osg*_*sgx 9 linux ptrace trace fork
子进程可以使用ptrace系统调用来跟踪其父进程吗?
Os是linux 2.6
谢谢.
upd1:我想跟踪"自身"中的process1.这是不可能的,所以我做分叉并尝试ptrace(process1_pid, PTRACE_ATTACH)从子进程做.但是我不能,有一个奇怪的错误,比如内核禁止孩子跟踪他们的父进程
UPD2:安全策略可以禁止这种跟踪.这样做的政策是什么?内核中的检查代码在哪里?
UPD3:在我的嵌入式Linux上,PEEKDATA没有错误,但GETREGS没有错误:
child: getregs parent: -1
errno is 1, strerror is Operation not permitted
errno = EPERM
这个问题真让我感兴趣.所以我写了一些代码来试试.
首先要记住,在跟踪进程时,跟踪进程成为大多数用途的父进程,除了名称(即getppid()).首先,PTRACE_ATTACH本手册部分的摘要是有帮助的:
PTRACE_ATTACH
Attaches to the process specified in pid, making it a traced
"child" of the calling process; the behavior of the child is as
if it had done a PTRACE_TRACEME. The calling process actually
becomes the parent of the child process for most purposes (e.g.,
it will receive notification of child events and appears in
ps(1) output as the child's parent), but a getppid(2) by the
child will still return the PID of the original parent. The
child is sent a SIGSTOP, but will not necessarily have stopped
by the completion of this call; use wait(2) to wait for the
child to stop. (addr and data are ignored.)
现在这里是我编写的代码,用于测试和验证您实际上可以是ptrace()您的父级(您可以通过将其转储到名为blah.c并运行的文件中来构建它make blah:
#include <assert.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
int main()
{
pid_t pid = fork();
assert(pid != -1);
int status;
long readme = 0;
if (pid)
{
readme = 42;
printf("parent: child pid is %d\n", pid);
assert(pid == wait(&status));
printf("parent: child terminated?\n");
assert(0 == status);
}
else
{
pid_t tracee = getppid();
printf("child: parent pid is %d\n", tracee);
sleep(1); // give parent time to set readme
assert(0 == ptrace(PTRACE_ATTACH, tracee));
assert(tracee == waitpid(tracee, &status, 0));
printf("child: parent should be stopped\n");
printf("child: peeking at parent: %ld\n", ptrace(PTRACE_PEEKDATA, tracee, &readme));
}
return 0;
}
请注意,我正在利用父虚拟地址空间的复制来了解要查找的位置.还要注意,当孩子终止时,我怀疑有一个隐含的分离,必须允许父母继续,我没有进一步调查.
| 归档时间: |
|
| 查看次数: |
4190 次 |
| 最近记录: |