I am trying to document PTRACE_SETOPTIONS and I can't figure out what
the option PTRACE_O_TRACESYSGOOD is used for. Google is no help;
I can't find an explanation for _why_ it's there. All I can see is that
it causes ptrace() to deliver syscall stops with SIGTRAP | 0x80
instead of just SIGTRAP and it can be used with PTRACE_SYSEMU.
--
Chuck
"Penguins don't come from next door, they come from the Antarctic!"
On Tue, 2006-03-14 at 05:26 -0500, Chuck Ebbert wrote:
> I am trying to document PTRACE_SETOPTIONS and I can't figure out what
> the option PTRACE_O_TRACESYSGOOD is used for. Google is no help;
> I can't find an explanation for _why_ it's there. All I can see is that
> it causes ptrace() to deliver syscall stops with SIGTRAP | 0x80
> instead of just SIGTRAP and it can be used with PTRACE_SYSEMU.
Chuck,
PTRACE_O_TRACESYSGOOD is useful because it allows you to
differentiate between a standard SIGTRAP and a system call entry or
exit. For example, if you have a ptrace monitor and receive a SIGTRAP,
without O_SYSGOOD, it isn't clear if the kernel returned from wait (1)
because someone did kill -TRAP pid, or (2) the process was entering a
system call.
Charles
On Tue, Mar 14, 2006 at 05:26:52AM -0500, Chuck Ebbert wrote:
> I am trying to document PTRACE_SETOPTIONS and I can't figure out what
> the option PTRACE_O_TRACESYSGOOD is used for.
It makes it easier to distinguish between the child receiving a
SIGTRAP and making a system call. On x86, without TRACESYSGOOD, you
can see if orig_eax == -1 to check for a real SIGTRAP. I'm not sure
about the other arches, but it's nice to have an arch-independent way
of doing it, even if there are equivalents in every arch.
Jeff
On Út 14-03-06 05:26:52, Chuck Ebbert wrote:
> I am trying to document PTRACE_SETOPTIONS and I can't figure out what
> the option PTRACE_O_TRACESYSGOOD is used for. Google is no help;
> I can't find an explanation for _why_ it's there. All I can see is that
> it causes ptrace() to deliver syscall stops with SIGTRAP | 0x80
> instead of just SIGTRAP and it can be used with PTRACE_SYSEMU.
Yes.. and unless you deliver ptrace() syscall stops with a different
signal, you can't tell the difference between a syscall stop and a real
SIGTRAP.
See subterfugue.org for an example user.
Basically we'd like all the new users to set PTRACE_O_TRACESYSGOOD.
Pavel
On Wed, Mar 15, 2006 at 12:00:56AM +0100, Pavel Machek wrote:
> Yes.. and unless you deliver ptrace() syscall stops with different
> signal, you can't tell difference between syscall stop and real
> SIGTRAP.
You can, but you have to examine registers in order to do this. This
is a concern when running gdb inside UML. gdb breakpoints will cause
real SIGTRAPs, while system calls cause synthetic ones. Before
switching to TRACESYSGOOD, UML examined orig_eax to distinguish
between them.
Jeff
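The distinction Jeff and Pavel describe, as an added example that is not from the thread or from UML: a small tracer that sets PTRACE_O_TRACESYSGOOD and then classifies each wait status purely from the stop signal, so a syscall stop (SIGTRAP | 0x80) is told apart from a real SIGTRAP without looking at orig_eax. The helper names (classify_stop, make_stop_status) are my own; the child is driven with PTRACE_SYSCALL so the tracer sees both kinds of stop.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

enum stop_kind { STOP_SYSCALL, STOP_REAL_SIGTRAP, STOP_OTHER_SIGNAL, NOT_A_STOP };

/* With PTRACE_O_TRACESYSGOOD the kernel reports syscall entry/exit stops as
 * SIGTRAP | 0x80, so the wait status alone identifies them (no orig_eax check). */
enum stop_kind classify_stop(int status)
{
    if (!WIFSTOPPED(status)) return NOT_A_STOP;
    int sig = WSTOPSIG(status);
    if (sig == (SIGTRAP | 0x80))
        return STOP_SYSCALL;
    if (sig == SIGTRAP)
        return STOP_REAL_SIGTRAP;
    return STOP_OTHER_SIGNAL;
}

/* Constructed "stopped by signal" wait status in Linux's encoding
 * ((sig << 8) | 0x7f), the form WIFSTOPPED/WSTOPSIG decode. */
int make_stop_status(int sig) { return (sig << 8) | 0x7f; }

int main(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);   /* pause so the parent can set options first */
        getpid();         /* a system call: reported as SIGTRAP | 0x80 */
        raise(SIGTRAP);   /* a real SIGTRAP, like a gdb breakpoint would cause */
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);   /* the child's initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, NULL);   /* data 0: do not deliver the signal */
        if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
            break;
        switch (classify_stop(status)) {
        case STOP_SYSCALL:     puts("syscall stop"); break;
        case STOP_REAL_SIGTRAP: puts("real SIGTRAP"); break;
        default:               puts("other signal stop"); break;
        }
    }
    return 0;
}
```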