From: ramsdell@mitre.org (John D. Ramsdell)
To: linux-audit@redhat.com
Subject: clone flags
Date: 19 Jul 2007 09:24:09 -0400
Message-ID: <ogtbqe8y1ae.fsf@oolong.mitre.org>

I've been carefully comparing output I obtain with autrace with what I
get from strace.  It appears they differ when the clone system call is
invoked from the C library via fork.  In particular, strace reports
flags of CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, while
autrace says the flags are 0.  The flags are in field a2.

John

[ramsdell@goo fork]$ uname -r
2.6.21-1.3228.fc7
[ramsdell@goo fork]$ make fork
cc     fork.c   -o fork
[ramsdell@goo fork]$ strace -o strace.txt ./fork
[ramsdell@goo fork]$ su -
Password: 
[root@goo ~]# cd /home/ramsdell/proj/fork
[root@goo fork]# autrace ./fork
Waiting to execute: ./fork
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 1160'
[root@goo fork]# ausearch -i -p 1160 > autrace.txt
[root@goo fork]# grep clone strace.txt 
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7efb708) = 1122
[root@goo fork]# grep clone autrace.txt 
type=SYSCALL msg=audit(07/19/2007 09:16:02.350:848) : arch=i386 syscall=clone success=yes exit=1161 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1158 pid=1160 auid=ramsdell uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 comm=fork exe=/home/ramsdell/proj/fork/fork subj=user_u:system_r:unconfined_t:s0 key=(null) 
[root@goo fork]# cat fork.c 
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

int main(int argc, char **argv)
{
  int status;
  pid_t pid;
  switch (fork()) {
  case -1:
    perror("clone");
    return 1;
  case 0:
    return 0;
  default:
    do {
      pid = wait(&status);
    } while (pid < 0 && errno == EINTR);
    if (WIFEXITED(status))
      return WEXITSTATUS(status);
    else
      return 1;
  }
}
[root@goo fork]# 
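
Added example, not part of the original message or of the audit tools: it reads the a0 field of the SYSCALL record quoted above as a hexadecimal clone flag word and names the bits. It assumes that audit prints a0..a3 in hex and that the raw i386 clone system call takes the flags as its first argument; the function names and the trimmed sample record are constructed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* clone(2) flag bits (subset, values from the Linux ABI); bits not listed are not named. */
static const struct { unsigned long bit; const char *name; } clone_bits[] = {
    {0x00000100, "CLONE_VM"},             {0x00000200, "CLONE_FS"},
    {0x00000400, "CLONE_FILES"},          {0x00000800, "CLONE_SIGHAND"},
    {0x00004000, "CLONE_VFORK"},          {0x00010000, "CLONE_THREAD"},
    {0x00080000, "CLONE_SETTLS"},         {0x00100000, "CLONE_PARENT_SETTID"},
    {0x00200000, "CLONE_CHILD_CLEARTID"}, {0x01000000, "CLONE_CHILD_SETTID"},
};

/* Argument fields of the autrace SYSCALL record in the message; other fields trimmed. */
static const char sample_record[] =
    "type=SYSCALL arch=i386 syscall=clone exit=1161 a0=1200011 a1=0 a2=0 a3=0 items=0";

/* Parse field " <key>=" as hex (assumed audit format); 0 on success, -1 if absent. */
static int audit_hex_field(const char *rec, const char *key, unsigned long *out)
{
    char pat[16], *end;
    snprintf(pat, sizeof pat, " %s=", key);
    const char *p = strstr(rec, pat);
    if (!p) return -1;
    p += strlen(pat);
    *out = strtoul(p, &end, 16);
    return end == p ? -1 : 0;
}

/* Name the set bits in ascending order, then the exit signal held in the low byte. */
static const char *decode_clone_flags(unsigned long flags, char *buf, size_t len)
{
    size_t used = 0;
    unsigned long sig = flags & 0xff;   /* CSIGNAL mask */
    for (size_t i = 0; i < sizeof clone_bits / sizeof clone_bits[0]; i++)
        if ((flags & clone_bits[i].bit) && used < len)
            used += snprintf(buf + used, len - used, "%s|", clone_bits[i].name);
    if (used < len && sig == 17)        /* 17 is SIGCHLD on i386 */
        snprintf(buf + used, len - used, "SIGCHLD");
    else if (used < len)
        snprintf(buf + used, len - used, "sig=%lu", sig);
    return buf;
}

int main(void)
{
    unsigned long a0; char buf[256];
    if (audit_hex_field(sample_record, "a0", &a0) == 0)
        printf("a0=0x%lx -> %s\n", a0, decode_clone_flags(a0, buf, sizeof buf));
    return 0;
}
```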
