11

子进程可以使用ptrace系统调用来跟踪其父进程吗?

操作系统是linux 2.6

谢谢。

upd1:我想从“自身”跟踪 process1。这是不可能的,所以我做 fork 并尝试ptrace(process1_pid, PTRACE_ATTACH)从子进程中做。但我不能,有一个奇怪的错误,比如内核禁止子跟踪他们的父进程

UPD2:安全策略可以禁止此类跟踪。哪些政策会这样做?内核中的检查代码在哪里?

UPD3:在我的嵌入式 linux 上,PEEKDATA 没有错误,但 GETREGS 没有:

child: getregs parent: -1
errno is 1, strerror is Operation not permitted

错误号 = EPERM

4

2 回答 2

10

这个问题真的让我很感兴趣。所以我写了一些代码来尝试一下。

首先请记住,在跟踪进程时,跟踪进程在大多数情况下都成为父进程,但名称除外(即getppid())。首先,PTRACE_ATTACH手册部分的片段很有帮助:

   PTRACE_ATTACH
          Attaches to the process specified in pid,  making  it  a  traced
          "child"  of the calling process; the behavior of the child is as
          if it had done a PTRACE_TRACEME.  The calling  process  actually
          becomes the parent of the child process for most purposes (e.g.,
          it will receive notification of  child  events  and  appears  in
          ps(1)  output  as  the  child's parent), but a getppid(2) by the
          child will still return the PID of  the  original  parent.   The
          child  is  sent a SIGSTOP, but will not necessarily have stopped
          by the completion of this call; use  wait(2)  to  wait  for  the
          child to stop.  (addr and data are ignored.)

现在这是我编写的代码,用于测试并验证您实际上是否可以成为ptrace()您的父母(您可以通过将其转储到名为blah.c并运行的文件中来构建它make blah

#include <assert.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>

int main()
{
    pid_t pid = fork();
    assert(pid != -1);
    int status;
    long readme = 0;
    if (pid)
    {
        readme = 42;
        printf("parent: child pid is %d\n", pid);
        assert(pid == wait(&status));
        printf("parent: child terminated?\n");
        assert(0 == status);
    }
    else
    {
        pid_t tracee = getppid();
        printf("child: parent pid is %d\n", tracee);
        sleep(1); // give parent time to set readme
        assert(0 == ptrace(PTRACE_ATTACH, tracee));
        assert(tracee == waitpid(tracee, &status, 0));
        printf("child: parent should be stopped\n");
        printf("child: peeking at parent: %ld\n", ptrace(PTRACE_PEEKDATA, tracee, &readme));
    }
    return 0;
}

请注意,我正在利用父虚拟地址空间的复制来知道在哪里查找。另请注意,当孩子随后终止时,我怀疑存在必须允许父母继续的隐式分离,我没有进一步调查。

于 2010-02-07T06:35:03.283 回答
1

是的,这是可能的......即使是 GETREGS 也可以。检查 x86(基于 Matt Joiner 代码,谢谢他)

#include <assert.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>

int main()
{
    pid_t pid = fork();
//    assert(pid != -1);
    int status;
    long readme = 0;
    struct user_regs_struct regs;
    if (pid)
    {
        readme = 42;
        printf("parent: child pid is %d\n", pid);
        assert(pid == wait(&status));
        printf("parent: child terminated?\n");
        assert(0 == status);
    }
    else
    {
        pid_t tracee = getppid();
        printf("child: parent pid is %d\n", tracee);
        sleep(1); // give parent time to set readme
        assert(0 == ptrace(PTRACE_ATTACH, tracee));
        assert(tracee == waitpid(tracee, &status, 0));
        printf("child: parent should be stopped\n");
        printf("child: peeking at parent: %ld\n", ptrace(PTRACE_PEEKDATA, tracee, &readme, NULL));
        printf("Regs was %p, %p, %p, %p; &status is %p \n", regs.eax, regs.ebx, regs.ecx, regs.edx, &status);
        printf("child: getregs parent: %ld\n", ptrace(PTRACE_GETREGS, tracee, NULL, &regs));
        printf("Regs is %p, %p, %p, %p; &status is %p \n", regs.eax, regs.ebx, regs.ecx, regs.edx, &status);
    }
    return 0;
}

结果:

child: parent pid is 1188
parent: child pid is 1189
child: parent should be stopped
child: peeking at parent: 42
Regs was (nil), (nil), (nil), (nil); &status is 0xbfffea50
child: getregs parent: 0
Regs is 0xfffffe00, 0xffffffff, 0xbfffea50, (nil); &status is 0xbfffea50
parent: child terminated?
于 2010-02-08T14:54:20.177 回答