Chapter 13: System Calls
❑ Helping to resume program flow. The kernel must, of course, be informed that execution
will be stopped at the next system call; this is done using theptracerequestPTRACE_
SYSCALL.Program flow is obvious once the ball is rolling. A system call requested by the traced process triggers
theptracemechanism in the kernel, which sends aCHLDsignal to the tracer process. The handler of the
tracer process reads the required information — the number of the system call — and outputs it, again
using theptracemechanism. Execution of the traced process is resumed and interrupted again when a
system call is invoked.But how is the ball set rolling? Somehow or other the handler function must be invoked for the first time
in order to log system call tracing. As noted above, the kernel also sendsSIGCHLDsignals to the tracer
process when a signal is sent to thetracedprocess — in doing so, it invokes the same handler function acti-
vated when a system call occurs. The fact that the kernel automatically sends aSTOPsignal to the traced
process when tracing is initiated ensures that the handler function is invoked when tracing starts — even
if the process receives no other signals. This sets the ball — that is, system call tracing — rolling.Kernel-SideImplementation
As expected, the handler function for theptracesystem call is calledsys_ptrace. The architecture-
independent part of the implementation that is usedfor all except a handful of architectures can be
found inkernel/ptrace.c. The architecture-dependent part, that is, the functionarch_ptrace, is located
inarch/arch/kernel/ptrace.c. Figure 13-2 shows the code flow diagram.YesNoarch_ptrace Perform request specific operationsys_ptraceptrace_get_task_structPTRACE_ATTACH requested? ptrace_attachptrace_check_attachFigure 13-2: Code flow diagram forsys_ptrace.Theptracesystem call is dominated by itsrequestparameter — this is immediately apparent in the
structure of its code. Preliminary work is carried out, primarily to determine thetask_structinstance
of the passed PID usingptrace_get_task_struct. This basically usesfind_task_by_vpidto find the
required instance oftask_struct, but also prevents tracing of theinitprocess — the ptrace operation
is aborted if a value of 1 is passed forpid.Starting Tracing
Process task structures include severalptrace-specific elements that are needed below.struct task_struct {
...