From mboxrd@z Thu Jan  1 00:00:00 1970
From: ramsdell@mitre.org (John D. Ramsdell)
Subject: Re: An autrace that follows forks
Date: 12 Oct 2006 07:09:05 -0400
Message-ID: <ogt4pu9bxke.fsf@divan.mitre.org>
References: <ogtbqoiwraf.fsf@divan.mitre.org>
	<1160600130.10063.34.camel@code.and.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1160600130.10063.34.camel@code.and.org>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: James Antill <james.antill@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

James Antill <james.antill@redhat.com> writes:

>  Note that although the FC5 kernel-headers package might well not be
> updated, it's very likely that FC5 already has a kernel that supports
> the PTRACE_O_ options[1]. So, personally, I'd just have something like:
> 
> #ifndef PTRACE_O_TRACEFORK
> # define PTRACE_O_TRACEFORK 0x00000002 /* from kernel-2.6.x */
> #endif

Ah, and also do the same for PTRACE_EVENT_FORK and PTRACE_GETEVENTMSG.
I'm guessing using these options makes it so that signals are only
sent when a process is forked, not at every system call.

I grep'd the kernel documentation directory but didn't find much of
interest on ptrace.  I haven't looked at the kernel sources yet.
Googling on PTRACE_EVENT_FORK and the like keeps leading me to GDB, so
I plan to look at the sources.

http://www.cygwin.com/ml/gdb-patches/2003-08/msg00274.html

Thanks for your help.

John