remaining requests are used only by the tracer. -In the following requests, +operation is used only by the tracee; +the remaining operations are used only by the tracer. +In the following operations, .I pid specifies the thread ID of the tracee to be acted on. -For requests other than +For operations other than .BR PTRACE_ATTACH , .BR PTRACE_SEIZE , .BR PTRACE_INTERRUPT , @@ -203,14 +203,16 @@ and .BR PTRACE_KILL , the tracee must be stopped. .TP -.BR PTRACE_PEEKTEXT ", " PTRACE_PEEKDATA +.B PTRACE_PEEKTEXT +.TQ +.B PTRACE_PEEKDATA Read a word at the address .I addr in the tracee's memory, returning the word as the result of the .BR ptrace () call. Linux does not have separate text and data address spaces, -so these two requests are currently equivalent. +so these two operations are currently equivalent. .RI ( data is ignored; but see NOTES.) .TP @@ -232,7 +234,9 @@ See NOTES. .RI ( data is ignored; but see NOTES.) .TP -.BR PTRACE_POKETEXT ", " PTRACE_POKEDATA +.B PTRACE_POKETEXT +.TQ +.B PTRACE_POKEDATA Copy the word .I data to the address @@ -242,7 +246,7 @@ As for .B PTRACE_PEEKTEXT and .BR PTRACE_PEEKDATA , -these two requests are currently equivalent. +these two operations are currently equivalent. .TP .B PTRACE_POKEUSER .\" PTRACE_POKEUSR in kernel source, but glibc uses PTRACE_POKEUSER, @@ -260,7 +264,9 @@ some modifications to the USER area are disallowed. .\" FIXME In the preceding sentence, which modifications are disallowed, .\" and when they are disallowed, how does user space discover that fact? .TP -.BR PTRACE_GETREGS ", " PTRACE_GETFPREGS +.B PTRACE_GETREGS +.TQ +.B PTRACE_GETFPREGS Copy the tracee's general-purpose or floating-point registers, respectively, to the address .I data @@ -304,7 +310,9 @@ On return, the kernel modifies .B iov.len to indicate the actual number of bytes returned. .TP -.BR PTRACE_SETREGS ", " PTRACE_SETFPREGS +.B PTRACE_SETREGS +.TQ +.B PTRACE_SETFPREGS Modify the tracee's general-purpose or floating-point registers, respectively, from the address .I data @@ -391,7 +399,7 @@ field includes information .RB ( __SI_CHLD , .BR __SI_FAULT , etc.) that are not otherwise exposed to user space. -.PP +.P .in +4n .EX struct ptrace_peeksiginfo_args { @@ -696,7 +704,9 @@ whether a signal sent to the tracee is delivered or not. .RI ( addr is ignored.) .TP -.BR PTRACE_SYSCALL ", " PTRACE_SINGLESTEP +.B PTRACE_SYSCALL +.TQ +.B PTRACE_SINGLESTEP Restart the stopped tracee as for .BR PTRACE_CONT , but arrange for the tracee to be stopped at @@ -730,7 +740,7 @@ argument. The .I addr argument is ignored. -This request is currently +This operation is currently .\" As of 4.19-rc2 supported only on arm (and arm64, though only for backwards compatibility), .\" commit 27aa55c5e5123fa8b8ad0156559d34d7edff58ca @@ -740,7 +750,9 @@ system call number in). .\" see change_syscall in tools/testing/selftests/seccomp/seccomp_bpf.c .\" and also strace's linux/*/set_scno.c files. .TP -.BR PTRACE_SYSEMU ", " PTRACE_SYSEMU_SINGLESTEP " (since Linux 2.6.14)" +.B PTRACE_SYSEMU +.TQ +.BR PTRACE_SYSEMU_SINGLESTEP " (since Linux 2.6.14)" For .BR PTRACE_SYSEMU , continue and stop on entry to the next system call, @@ -758,7 +770,7 @@ argument is treated as for The .I addr argument is ignored. -These requests are currently +These operations are currently .\" As at 3.7 supported only on x86. .TP @@ -1130,7 +1142,7 @@ all threads exit. Tracees report their death to their tracer(s). Notification of this event is delivered via .BR waitpid (2). -.PP +.P Note that the killing signal will first cause signal-delivery-stop (on one tracee only), and only after it is injected by the tracer @@ -1139,7 +1151,7 @@ will death from the signal happen on .I all tracees within a multithreaded process. (The term "signal-delivery-stop" is explained below.) -.PP +.P .B SIGKILL does not generate signal-delivery-stop and therefore the tracer can't suppress it. @@ -1151,16 +1163,16 @@ The net effect is that .B SIGKILL always kills the process (all its threads), even if some threads of the process are ptraced. -.PP +.P When the tracee calls .BR _exit (2), it reports its death to its tracer. Other threads are not affected. -.PP +.P When any thread executes .BR exit_group (2), every tracee in its thread group reports its death to its tracer. -.PP +.P If the .B PTRACE_O_TRACEEXIT option is on, @@ -1175,7 +1187,7 @@ depending on the kernel version; see BUGS below), and when threads are torn down on .BR execve (2) in a multithreaded process. -.PP +.P The tracer cannot assume that the ptrace-stopped tracee exists. There are many scenarios when the tracee may die while stopped (such as .BR SIGKILL ). @@ -1199,8 +1211,8 @@ ptrace operation returned .I waitpid(WNOHANG) may return 0 instead. In other words, the tracee may be "not yet fully dead", -but already refusing ptrace requests. -.PP +but already refusing ptrace operations. +.P The tracer can't assume that the tracee .I always ends its life by reporting @@ -1236,11 +1248,11 @@ in group-stop before it will not respond to signals until .B SIGCONT is received. -.PP +.P There are many kinds of states when the tracee is stopped, and in ptrace discussions they are often conflated. Therefore, it is important to use precise terms. -.PP +.P In this manual page, any stopped state in which the tracee is ready to accept ptrace commands from the tracer is called .IR ptrace-stop . @@ -1252,18 +1264,18 @@ be further subdivided into .IR "PTRACE_EVENT stops" , and so on. These stopped states are described in detail below. -.PP +.P When the running tracee enters ptrace-stop, it notifies its tracer using .BR waitpid (2) (or one of the other "wait" system calls). Most of this manual page assumes that the tracer waits with: -.PP +.P .in +4n .EX pid = waitpid(pid_or_minus_1, &status, __WALL); .EE .in -.PP +.P Ptrace-stopped tracees are reported as returns with .I pid greater than 0 and @@ -1275,7 +1287,7 @@ true. .\" rules different if user wants to use waitid? Will waitid require .\" WEXITED? .\" -.PP +.P The .B __WALL flag does not include the @@ -1283,14 +1295,14 @@ flag does not include the and .B WEXITED flags, but implies their functionality. -.PP +.P Setting the .B WCONTINUED flag when calling .BR waitpid (2) is not recommended: the "continued" state is per-process and consuming it can confuse the real parent of the tracee. -.PP +.P Use of the .B WNOHANG flag may cause @@ -1298,7 +1310,7 @@ flag may cause to return 0 ("no wait results available yet") even if the tracer knows there should be a notification. Example: -.PP +.P .in +4n .EX errno = 0; @@ -1313,7 +1325,7 @@ if (errno == ESRCH) { .\" FIXME . .\" waitid usage? WNOWAIT? .\" describe how wait notifications queue (or not queue) -.PP +.P The following kinds of ptrace-stops exist: signal-delivery-stops, group-stops, .B PTRACE_EVENT @@ -1343,7 +1355,7 @@ If the selected thread is traced, it enters signal-delivery-stop. At this point, the signal is not yet delivered to the process, and can be suppressed by the tracer. If the tracer doesn't suppress the signal, -it passes the signal to the tracee in the next ptrace restart request. +it passes the signal to the tracee in the next ptrace restart operation. This second step of signal delivery is called .I "signal injection" in this manual page. @@ -1352,7 +1364,7 @@ signal-delivery-stop doesn't happen until the signal is unblocked, with the usual exception that .B SIGSTOP can't be blocked. -.PP +.P Signal-delivery-stop is observed by the tracer as .BR waitpid (2) returning with @@ -1369,16 +1381,16 @@ returns a stopping signal, this may be a group-stop; see below. .SS Signal injection and suppression After signal-delivery-stop is observed by the tracer, the tracer should restart the tracee with the call -.PP +.P .in +4n .EX ptrace(PTRACE_restart, pid, 0, sig) .EE .in -.PP +.P where .B PTRACE_restart -is one of the restarting ptrace requests. +is one of the restarting ptrace operations. If .I sig is 0, then a signal is not delivered. @@ -1388,13 +1400,13 @@ is delivered. This operation is called .I "signal injection" in this manual page, to distinguish it from signal-delivery-stop. -.PP +.P The .I sig value may be different from the .I WSTOPSIG(status) value: the tracer can cause a different signal to be injected. -.PP +.P Note that a suppressed signal still causes system calls to return prematurely. In this case, system calls will be restarted: the tracer will @@ -1410,7 +1422,7 @@ signal is suppressed; however, kernel bugs exist which cause some system calls to fail with .B EINTR even though no observable signal is injected to the tracee. -.PP +.P Restarting ptrace commands issued in ptrace-stops other than signal-delivery-stop are not guaranteed to inject a signal, even if .I sig @@ -1421,26 +1433,26 @@ may simply be ignored. Ptrace users should not try to "create a new signal" this way: use .BR tgkill (2) instead. -.PP -The fact that signal injection requests may be ignored +.P +The fact that signal injection operations may be ignored when restarting the tracee after ptrace stops that are not signal-delivery-stops is a cause of confusion among ptrace users. One typical scenario is that the tracer observes group-stop, mistakes it for signal-delivery-stop, restarts the tracee with -.PP +.P .in +4n .EX ptrace(PTRACE_restart, pid, 0, stopsig) .EE .in -.PP +.P with the intention of injecting .IR stopsig , but .I stopsig gets ignored and the tracee continues to run. -.PP +.P The .B SIGCONT signal has a side effect of waking up (all threads of) @@ -1460,11 +1472,11 @@ was delivered. In other words, .B SIGCONT may be not the first signal observed by the tracee after it was sent. -.PP +.P Stopping signals cause (all threads of) a process to enter group-stop. This side effect happens after signal injection, and therefore can be suppressed by the tracer. -.PP +.P In Linux 2.4 and earlier, the .B SIGSTOP signal can't be injected. @@ -1474,7 +1486,7 @@ signal can't be injected. .\" /* The debugger continued. Ignore SIGSTOP. */ .\" if (signr == SIGSTOP) .\" continue; -.PP +.P .B PTRACE_GETSIGINFO can be used to retrieve a .I siginfo_t @@ -1503,7 +1515,7 @@ will group-stop be initiated on tracees within the multithreaded process. As usual, every tracee reports its group-stop separately to the corresponding tracer. -.PP +.P Group-stop is observed by the tracer as .BR waitpid (2) returning with @@ -1512,13 +1524,13 @@ true, with the stopping signal available via .IR WSTOPSIG(status) . The same result is returned by some other classes of ptrace-stops, therefore the recommended practice is to perform the call -.PP +.P .in +4n .EX ptrace(PTRACE_GETSIGINFO, pid, 0, &siginfo) .EE .in -.PP +.P The call can be avoided if the signal is not .BR SIGSTOP , .BR SIGTSTP , @@ -1539,7 +1551,7 @@ then it is definitely a group-stop. ("no such process") if a .B SIGKILL killed the tracee.) -.PP +.P If tracee was attached using .BR PTRACE_SEIZE , group-stop is indicated by @@ -1549,7 +1561,7 @@ This allows detection of group-stops without requiring an extra .B PTRACE_GETSIGINFO call. -.PP +.P As of Linux 2.6.38, after the tracer sees the tracee ptrace-stop and until it restarts or kills it, the tracee will not run, @@ -1558,7 +1570,7 @@ and will not send notifications (except death) to the tracer, even if the tracer enters into another .BR waitpid (2) call. -.PP +.P The kernel behavior described in the previous paragraph causes a problem with transparent handling of stopping signals. If the tracer restarts the tracee after group-stop, @@ -1572,7 +1584,7 @@ signals will not be reported to the tracer; this would cause the .B SIGCONT signals to have no effect on the tracee. -.PP +.P Since Linux 3.4, there is a method to overcome this problem: instead of .BR PTRACE_CONT , a @@ -1589,7 +1601,7 @@ If the tracer sets options, the tracee will enter ptrace-stops called .B PTRACE_EVENT stops. -.PP +.P .B PTRACE_EVENT stops are observed by the tracer as .BR waitpid (2) @@ -1606,13 +1618,13 @@ An additional bit is set in the higher byte of the status word: the value .I status>>8 will be -.PP +.P .in +4n .EX ((PTRACE_EVENT_foo<<8) | SIGTRAP). .EE .in -.PP +.P The following events exist: .TP .B PTRACE_EVENT_VFORK @@ -1649,7 +1661,7 @@ with the .B CLONE_VFORK flag, but after the child unblocked this tracee by exiting or execing. -.PP +.P For all four stops described above, the stop occurs in the parent (i.e., the tracee), not in the newly created thread. @@ -1698,7 +1710,7 @@ portion of the seccomp filter rule) can be retrieved with .BR PTRACE_GETEVENTMSG . The semantics of this stop are described in detail in a separate section below. -.PP +.P .B PTRACE_GETSIGINFO on .B PTRACE_EVENT @@ -1737,7 +1749,7 @@ Note that all mentions .B PTRACE_SYSEMU apply equally to .BR PTRACE_SYSEMU_SINGLESTEP . -.PP +.P However, even if the tracee was continued using .BR PTRACE_SYSCALL , it is not guaranteed that the next stop will be a syscall-exit-stop. @@ -1754,7 +1766,7 @@ or die silently (if it is a thread group leader, the happened in another thread, and that thread is not traced by the same tracer; this situation is discussed later). -.PP +.P Syscall-enter-stop and syscall-exit-stop are observed by the tracer as .BR waitpid (2) returning with @@ -1769,7 +1781,7 @@ option was set by the tracer, then .I WSTOPSIG(status) will give the value .IR "(SIGTRAP\ |\ 0x80)" . -.PP +.P Syscall-stops can be distinguished from signal-delivery-stop with .B SIGTRAP by querying @@ -1786,7 +1798,7 @@ for example, a system call etc.), expiration of a POSIX timer, change of state on a POSIX message queue, -or completion of an asynchronous I/O request. +or completion of an asynchronous I/O operation. .TP .IR si_code " == SI_KERNEL (0x80)" .B SIGTRAP @@ -1794,12 +1806,12 @@ was sent by the kernel. .TP .IR si_code " == SIGTRAP or " si_code " == (SIGTRAP|0x80)" This is a syscall-stop. -.PP +.P However, syscall-stops happen very often (twice per system call), and performing .B PTRACE_GETSIGINFO for every syscall-stop may be somewhat expensive. -.PP +.P Some architectures allow the cases to be distinguished by examining registers. For example, on x86, @@ -1822,13 +1834,13 @@ looks like "syscall-stop which is not syscall-enter-stop"; in other words, it looks like a "stray syscall-exit-stop" and can be detected this way. But such detection is fragile and is best avoided. -.PP +.P Using the .B PTRACE_O_TRACESYSGOOD option is the recommended method to distinguish syscall-stops from other kinds of ptrace-stops, since it is reliable and does not incur a performance penalty. -.PP +.P Syscall-enter-stop and syscall-exit-stop are indistinguishable from each other by the tracer. The tracer needs to keep track of the sequence of @@ -1843,12 +1855,12 @@ However, note that seccomp stops (see below) can cause syscall-exit-stops, without preceding syscall-entry-stops. If seccomp is in use, care needs to be taken not to misinterpret such stops as syscall-entry-stops. -.PP +.P If after syscall-enter-stop, the tracer uses a restarting command other than .BR PTRACE_SYSCALL , syscall-exit-stop is not generated. -.PP +.P .B PTRACE_GETSIGINFO on syscall-stops returns .B SIGTRAP @@ -1869,7 +1881,7 @@ of ptrace stops has changed between kernel versions. This documents the behavior from their introduction until Linux 4.7 (inclusive). The behavior in later kernel versions is documented in the next section. -.PP +.P A .B PTRACE_EVENT_SECCOMP stop occurs whenever a @@ -1879,7 +1891,7 @@ This is independent of which methods was used to restart the system call. Notably, seccomp still runs even if the tracee was restarted using .B PTRACE_SYSEMU and this system call is unconditionally skipped. -.PP +.P Restarts from this stop will behave as if the stop had occurred right before the system call in question. In particular, both @@ -1909,7 +1921,7 @@ Note that seccomp no longer runs (and no .B PTRACE_EVENT_SECCOMP will be reported) if the system call is skipped due to .BR PTRACE_SYSEMU . -.PP +.P Functionally, a .B PTRACE_EVENT_SECCOMP stop functions comparably @@ -1920,7 +1932,7 @@ the system call number may be changed and any other modified registers are visible to the to-be-executed system call as well). Note that there may be, but need not have been a preceding syscall-entry-stop. -.PP +.P After a .B PTRACE_EVENT_SECCOMP stop, seccomp will be rerun, with a @@ -1947,12 +1959,12 @@ and .BR PTRACE_KILL ) require the tracee to be in a ptrace-stop, otherwise they fail with .BR ESRCH . -.PP +.P When the tracee is in ptrace-stop, the tracer can read and write data to the tracee using informational commands. These commands leave the tracee in ptrace-stopped state: -.PP +.P .in +4n .EX ptrace(PTRACE_PEEKTEXT/PEEKDATA/PEEKUSER, pid, addr, 0); @@ -1967,7 +1979,7 @@ ptrace(PTRACE_GETEVENTMSG, pid, 0, &long_var); ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags); .EE .in -.PP +.P Note that some errors are not reported. For example, setting signal information .RI ( siginfo ) @@ -1978,15 +1990,15 @@ querying .B PTRACE_GETEVENTMSG may succeed and return some random value if current ptrace-stop is not documented as returning a meaningful event message. -.PP +.P The call -.PP +.P .in +4n .EX ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags); .EE .in -.PP +.P affects one tracee. The tracee's current flags are replaced. Flags are inherited by new tracees created and "auto-attached" via active @@ -1995,16 +2007,16 @@ Flags are inherited by new tracees created and "auto-attached" via active or .B PTRACE_O_TRACECLONE options. -.PP +.P Another group of commands makes the ptrace-stopped tracee run. They have the form: -.PP +.P .in +4n .EX ptrace(cmd, pid, 0, sig); .EE .in -.PP +.P where .I cmd is @@ -2027,21 +2039,21 @@ recommended practice is to always pass 0 in .IR sig .) .SS Attaching and detaching A thread can be attached to the tracer using the call -.PP +.P .in +4n .EX ptrace(PTRACE_ATTACH, pid, 0, 0); .EE .in -.PP +.P or -.PP +.P .in +4n .EX ptrace(PTRACE_SEIZE, pid, 0, PTRACE_O_flags); .EE .in -.PP +.P .B PTRACE_ATTACH sends .B SIGSTOP @@ -2065,14 +2077,14 @@ may race and the concurrent may be lost. .\" .\" FIXME Describe how to attach to a thread which is already group-stopped. -.PP +.P Since attaching sends .B SIGSTOP and the tracer usually suppresses it, this may cause a stray .B EINTR return from the currently executing system call in the tracee, as described in the "Signal injection and suppression" section. -.PP +.P Since Linux 3.4, .B PTRACE_SEIZE can be used instead of @@ -2084,30 +2096,30 @@ it after attach (or at any other time) without sending it any signals, use .B PTRACE_INTERRUPT command. -.PP -The request -.PP +.P +The operation +.P .in +4n .EX ptrace(PTRACE_TRACEME, 0, 0, 0); .EE .in -.PP +.P turns the calling thread into a tracee. The thread continues to run (doesn't enter ptrace-stop). A common practice is to follow the .B PTRACE_TRACEME with -.PP +.P .in +4n .EX raise(SIGSTOP); .EE .in -.PP +.P and allow the parent (which is our tracer now) to observe our signal-delivery-stop. -.PP +.P If the .BR PTRACE_O_TRACEFORK , .BR PTRACE_O_TRACEVFORK , @@ -2131,15 +2143,15 @@ are automatically attached to the same tracer which traced their parent. .B SIGSTOP is delivered to the children, causing them to enter signal-delivery-stop after they exit the system call which created them. -.PP +.P Detaching of the tracee is performed by: -.PP +.P .in +4n .EX ptrace(PTRACE_DETACH, pid, 0, sig); .EE .in -.PP +.P .B PTRACE_DETACH is a restarting operation; therefore it requires the tracee to be in ptrace-stop. @@ -2147,7 +2159,7 @@ If the tracee is in signal-delivery-stop, a signal can be injected. Otherwise, the .I sig parameter may be silently ignored. -.PP +.P If the tracee is running when the tracer wants to detach it, the usual solution is to send .B SIGSTOP @@ -2171,7 +2183,7 @@ because no signal delivery happens while it is\[em]not even .BR SIGSTOP . .\" FIXME Describe how to detach from a group-stopped tracee so that it .\" doesn't run, but continues to wait for SIGCONT. -.PP +.P If the tracer dies, all tracees are automatically detached and restarted, unless they were in group-stop. Handling of restart from group-stop is currently buggy, @@ -2243,10 +2255,10 @@ If the thread group leader was not traced .BR execve (2) it will appear as if it has become a tracee of the tracer of the execing tracee. -.PP +.P All of the above effects are the artifacts of the thread ID change in the tracee. -.PP +.P The .B PTRACE_O_TRACEEXEC option is the recommended tool for dealing with this situation. @@ -2266,13 +2278,13 @@ option disables legacy .B SIGTRAP generation on .BR execve (2). -.PP +.P When the tracer receives .B PTRACE_EVENT_EXEC stop notification, it is guaranteed that except this tracee and the thread group leader, no other threads from the process are alive. -.PP +.P On receiving the .B PTRACE_EVENT_EXEC stop notification, @@ -2280,17 +2292,17 @@ the tracer should clean up all its internal data structures describing the threads of this process, and retain only one data structure\[em]one which describes the single still running tracee, with -.PP +.P .in +4n .EX thread ID == thread group ID == process ID. .EE .in -.PP +.P Example: two threads call .BR execve (2) at the same time: -.PP +.P .nf *** we get syscall-enter-stop in thread 1: ** PID1 execve("/bin/foo", "foo" @@ -2302,7 +2314,7 @@ PID2 execve("/bin/bar", "bar" *** we get syscall-exit-stop for PID0: ** PID0 <... execve resumed> ) = 0 .fi -.PP +.P If the .B PTRACE_O_TRACEEXEC option is @@ -2329,7 +2341,7 @@ set to 0 .RI ( SI_USER ). This signal may be blocked by signal mask, and thus may be delivered (much) later. -.PP +.P Usually, the tracer (for example, .BR strace (1)) would not want to show this extra post-execve @@ -2357,10 +2369,10 @@ This used to cause the real parent of the process to stop receiving several kinds of .BR waitpid (2) notifications when the child process is traced by some other process. -.PP +.P Many of these bugs have been fixed, but as of Linux 2.6.38 several still exist; see BUGS below. -.PP +.P As of Linux 2.6.38, the following is believed to work correctly: .IP \[bu] 3 exit/death by signal is reported first to the tracer, then, @@ -2373,21 +2385,21 @@ the report is sent only once. .SH RETURN VALUE On success, the .B PTRACE_PEEK* -requests return the requested data (but see NOTES), +operations return the requested data (but see NOTES), the .B PTRACE_SECCOMP_GET_FILTER -request returns the number of instructions in the BPF program, +operation returns the number of instructions in the BPF program, the .B PTRACE_GET_SYSCALL_INFO -request returns the number of bytes available to be written by the kernel, -and other requests return zero. -.PP -On error, all requests return \-1, and +operation returns the number of bytes available to be written by the kernel, +and other operations return zero. +.P +On error, all operations return \-1, and .I errno is set to indicate the error. Since the value returned by a successful .B PTRACE_PEEK* -request may be \-1, the caller must clear +operation may be \-1, the caller must clear .I errno before the call, and then check it afterward to determine whether or not an error occurred. @@ -2411,11 +2423,11 @@ more or less arbitrarily. An attempt was made to set an invalid option. .TP .B EIO -.I request +.I op is invalid, or an attempt was made to read from or write to an invalid area in the tracer's or the tracee's memory, or there was a word-alignment violation, -or an invalid signal was specified during a restart request. +or an invalid signal was specified during a restart operation. .TP .B EPERM The specified process cannot be traced. @@ -2433,12 +2445,12 @@ or (before Linux 2.6.26) be .B ESRCH The specified process does not exist, or is not currently being traced by the caller, or is not stopped -(for requests that require a stopped tracee). +(for operations that require a stopped tracee). .SH STANDARDS None. .SH HISTORY SVr4, 4.3BSD. -.PP +.P Before Linux 2.6.26, .\" See commit 00cd5c37afd5f431ac186dd131705048c0a11fdb .BR init (1), @@ -2450,7 +2462,7 @@ are interpreted according to the prototype given, glibc currently declares .BR ptrace () as a variadic function with only the -.I request +.I op argument fixed. It is recommended to always supply four arguments, even if the requested operation does not use them, @@ -2458,20 +2470,20 @@ setting unused/ignored arguments to .I 0L or .IR "(void\ *)\ 0". -.PP +.P A tracees parent continues to be the tracer even if that tracer calls .BR execve (2). -.PP +.P The layout of the contents of memory and the USER area are quite operating-system- and architecture-specific. The offset supplied, and the data returned, might not entirely match with the definition of .IR "struct user" . .\" See http://lkml.org/lkml/2008/5/8/375 -.PP +.P The size of a "word" is determined by the operating-system variant (e.g., for 32-bit Linux it is 32 bits). -.PP +.P This page documents the way the .BR ptrace () call works currently in Linux. @@ -2497,7 +2509,7 @@ whether or not the "target" process is dumpable, and the results of checks performed by any enabled Linux Security Module (LSM)\[em]for example, SELinux, Yama, or Smack\[em]and by the commoncap LSM (which is always invoked). -.PP +.P Prior to Linux 2.6.27, all access checks were of a single type. Since Linux 2.6.27, .\" commit 006ebb40d3d65338bd74abb03b945f8d60e362bd @@ -2541,7 +2553,7 @@ was effectively the default before Linux 2.6.27.) .\" about proper handling of /proc/pid/fd. Arguably that one might belong .\" back in the _ATTACH camp. .\" -.PP +.P Since Linux 4.5, .\" commit caaee6234d05a58c5b4d05e7bf766131b810a657 the above access mode checks are combined (ORed) with @@ -2555,7 +2567,7 @@ or effective capabilities for LSM checks. .B PTRACE_MODE_REALCREDS Use the caller's real UID and GID or permitted capabilities for LSM checks. This was effectively the default before Linux 4.5. -.PP +.P Because combining one of the credential modifiers with one of the aforementioned access modes is typical, some macros are defined in the kernel sources for the combinations: @@ -2575,7 +2587,7 @@ Defined as .B PTRACE_MODE_ATTACH_REALCREDS Defined as .BR "PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS" . -.PP +.P One further modifier can be ORed with the access mode: .TP .BR PTRACE_MODE_NOAUDIT " (since Linux 3.3)" @@ -2591,7 +2603,7 @@ In these cases, accessing the file is not a security violation and there is no reason to generate a security audit record. This modifier suppresses the generation of such an audit record for the particular access check. -.PP +.P Note that all of the .B PTRACE_MODE_* constants described in this subsection are kernel-internal, @@ -2602,7 +2614,7 @@ and accesses to various pseudofiles (e.g., under .IR /proc ). These names are used in other manual pages to provide a simple shorthand for labeling the different kernel checks. -.PP +.P The algorithm employed for ptrace access mode checking determines whether the calling process is allowed to perform the corresponding action on the target process. @@ -2724,7 +2736,7 @@ a compromised process can ptrace-attach to other sensitive processes (e.g., a GPG agent or an SSH session) owned by the user in order to gain additional credentials that may exist in memory and thus expand the scope of the attack. -.PP +.P More precisely, the Yama LSM limits two types of operations: .IP \[bu] 3 Any operation that performs a ptrace access mode @@ -2736,7 +2748,7 @@ check\[em]for example, .IP \[bu] .BR ptrace () .BR PTRACE_TRACEME . -.PP +.P A process that has the .B CAP_SYS_PTRACE capability can update the @@ -2796,7 +2808,7 @@ operations or trace children that employ .BR PTRACE_TRACEME . .IP Once this value has been written to the file, it cannot be changed. -.PP +.P With respect to values 1 and 2, note that creating a new user namespace effectively removes the protection offered by Yama. @@ -2817,7 +2829,7 @@ At the system call level, the .BR PTRACE_PEEKDATA , and .B PTRACE_PEEKUSER -requests have a different API: they store the result +operations have a different API: they store the result at the address specified by the .I data parameter, and the return value is the error flag. @@ -2834,10 +2846,10 @@ This can be worked around by redefining to .BR PTRACE_OLDSETOPTIONS , if that is defined. -.PP +.P Group-stop notifications are sent to the tracer, but not to real parent. Last confirmed on 2.6.38.6. -.PP +.P If a thread group leader is traced and exits by calling .BR _exit (2), .\" Note from Denys Vlasenko: @@ -2868,7 +2880,7 @@ One possible workaround is to the thread group leader instead of restarting it in this case. Last confirmed on 2.6.38.6. .\" FIXME . need to test/verify this scenario -.PP +.P A .B SIGKILL signal may still cause a @@ -2878,7 +2890,7 @@ This may be changed in the future; .B SIGKILL is meant to always immediately kill tasks even under ptrace. Last confirmed on Linux 3.13. -.PP +.P Some system calls return with .B EINTR if a signal was sent to a tracee, but delivery was suppressed by the tracer. @@ -2896,40 +2908,40 @@ from an file descriptor. The usual symptom of this bug is that when you attach to a quiescent process with the command -.PP +.P .in +4n .EX strace \-p .EE .in -.PP +.P then, instead of the usual and expected one-line output such as -.PP +.P .in +4n .EX restart_syscall(<... resuming interrupted call ...>_ .EE .in -.PP +.P or -.PP +.P .in +4n .EX select(6, [5], NULL, [5], NULL_ .EE .in -.PP +.P ('_' denotes the cursor position), you observe more than one line. For example: -.PP +.P .in +4n .EX clock_gettime(CLOCK_MONOTONIC, {15370, 690928118}) = 0 epoll_wait(4,_ .EE .in -.PP +.P What is not visible here is that the process was blocked in .BR epoll_wait (2) before @@ -2949,7 +2961,7 @@ again. errors may behave in an unintended way upon an .BR strace (1) attach.) -.PP +.P Contrary to the normal rules, the glibc wrapper for .BR ptrace () can set -- cgit v1.2.3