strace -f (v4.7) randomly failing on grsecurity and Ubuntu kernels

Brad Spengler spender at grsecurity.net
Tue May 8 23:43:28 UTC 2012


Hi guys,

I'm writing to report this before the recent release sees more 
widespread use.  I've already had one report from a user of strace v4.7 
failing on a grsecurity kernel when run with the -f argument.  Strace 
(due to what IMO is a bug) is randomly conflicting with a feature of 
grsecurity that prevents ptracing processes other than one's descendants.  
Since Ubuntu's kernel carries the same logic/algorithm as grsecurity 
through the Yama module, strace will likewise fail on their kernels.

I've investigated the problem a bit.  The failing code (in strace.c) is:
                if (tracee_pid != pid) {
                        found_grandchild = tracee_pid;
                        if (ptrace(PTRACE_CONT, tracee_pid, 0, 0) < 0) {
                                kill_save_errno(tracee_pid, SIGKILL);
                                kill_save_errno(pid, SIGKILL);
                                perror_msg_and_die("PTRACE_CONT doesn't work");
                        }
                        continue;
                }

This happens because of the raciness of the following code (in strace.c):
        if (pid == 0) {
                pid = getpid();
                if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0)
                        perror_msg_and_die("%s: PTRACE_TRACEME doesn't work",
                                           __func__);
                kill_save_errno(pid, SIGSTOP);
                if (fork() < 0)
                        perror_msg_and_die("fork");
                _exit(0);
        }

Sometimes the child exits before the PTRACE_CONT is issued against the 
grandchild, while other times the child exits after.  If the child exits 
after, there are no issues, as the grandchild keeps its descendant 
relation to the ptracing grandparent.  If the child exits before, 
however, it gets reparented to init, breaking the ability to walk back 
through the ancestors of the grandchild to reach the (previous) 
grandparent.  Because of this, grsecurity (and Ubuntu) will deny the 
ptrace to the grandchild.

Let me know if you need straces of the failing and successful cases in 
order to fix the bug, but it should be as simple as adding a wait 
before exiting out of the child.

Thanks,
-Brad
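As an added example (not strace's or grsecurity's code), this C program models the ancestry walk those kernels perform by reading PPid from /proc in user space, and reproduces both orderings of the race described above: the child exiting before the tracer looks at the grandchild, and the child staying alive as the suggested fix would. It assumes Linux with /proc mounted and that the running process is neither PID 1 nor a child subreaper; the real kernel check walks the task tree directly, so this is an approximation of it.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* PPid of `pid` read from /proc/<pid>/status; -1 if unreadable (e.g. gone). */
static pid_t parent_of(pid_t pid)
{
    char path[64], line[256]; int ppid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r"); if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "PPid: %d", &ppid) == 1) break;
    fclose(f); return ppid;
}
/* User-space approximation of the grsecurity/Yama scope rule: walk the
 * PPid chain upward from `target`; is `tracer` one of its ancestors? */
int is_descendant(pid_t tracer, pid_t target)
{
    for (pid_t p = parent_of(target); p > 0; p = parent_of(p))
        if (p == tracer) return 1;
    return 0;
}
/* strace's child -> grandchild probe. child_waits == 0 mimics strace 4.7
 * (child _exits right after fork); 1 keeps the child alive until we are done,
 * as the proposed fix would. Returns 1 if the grandchild is still our descendant
 * at the moment the tracer would issue PTRACE_CONT against it. */
int grandchild_reachable(int child_waits)
{
    int ready[2], release[2];   /* ready: grandchild -> us; release: us -> them */
    pid_t gc = -1, child; char c;
    if (pipe(ready) < 0 || pipe(release) < 0) return -1;
    if ((child = fork()) == 0) {
        close(ready[0]); close(release[1]);
        if ((gc = fork()) < 0) _exit(1);
        if (gc == 0) {                  /* grandchild: announce pid, then park */
            gc = getpid();
            if (write(ready[1], &gc, sizeof gc) != sizeof gc) _exit(1);
            while (read(release[0], &c, 1) > 0) ;
            _exit(0);
        }
        if (child_waits)                /* fix: stay alive until released */
            while (read(release[0], &c, 1) > 0) ;
        _exit(0);                       /* strace 4.7: exit at once */
    }
    close(ready[1]); close(release[0]);
    if (read(ready[0], &gc, sizeof gc) != sizeof gc) return -1;
    if (!child_waits) waitpid(child, NULL, 0);  /* child gone: gc reparented */
    int reachable = is_descendant(getpid(), gc);
    close(release[1]); close(ready[0]);         /* let child and grandchild exit */
    if (child_waits) waitpid(child, NULL, 0);
    return reachable;
}
```

With the child alive the walk reaches the grandparent; once the child has exited, the grandchild's PPid is the reaper and the walk never reaches us, which is the condition under which a scope-1 kernel refuses the ptrace.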