Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp48470imu; Wed, 7 Nov 2018 12:46:28 -0800 (PST) X-Google-Smtp-Source: AJdET5ddDmVIFhnG4VpBYkBMugVqqOng34PDI16KY0f8P6++IDEoZjKSTAOlGNFoLH3vewwKig4x X-Received: by 2002:a17:902:aa84:: with SMTP id d4-v6mr1822303plr.25.1541623588043; Wed, 07 Nov 2018 12:46:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541623588; cv=none; d=google.com; s=arc-20160816; b=juArnxTzvA5RQ78zEAhFGU+KWUD8a+CSUbpSFPjkJmot633PI0g8kNe90QJkpg7IQr nJmKzrzRkW/Le9u16YTKyCwd70av2+AxVCG7SvMPGtsNPs+w+CXLeXfLNhEPe+O+chY7 4/3Nx3+Qz5YUEG7V8DjPj4Kq+hS+wiL2vndGwYSYy3blEzL+hxdKg5wGn/IeaUjDrNoi mlbrzhZyiuO3BZK6bKYP8FTSWicqvOZvjs+dxzW5QmEBCqcGLlMIqMTz9qpI2avVYxgl 2JtwqHuXP0fzEs/zWRsXcTL8+pqwVjxmMSdVABAJ02s97DzWmEgszLCrOkbRqZBYyOaB kvGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=SXs9ZV5oB3593FsfsJaciXDvjqrK+plUgyT/N6tfJWc=; b=X2lK19t9q5bD0pBh2lFihO+KOEnb+RDSzO/A3WM46KiFDlFWBak1eLHmPV8j8X+Zk6 NFJVBbOVhIMLeALh9E/eZpqVBo0AMJ/QrXJMCVi/QXqk5YpflF2HwMLHUtnjhKVqdAI/ O6rP+sfSU4deKkngBkLVo3TzYVBeA/mcGc2eKljuN4/gPuJpC8R08Q0rks+0f/Juz3Jw H9f68aBdPs8WnpLQZOxRoaYtwYXAomeTWw55Ue283en3XKAMo/CjI+GtS9t7eS0ifUzV nUHV6HbEmjUvVGLDRGd8tcKcyt3X378ysIoaDKr0R8H6W27Vynh2GFzqobZCqbDQhOXj JUqg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=iXGMmccz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d16-v6si1530143pgd.555.2018.11.07.12.46.13; Wed, 07 Nov 2018 12:46:28 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=iXGMmccz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727341AbeKHGRR (ORCPT + 99 others); Thu, 8 Nov 2018 01:17:17 -0500 Received: from mail.kernel.org ([198.145.29.99]:37386 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726932AbeKHGRQ (ORCPT ); Thu, 8 Nov 2018 01:17:16 -0500 Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6B0CA20818 for ; Wed, 7 Nov 2018 20:45:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541623511; bh=sYAG5qSkNjkdVgQXlXDaMklo4lLlxNQp41L/8eGK9GM=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=iXGMmcczzWFpdyNLchEdjKWD1asjTbouQdXbI/ytz46q82qDEF5DH4Jwz5TnJv+sY WyMWpDe8rBaV+3Bmd+r3vUAEfPAtXU15S8mf/7uEVjhQWYB8OQPJdKlEqRwV0D85Sj 1u+Zgxl+py44TdOOhGQCYAtwhvyArVCeMr1fFQgY= Received: by mail-wr1-f50.google.com with SMTP id x12-v6so18852667wrw.8 for ; Wed, 07 Nov 2018 12:45:11 -0800 (PST) X-Gm-Message-State: AGRZ1gJMCt9VdrAN34IuP6rls0DHH0B512jneLEyOXKsL/jr1z44RRzv km4nsszpxi71I2Pxrm+II7rOqDjD+6QUYIoNjjujQQ== X-Received: by 2002:a5d:4450:: with SMTP id x16-v6mr1614172wrr.308.1541623509888; Wed, 07 Nov 2018 12:45:09 -0800 (PST) MIME-Version: 1.0 References: <20181107042751.3b519062@akathisia> In-Reply-To: <20181107042751.3b519062@akathisia> From: Andy Lutomirski Date: Wed, 7 Nov 2018 12:44:58 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH] ptrace: add PTRACE_GET_SYSCALL_INFO request To: lineprinter@altlinux.org Cc: Oleg Nesterov , Steven Rostedt , Ingo Molnar , LKML , "Dmitry V. Levin" , Eugene Syromiatnikov , Andrew Lutomirski , strace-devel@lists.strace.io Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Nov 6, 2018, at 7:27 PM, Elvira Khabirova w= rote: > > PTRACE_GET_SYSCALL_INFO lets ptracer obtain details of the syscall > the tracee is blocked in. The request returns meaningful data only > when the tracee is in a syscall-enter-stop or a syscall-exit-stop. > > There are two reasons for a special syscall-related ptrace request. > > Firstly, with the current ptrace API there are cases when ptracer cannot > retrieve necessary information about syscalls. Some examples include: > * The notorious int-0x80-from-64-bit-task issue. See [1] for details. > In short, if a 64-bit task performs a syscall through int 0x80, its trace= r > has no reliable means to find out that the syscall was, in fact, > a compat syscall, and misidentifies it. > * Syscall-enter-stop and syscall-exit-stop look the same for the tracer. > Common practice is to keep track of the sequence of ptrace-stops in order > not to mix the two syscall-stops up. But it is not as simple as it looks; > for example, strace had a (just recently fixed) long-standing bug where > attaching strace to a tracee that is performing the execve system call > led to the tracer identifying the following syscall-exit-stop as > syscall-enter-stop, which messed up all the state tracking. > * Since the introduction of commit 84d77d3f06e7e8dea057d10e8ec77ad71f721b= e3 > ("ptrace: Don't allow accessing an undumpable mm"), both PTRACE_PEEKDATA > and process_vm_readv become unavailable when the process dumpable flag > is cleared. On ia64 this results in all syscall arguments being unavailab= le. > > Secondly, ptracers also have to support a lot of arch-specific code for > obtaining information about the tracee. For some architectures, this > requires a ptrace(PTRACE_PEEKUSER, ...) invocation for every syscall > argument and return value. > > PTRACE_GET_SYSCALL_INFO returns the following structure: > > struct ptrace_syscall_info { > __u8 op; /* 0 for entry, 1 for exit */ Please consider adding another op for a seccomp stop. > __u8 __pad0[7]; > union { > struct { > __u64 nr; > __u64 ip; > __u64 args[6]; > __u8 is_compat; > __u8 __pad1[7]; > } entry_info; > struct { > __s64 rval; > __u8 is_error; > __u8 __pad2[7]; > } exit_info; > }; > }; > > The structure was chosen according to [2], except for two changes. > First: instead of an arch field with a value of AUDIT_ARCH_*, a boolean > is_compat value is returned, because a) not all arches have an AUDIT_ARCH= _* > defined for them, b) the tracer already knows what *arch* it is running o= n, > but it does not know whether the tracee/syscall is in compat mode or not. I don=E2=80=99t like this for a few reasons: 1. A 32-bit tracer can=E2=80=99t readily tell what is_compat =3D=3D 0 means= . 2. There is no actual guarantee that there are only two syscall architectures available. In fact, I think that arm64 is seriously considering adding a third. x86 ought to have three, but, for arguably dubious historical reasons, it only has two, and x32 is distinguished only by nr. 3. Your patch will be a whole lot shorter if you use syscall_get_arch(). You'd have to add syscall_get_arch() implementations for the remaining architectures, but that's still less code. > Second: a boolean is_error value is added to rval. This way the tracer ca= n > more reliably distinguish a return value from an error value. Sounds reasonable to me. Also, maybe use the extra parameter to ptrace to have userspace pass in the size of the structure so that more fields can be added later if needed.