An autrace that follows forks

[ramsdell@mitre.org (John D. Ramsdell)]

I plan to write a version of autrace that follows forks.  When run in
follow forks mode, it will ptrace the child.  Each time the child or
one of its descendents creates a new process, the program will use the
API provided by libaudit to add an audit rule for the freshly created
process.  If I hear of interest in this capability, I'll prepare a
patch against the most recent audit source release, and share.

Last summer, someone else in my company made a simple version of a
fork following tracer based on the audit library; however it does not
compile on my FC5 machine.  The reason is he was including the
kernel's headers for ptrace, which defines PTRACE_O_TRACEFORK and
other symbols not part of the standard ptrace header.  I don't like
the idea of requiring kernel headers to compile the extended version
autrace.

I studied the strace source code, in particular, strace.c and
process.c.  I ran the preprocessor on these files using the options
created on an FC5 machine, and my comments refer to the preprocessed
version of these source files.

When asked to follow forks, in addition to calling ptrace with the
PTRACE_TRACEME option in the child, strace uses procfs to find the
task ID of the process PID in the directory /proc/PID/task.
Apparently, it's the only file name in the directory that parses as a
positive number.  Using ptrace to attach to the task ID allows strace
to follow forks.  I'm guessing that I have to set a ptrace option so
that the parent is signaled on every descendent system call, and
inspect each system call to see if a new process was created.  I bet
following more of the strace logic will allow me to figure out these
details.  

I'm worried that blindly following strace's ways may lead me astray.
Is there someplace I can find high-level documentation on when to use
ptrace and when to use the procfs?  Should I also study the GDB
sources?

John