From: ramsdell@mitre.org (John D. Ramsdell)
Subject: Ptrace loses track of a forked child
Date: 30 Jun 2007 10:14:53 -0400
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I thought I was very close to finishing up an application that uses the audit system to perform a task formerly done by a modified version of strace. Alas, one of the programs I had working last October no longer works. The broken program uses ptrace to add an audit rule for each child process forked by the traced application. It adds the rule before the child runs by handling a SIGTRAP generated as a result of tracing the original child with the PTRACE_O_TRACEFORK option.

I tried to follow the changes to kernel/ptrace.c via linuxhq, but I got little from that exercise. I ended up submitting a bug report here:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246330

If there is something else I should be doing, please advise.

I notice there are two other ptrace-related bugs reported for Fedora 7. Both have been assigned to Roland McGrath, a primary maintainer of strace. I bet he gets assigned this bug report too. Roland doesn't like the changes I make to strace that allow it to display the security contexts associated with traced objects, so he'll remember me.

One final question. Have there been any other efforts aimed at allowing the audit system to follow forks of traced processes? Alternatives to my ptrace solution would be greatly appreciated at this time.

John
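As an added illustration of the tracing technique the message describes (not code from the original post or from the author's tool): a minimal Linux tracer that sets PTRACE_O_TRACEFORK on a traced child, catches the PTRACE_EVENT_FORK stop, and reads the new child's PID with PTRACE_GETEVENTMSG while that new child is still stopped and has not yet run, which is the point at which an audit rule could be added. The on_new_child hook and last_child_seen are assumed placeholders for that rule-adding step; the function returns -1 where ptrace is unavailable.

```c
#define _GNU_SOURCE              /* for __WALL */
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical hook standing in for "add an audit rule for this pid". */
pid_t last_child_seen = 0;
static void on_new_child(pid_t pid) { last_child_seen = pid; }

/* Trace a child that forks once; return the grandchild PID from the fork event, or -1. */
pid_t trace_one_fork(void)
{
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {                          /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2);
        raise(SIGSTOP);                        /* let the tracer set options first */
        pid_t gc = fork();
        if (gc == 0) _exit(0);                 /* grandchild does nothing */
        waitpid(gc, NULL, 0);
        _exit(0);
    }
    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)(long)PTRACE_O_TRACEFORK) < 0) {
        kill(child, SIGKILL); waitpid(child, NULL, 0); return -1;
    }
    ptrace(PTRACE_CONT, child, NULL, NULL);
    pid_t grandchild = -1;
    for (;;) {                                 /* tracer loop over child and grandchild */
        pid_t w = waitpid(-1, &status, __WALL);
        if (w < 0 || (w == child && WIFEXITED(status))) break;
        if (!WIFSTOPPED(status)) continue;     /* grandchild exited */
        int is_fork = (status >> 8) == (SIGTRAP | (PTRACE_EVENT_FORK << 8));
        if (w == child && is_fork) {
            unsigned long msg = 0;
            ptrace(PTRACE_GETEVENTMSG, child, NULL, &msg);
            grandchild = (pid_t)msg;           /* new task is stopped, has not run yet */
            on_new_child(grandchild);          /* the audit rule would be added here */
        }
        /* Do not inject ptrace-generated stops back into the tracee; forward real signals. */
        int sig = (is_fork || WSTOPSIG(status) == SIGSTOP) ? 0 : WSTOPSIG(status);
        ptrace(PTRACE_CONT, w, NULL, (void *)(long)sig);
    }
    return grandchild;
}

int main(void) { printf("grandchild observed: %d\n", (int)trace_one_fork()); return 0; }
```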