Linux Kernel Architecture


Chapter 13: System Calls


Both are discussed in the same section because their code differs only slightly:

❑ When PTRACE_SYSCALL is used, the TIF_SYSCALL_TRACE flag is set in the task structure of the
monitored process.
❑ When PTRACE_CONT is used, the flag is removed using clear_tsk_thread_flag.

Both flag routines operate on the corresponding bit in the flags field of the thread_info instance of the process.

Once the flag has been set or removed, the kernel need only wake the traced process using
wake_up_process before resuming its normal work.

What are the effects of the TIF_SYSCALL_TRACE flag? Because invoking system calls is very
hardware-related, the effects of the flag extend into the assembly language source code of entry.S. If the flag is set,
the C function do_syscall_trace is invoked on system call completion — but only on IA-32, PPC, and
PPC64 systems. Other architectures use other mechanisms not described here.

Nevertheless, the effects of the flag are the same on all supported platforms. Before and after the
execution of a system call by the monitored process, the process state is set to TASK_STOPPED, and the tracer is
informed accordingly by means of a CHLD signal. Required information can then be extracted from the
contents of registers or specific memory areas.

Stopping Tracing


Tracing is disabled using PTRACE_DETACH, which causes the central ptrace handler to delegate this task
to the ptrace_detach function in kernel/ptrace.c. The task itself comprises the following steps:


  1. The architecture-specific hook ptrace_disable allows for performing any required
    low-level operations to stop tracing.

  2. The flag TIF_SYSCALL_TRACE is removed from the child's thread flags.

  3. The ptrace element of the task_struct instance is reset to 0, and the target process is
    removed from the ptrace_children list of the tracer process.

  4. The parent process is reset to the original task by overwriting task_struct->parent with
    the value stored in real_parent.


The traced process is woken up with wake_up_process so that it can resume its work.

Reading and Modifying Target Process Data


PTRACE_PEEKDATA reads information from the data segment.^12 The ptrace call requires two parameters
for the request:

❑ addr specifies the address to be read in the data segment.
❑ data accepts the associated result.

^12 Because memory management does not differentiate between text and data segments — both begin at different addresses but are
accessed in the same way — the information provided applies equally for PTRACE_PEEKTEXT.
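An added example, not from the book or the kernel sources, that exercises the three operations described above from user space on x86-64 Linux: the tracer forks a child that asks to be traced with PTRACE_TRACEME, resumes it with PTRACE_SYSCALL (the request that sets TIF_SYSCALL_TRACE), reads the register contents at each system call entry stop, copies the buffer of a write(2) out of the tracee with PTRACE_PEEKDATA, and finally ends tracing with PTRACE_DETACH. PTRACE_O_TRACESYSGOOD, PTRACE_GETREGS and the orig_rax/rsi register names are x86-64 Linux details the page does not mention; the helper names classify_stop, ptrace_peek, peek_string, local_peek and peek_fn are my own, and local_mem is a constructed stand-in for tracee memory so the copy loop can be run without a live tracee.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
enum stop_kind { STOP_SYSCALL, STOP_SIGNAL, STOP_EXITED, STOP_OTHER };

/* Classify a waitpid() status. With PTRACE_O_TRACESYSGOOD set, a syscall stop
 * reports SIGTRAP | 0x80, which distinguishes it from a genuine SIGTRAP. */
enum stop_kind classify_stop(int status)
{
    if (WIFEXITED(status) || WIFSIGNALED(status))
        return STOP_EXITED;
    if (WIFSTOPPED(status))
        return WSTOPSIG(status) == (SIGTRAP | 0x80) ? STOP_SYSCALL : STOP_SIGNAL;
    return STOP_OTHER;
}

typedef long (*peek_fn)(pid_t pid, unsigned long addr, int *err); /* word reader, swappable for tests */

/* PTRACE_PEEKDATA returns the word itself, so -1 is ambiguous: clear errno
 * first and treat -1 as an error only if errno is set afterwards. */
static long ptrace_peek(pid_t pid, unsigned long addr, int *err)
{
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, pid, (void *)addr, NULL);
    *err = (word == -1 && errno != 0) ? errno : 0;
    return word;
}

/* Copy a NUL-terminated string out of the tracee word by word; -1 if a peek failed. */
long peek_string(pid_t pid, unsigned long addr, char *out, size_t cap, peek_fn peek)
{
    size_t n = 0;
    while (n + 1 < cap) {
        int err;
        long word = peek(pid, addr + n, &err);
        if (err) return -1;
        unsigned char bytes[sizeof word];
        memcpy(bytes, &word, sizeof word);
        for (size_t i = 0; i < sizeof word && n + 1 < cap; i++) {
            out[n] = (char)bytes[i];
            if (bytes[i] == '\0') return (long)n;
            n++;
        }
    }
    out[n] = '\0';
    return (long)n;
}

/* Constructed stand-in for tracee memory (zero-padded to 32 bytes), read word by word. */
static const char local_mem[32] = "hello, world";
long local_peek(pid_t pid, unsigned long addr, int *err)
{
    long word = 0; (void)pid; *err = 0;
    if (addr + sizeof word > sizeof local_mem) { *err = EIO; return -1; }
    memcpy(&word, local_mem + addr, sizeof word);
    return word;
}

int main(void)
{
#ifdef __x86_64__                                    /* register names are x86-64 specific */
    pid_t pid = fork();
    if (pid == 0) {                                  /* tracee */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                              /* wait for the tracer to set options */
        const char msg[] = "hello from the tracee\n";
        write(STDOUT_FILENO, msg, sizeof msg - 1);
        _exit(0);
    }
    int status, in_syscall = 0;
    waitpid(pid, &status, 0);                        /* the initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, NULL);     /* sets TIF_SYSCALL_TRACE, wakes tracee */
        waitpid(pid, &status, 0);
        enum stop_kind k = classify_stop(status);
        if (k == STOP_EXITED) break; else if (k != STOP_SYSCALL) continue;
        if (!(in_syscall = !in_syscall)) continue;   /* stops come in entry/exit pairs; skip exits */
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        printf("tracee entered syscall %llu\n", regs.orig_rax);
        if (regs.orig_rax == SYS_write) {
            char buf[64];
            long len = peek_string(pid, regs.rsi, buf, sizeof buf, ptrace_peek);
            if (len >= 0) printf("write() buffer (%ld bytes): %s", len, buf);
            ptrace(PTRACE_DETACH, pid, NULL, NULL);  /* clear flag, reparent, wake */
            waitpid(pid, &status, 0);
            break;
        }
    }
#endif
    return 0;
}
```

Two points the description on this page implies but does not spell out are visible here: PTRACE_PEEKDATA hands back the word in its return value, so a result of -1 is only an error when errno was cleared beforehand and is non-zero afterwards; and the stops before and after each system call look identical in the wait status, so the tracer must keep its own entry/exit toggle (or use PTRACE_O_TRACESYSGOOD only to separate syscall stops from ordinary signal stops, as done above).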
