From: Eric Paris <eparis@redhat.com>
To: "John D. Ramsdell" <ramsdell@mitre.org>
Cc: linux-audit@redhat.com
Subject: Re: clone flags
Date: Thu, 19 Jul 2007 13:59:53 -0400
Message-ID: <1184867993.3544.26.camel@localhost.localdomain>
In-Reply-To: <ogtbqe8y1ae.fsf@oolong.mitre.org>

On Thu, 2007-07-19 at 09:24 -0400, John D. Ramsdell wrote:

> [root@goo fork]# ausearch -i -p 1160 > autrace.txt
> [root@goo fork]# grep clone strace.txt 
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7efb708) = 1122
> [root@goo fork]# grep clone autrace.txt 
> type=SYSCALL msg=audit(07/19/2007 09:16:02.350:848) : arch=i386 syscall=clone success=yes exit=1161 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1158 pid=1160 auid=ramsdell uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 comm=fork exe=/home/ramsdell/proj/fork/fork subj=user_u:system_r:unconfined_t:s0 key=(null) 

Actually it's a problem with mapping things.  The flags are in a0.  If
you look at the clone man page they talk about sys_clone at the bottom
(which is the actual call, whereas clone is just a library function on
top of the call) and they state that the ordering for sys_clone is
different.  The kernel function is actually

asmlinkage long
sys_clone(unsigned long clone_flags, unsigned long newsp,
          void __user *parent_tid, void __user *child_tid,
          struct pt_regs *regs)

So the flags are actually coming in the first argument.  To verify, check

#define CLONE_CHILD_SETTID   0x01000000
#define CLONE_CHILD_CLEARTID 0x00200000
#define SIGCHLD              0x00000011

Which just so happens to be  0x01200011
and a0 just so happens to be    1200011

But it's just a difference between the library call 'clone' that the
application makes and the actual syscall glibc translates that to
sys_clone and the ordering of the flags.

-Eric
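
The check done by hand in the message above, generalized to any interpreted clone record, as an added example that is not part of the original message or of the audit tools. The function name decode_clone_a0, the trimmed and constructed sample records, and the x86 signal table are assumptions of this example; the flag values are those of the kernel's include/linux/sched.h.

```python
import re

CSIGNAL = 0xFF  # low byte of clone_flags: signal sent to the parent on exit
# Flag values as defined in the kernel's include/linux/sched.h.
CLONE_FLAGS = {
    0x00000100: "CLONE_VM",
    0x00000200: "CLONE_FS",
    0x00000400: "CLONE_FILES",
    0x00000800: "CLONE_SIGHAND",
    0x00002000: "CLONE_PTRACE",
    0x00004000: "CLONE_VFORK",
    0x00008000: "CLONE_PARENT",
    0x00010000: "CLONE_THREAD",
    0x00020000: "CLONE_NEWNS",
    0x00040000: "CLONE_SYSVSEM",
    0x00080000: "CLONE_SETTLS",
    0x00100000: "CLONE_PARENT_SETTID",
    0x00200000: "CLONE_CHILD_CLEARTID",
    0x00800000: "CLONE_UNTRACED",
    0x01000000: "CLONE_CHILD_SETTID",
}
SIGNALS = {17: "SIGCHLD"}  # x86 Linux numbering (assumption); extend as needed

# Trimmed copy of the record quoted above, plus a constructed thread-creation record.
FORK_RECORD = ("type=SYSCALL msg=audit(07/19/2007 09:16:02.350:848) : arch=i386 "
               "syscall=clone success=yes exit=1161 a0=1200011 a1=0 a2=0 a3=0")
THREAD_RECORD = "type=SYSCALL arch=i386 syscall=clone success=yes a0=3d0f00"

def decode_clone_a0(record):
    """Return the flag names encoded in a0 of an interpreted clone record."""
    fields = dict(re.findall(r"(\w+)=(\S+)", record))
    if fields.get("syscall") != "clone":
        raise ValueError("not a clone record")
    value = int(fields["a0"], 16)  # a0..a3 are logged in hex without a 0x prefix
    names = [name for bit, name in sorted(CLONE_FLAGS.items()) if value & bit]
    known = sum(bit for bit in CLONE_FLAGS if value & bit)
    leftover = value & ~CSIGNAL & ~known
    if leftover:  # bits outside the table are reported rather than dropped
        names.append(hex(leftover))
    sig = value & CSIGNAL
    if sig:
        names.append(SIGNALS.get(sig, "signal %d" % sig))
    return names

if __name__ == "__main__":
    for rec in (FORK_RECORD, THREAD_RECORD):
        print("|".join(decode_clone_a0(rec)))
```

The first record decodes to the same three names strace printed for the library call, which confirms that a0 carries the flags.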
