From: "Dmitry V. Levin"
Subject: Re: a method to distinguish between syscall-enter/exit-stop
Date: Sat, 7 Feb 2015 06:04:47 +0300
Message-ID: <20150207030447.GA4930@altlinux.org>
References: <20150205233945.GA31540@altlinux.org> <20150206023249.GB31540@altlinux.org> <20150206231720.GB3829@altlinux.org>
To: Kees Cook
Cc: Andy Lutomirski, LKML, Will Drewry, Oleg Nesterov, "x86@kernel.org", "linux-arm-kernel@lists.infradead.org", Linux MIPS Mailing List, linux-arch, linux-security-module, Alexei Starovoitov, "H. Peter Anvin", Frederic Weisbecker, Michael Kerrisk-manpages

On Fri, Feb 06, 2015 at 05:07:41PM -0800, Kees Cook wrote:
> On Fri, Feb 6, 2015 at 3:17 PM, Dmitry V. Levin wrote:
> > On Fri, Feb 06, 2015 at 12:07:03PM -0800, Kees Cook wrote:
> >> On Fri, Feb 6, 2015 at 11:32 AM, Andy Lutomirski wrote:
> >> > On Fri, Feb 6, 2015 at 11:23 AM, Kees Cook wrote:
> > [...]
> >> >> And an unrelated thought:
> >> >>
> >> >> 3) Can't we find some way to fix the inability of a ptracer to
> >> >> distinguish between syscall-enter-stop and syscall-exit-stop?
> >> >
> >> > Couldn't we add PTRACE_O_TRACESYSENTRY and PTRACE_O_TRACESYSEXIT along
> >> > the lines of PTRACE_O_TRACESYSGOOD?
> >>
> >> That might be a nice idea. I haven't written a test to see, but what
> >> does PTRACE_GETEVENTMSG return on syscall-enter/exit-stop?
> >
> > The value returned by PTRACE_GETEVENTMSG is the value set along with the
> > latest PTRACE_EVENT_*.
> > In case of syscall-enter/exit-stop (which is not a PTRACE_EVENT_*),
> > there is no particular value set for PTRACE_GETEVENTMSG.
>
> Could we define one to help distinguish?

I suppose we could define one, but performing extra PTRACE_GETEVENTMSG
for every syscall-stop may be too expensive.

For example, strace makes about 4.5 syscalls per syscall-stop.
The minimum is 4 syscalls: wait4, PTRACE_GETREGSET, write, and
PTRACE_SYSCALL; processing some syscall-stops may require additional
process_vm_readv calls. That is, forcing strace to make extra
PTRACE_GETEVENTMSG per syscall-stop would result in about 20% more
syscalls per syscall-stop, which is a noticeable cost.

A better alternative is to define an event that wouldn't require this
extra PTRACE_GETEVENTMSG per syscall-stop. For example, it could be
a PTRACE_EVENT_SYSCALL_ENTRY and/or PTRACE_EVENT_SYSCALL_EXIT.

In practice, adding just one of these two events would be enough to
distinguish two kinds of syscall-stops. Adding two events would look
less surprising, though.

If the decision would be to add both events, I'd recommend adding just
one new option to cover both events - there is room only for 32
different PTRACE_O_* options.

-- 
ldv
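
An added example, not part of the original message and not strace's code: it decodes a `waitpid()` status the way a tracer receives it, showing that a syscall-stop carries no entry/exit information while a `PTRACE_EVENT_*` stop carries its event number in the status itself, with no extra ptrace call. The names `classify_stop` and `label_syscall_stop` are hypothetical, and the alternation flag is the tracer-side bookkeeping needed when no such event exists.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

enum stop_kind { NOT_STOPPED, STOP_SIGNAL, STOP_SYSCALL, STOP_EVENT };
/* Decode a wait status. With PTRACE_O_TRACESYSGOOD a syscall-stop is
 * SIGTRAP|0x80 for entry and exit alike; a PTRACE_EVENT_* stop is SIGTRAP
 * with the event number in status >> 16. */
enum stop_kind classify_stop(int status, int *event)
{
    if (!WIFSTOPPED(status))
        return NOT_STOPPED;
    *event = status >> 16;              /* 0 unless a PTRACE_EVENT_* stop */
    if (WSTOPSIG(status) == (SIGTRAP | 0x80))
        return STOP_SYSCALL;
    if (WSTOPSIG(status) == SIGTRAP && *event != 0)
        return STOP_EVENT;
    return STOP_SIGNAL;
}

/* Tracer-side bookkeeping; assumes every stop since tracee start was seen. */
const char *label_syscall_stop(int *in_syscall)
{
    *in_syscall = !*in_syscall;
    return *in_syscall ? "enter" : "exit";
}

int main(void)
{
    int status, event = 0, in_syscall = 0;
    pid_t pid = fork();
    if (pid < 0) return 1;
    if (pid == 0) {                     /* tracee: one syscall, then exit */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);
        getppid();
        _exit(0);
    }
    waitpid(pid, &status, 0);           /* initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == 0 &&
           waitpid(pid, &status, 0) > 0 &&
           classify_stop(status, &event) != NOT_STOPPED)
        if (classify_stop(status, &event) == STOP_SYSCALL)
            printf("status=%#x syscall-%s-stop\n", (unsigned)status,
                   label_syscall_stop(&in_syscall));
    return 0;
}
```

Every syscall-stop line printed by the tracer shows the same status value; only the flipped flag tells the two kinds apart.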