From: ramsdell@mitre.org (John D. Ramsdell)
Subject: Re: An autrace that follows forks
Date: 15 Oct 2006 11:38:16 -0400
References: <1160600130.10063.34.camel@code.and.org>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

ramsdell@mitre.org (John D. Ramsdell) writes:

> The tricky part seems to be that the SIGTRAP generated by the
> parent's immediate child has to be converted to a SIGSTOP before
> continuing the child.

If you trace a shell, you find out you must always convert a SIGTRAP to a SIGSTOP.
John

> static int                              /* Watch all children */
> watch(pid_t pid)                        /* This process' child is pid */
> {                                       /* Function returns an exit code */
>     if (add_rule(pid))
>         return 1;
>     for (;;) {
>         int status;
>         pid = wait_for_it(&status);
>         if (pid < 0) {
>             if (errno == ECHILD)        /* No children to wait for */
>                 return 0;               /* Declare success */
>             perror("wait");
>             return 1;
>         }
>         if (WIFSTOPPED(status)) {
>             int signal = WSTOPSIG(status);
>             if (signal == SIGTRAP) {    /* Tracing causes this signal */
                  signal = SIGSTOP;
>                 unsigned long msg;
>                 if (geteventmsg(pid, &msg) < 0) {
>                     perror("ptrace(PTRACE_GETEVENTMSG, ...)");
>                     return 1;
>                 }
>                 pid_t child = (pid_t)msg;
>                 if (child) {
>                     /* The child of each traced fork is noted here */
>                     if (add_rule(child))
>                         return 1;
>                 }
>                 /* Only this process' child gets to this location, and just
>                    one time */
>                 else if (setoptions(pid, PTRACE_O_TRACEFORK) < 0) {
>                     perror("ptrace(PTRACE_SETOPTIONS, ...)");
>                     return 1;
>                 }
                  /* Wrong
>                 else
>                     signal = SIGSTOP; */
>             }
>             if (restart(pid, signal) < 0) {
>                 perror("ptrace(PTRACE_CONT, ...)");
>                 return 1;
>             }
>         }
>     }
> }
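A complete fork-following tracer loop of the kind discussed in this thread, added here as an example; it is not John's code or the audit project's, and the names watch_forks, ptrace_event and signal_to_inject are assumed, with add_rule() stood in for by printf. It distinguishes ptrace-generated stops (the PTRACE_EVENT_FORK and exec event stops, and a new tracee's initial SIGSTOP) from real signals by the event bits of the wait status, and restarts those with signal 0 as ptrace(2) documents, instead of the SIGTRAP-to-SIGSTOP conversion described above.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Event number of a ptrace event stop (bits 16 and up; WSTOPSIG is SIGTRAP), 0 for a plain stop. */
int ptrace_event(int status) { return WIFSTOPPED(status) ? status >> 16 : 0; }

/* Data argument for PTRACE_CONT: real signals are forwarded, but the SIGTRAP of an event
 * stop and the SIGSTOP a new tracee starts with were generated by ptrace and must not be
 * injected (a forwarded SIGTRAP kills the tracee). Assumes nobody else sends it SIGSTOP. */
int signal_to_inject(int status)
{
    int sig = WSTOPSIG(status);
    return (ptrace_event(status) || sig == SIGSTOP) ? 0 : sig;
}

/* Run argv under ptrace and follow every fork(); add_rule() from the mail is stood in
 * for by printf (assumed name, not the audit project's API). Returns an exit code. */
int watch_forks(char **argv)
{
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                            /* stop so the tracer can set options */
        execvp(argv[0], argv);
        _exit(127);
    }
    printf("add_rule(%d)\n", (int)pid);
    for (;;) {
        int status;
        pid_t who = waitpid(-1, &status, __WALL);  /* __WALL: every tracee, clones included */
        if (who < 0) return errno == ECHILD ? 0 : 1; /* ECHILD: no tracees left, success */
        if (!WIFSTOPPED(status)) continue;         /* exited or killed: nothing to restart */
        if (WSTOPSIG(status) == SIGSTOP)           /* first stop; TRACEEXEC makes exec an event too */
            ptrace(PTRACE_SETOPTIONS, who, NULL, (void *)(long)(PTRACE_O_TRACEFORK | PTRACE_O_TRACEEXEC));
        if (ptrace_event(status) == PTRACE_EVENT_FORK) {
            unsigned long child;                   /* new child is already attached and stopped */
            if (ptrace(PTRACE_GETEVENTMSG, who, NULL, &child) == 0)
                printf("add_rule(%lu)  /* forked by %d */\n", child, (int)who);
        }
        ptrace(PTRACE_CONT, who, NULL, (void *)(long)signal_to_inject(status));
    }
}

int main(int argc, char **argv) { return argc > 1 ? watch_forks(argv + 1) : 2; }
```

Only fork() (clone with exit signal SIGCHLD) is followed; vfork- or clone-based spawns need PTRACE_O_TRACEVFORK / PTRACE_O_TRACECLONE as well.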