Linux Kernel Architecture

(Jacob Rumans) #1

Chapter 13: System Calls


unsigned int ptrace;
...
/* ptrace_list/ptrace_children forms the list of my children
 * that were stolen by a ptracer. */
struct list_head ptrace_children;
struct list_head ptrace_list;
...
struct task_struct *real_parent; /* real parent process (when being debugged) */
...
};


If PTRACE_ATTACH is set, ptrace_attach establishes a link between the tracer process and the target
process. When this is done,

❑ The ptrace element of the target process is set to PT_TRACED.
❑ The tracer process becomes the parent process of the target process (the real parent process is
held in real_parent).
❑ The traced process is added to the ptrace_children list of the tracer using the ptrace_list task
structure element.
❑ A STOP signal is sent to the traced process.

If a different action from PTRACE_ATTACH was requested, ptrace_check_attach first checks whether
a tracer is attached to the process, and the code splits depending on the particular ptrace operation.
This is handled in arch_ptrace; the function is defined by every architecture and cannot be provided
by the generic code. However, this is not entirely true: Some requests can, in fact, be handled by
architecture-independent code, and they are handled in ptrace_request (from kernel/ptrace.c) called
by arch_ptrace. Only very simple requests are processed by this function. For example, PTRACE_DETACH
to detach a tracer from a process is one of them.

Usually, a large case structure that deals separately with each case (depending on the request
parameter) is employed for this purpose. I discuss only some important cases: PTRACE_ATTACH and
PTRACE_DETACH, PTRACE_SYSCALL, PTRACE_CONT as well as PTRACE_PEEKDATA and PTRACE_POKEDATA. The
implementation of the remaining requests follows a similar pattern.

All further tracing actions performed by the kernel are present in the signal handler code discussed in
Chapter 5. When a signal is delivered, the kernel checks whether the PT_TRACED flag is set in the ptrace
field of task_struct. If it is, the state of the process is set to TASK_STOPPED (in get_signal_to_deliver
in kernel/signal.c) in order to interrupt execution. notify_parent with the CHLD signal is then used
to inform the tracer process. (The tracer process is woken up if it happens to be sleeping.) The tracer
process then performs the desired checks on the target process as specified by the remaining ptrace
options.

Implementation of PTRACE_CONT and _SYSCALL


PTRACE_CONT resumes a traced process after it was suspended owing to delivery of a signal. The
kernel-side implementation of this function is strongly associated with PTRACE_SYSCALL (which
suspends a traced process not only after the arrival of a signal but also before and after system calls are
invoked).
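The attach sequence described above (tracer becomes parent, SIGSTOP delivered, stop reported to the tracer) and the PTRACE_SYSCALL stops from this section can be observed from user space. The following is an added example, not code from the book: a tracer forks a child, attaches with PTRACE_ATTACH, waits for the attach SIGSTOP, reads one word of the child's memory with PTRACE_PEEKDATA, collects a few syscall-entry/exit stops with PTRACE_SYSCALL, and detaches. MARKER_VALUE, WANTED_STOPS, child_marker, child_loop and trace_child are names chosen here; the child body is constructed and only issues nanosleep calls so there is something to trace. It is Linux-only, and on a system where Yama ptrace_scope or a seccomp policy forbids tracing the attach fails and the result reports attached = 0.

```c
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define MARKER_VALUE 0x1234L  /* constructed value; the tracer reads it back from the child */
#define WANTED_STOPS 6        /* three syscall entries plus three exits */

/* fork() copies the address space, so this sits at the same address in the child. */
static volatile long child_marker = MARKER_VALUE;

struct trace_result { int attached, stop_sig_seen, syscall_stops, exited; long peeked; };

/* Child body (constructed): issue syscalls for about a second so the tracer has something to see. */
static void child_loop(void) {
    struct timespec ts = { 0, 5 * 1000 * 1000 };
    for (int i = 0; i < 200; i++) nanosleep(&ts, NULL);
    _exit(0);
}

struct trace_result trace_child(void) {
    struct trace_result r = { 0, 0, 0, 0, 0 };
    int status;
    pid_t pid = fork();
    if (pid == 0) child_loop();
    if (pid < 0) return r;
    /* PTRACE_ATTACH: child gets PT_PTRACED, we become its parent, it is sent SIGSTOP.
     * Fails with EPERM where Yama ptrace_scope or a seccomp policy forbids tracing. */
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        kill(pid, SIGKILL); waitpid(pid, &status, 0); return r;
    }
    r.attached = 1;
    /* The attach SIGSTOP is reported to the tracer (now the parent) through waitpid(). */
    if (waitpid(pid, &status, 0) == pid && WIFSTOPPED(status) && WSTOPSIG(status) == SIGSTOP)
        r.stop_sig_seen = 1;
    /* Syscall stops become SIGTRAP|0x80 so they are distinguishable from signal stops. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    r.peeked = ptrace(PTRACE_PEEKDATA, pid, (void *)&child_marker, NULL);
    /* PTRACE_SYSCALL resumes the child until its next syscall entry or exit. */
    while (r.syscall_stops < WANTED_STOPS) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1 || waitpid(pid, &status, 0) != pid) break;
        if (!WIFSTOPPED(status)) { r.exited = WIFEXITED(status); return r; }
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) r.syscall_stops++;
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);  /* child resumes and finishes on its own */
    if (waitpid(pid, &status, 0) == pid) r.exited = WIFEXITED(status);
    return r;
}
```

The SIGTRAP|0x80 convention comes from PTRACE_O_TRACESYSGOOD; without it a syscall stop and a real SIGTRAP delivered to the child look identical to the tracer.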