strace -f (v4.7) randomly failing on grsecurity and Ubuntu kernels

Denys Vlasenko vda.linux at
Wed May 9 11:26:59 UTC 2012

On Wed, May 9, 2012 at 1:43 AM, Brad Spengler <spender at> wrote:
> Hi guys,
> I'm writing to report this before the recent release sees more
> widespread use.  I've already had one report from a user of strace v4.7
> failing on a grsecurity kernel when run with the -f argument.  Strace
> (due to what IMO is a bug) is randomly conflicting with a feature of
> grsecurity that prevents ptracing processes other than one's decendents.
> Since Ubuntu's kernel carries the same logic/algorithm as grsecurity
> through the Yama module, strace will likewise fail on their kernels.
> I've investigated the problem a bit.  The failing code (in strace.c) is:
>               if (tracee_pid != pid) {
>                        found_grandchild = tracee_pid;
>                        if (ptrace(PTRACE_CONT, tracee_pid, 0, 0) < 0) {
>                                kill_save_errno(tracee_pid, SIGKILL);
>                                kill_save_errno(pid, SIGKILL);
>                                perror_msg_and_die("PTRACE_CONT doesn't work");
>                        }
>                        continue;
>                }

This code senses that grandchild was found in stopped state.
It sends PTRACE_CONT to grandchild.
What operation fails? PTRACE_CONT?

> This happens because of the raciness of the following code (in strace.c):
>        if (pid == 0) {
>                pid = getpid();
>                if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0)
>                        perror_msg_and_die("%s: PTRACE_TRACEME doesn't work",
>                                           __func__);
>                kill_save_errno(pid, SIGSTOP);
>                if (fork() < 0)
>                        perror_msg_and_die("fork");
>                _exit(0);
>        }
> Sometimes the child exits before the PTRACE_CONT is issued against the
> grandchild, while other times the child exits after.  If the child exits
> after, there are no issues, as the grandchild keeps its descendent
> relation to the ptracing grandparent.  If the child exits before,
> however, it gets reparented to init, breaking the ability to walk back
> through the ancestors of the grandchild to reach the (previous)
> grandparent.  Because of this, grsecurity (and Ubuntu) will deny the
> ptrace to the grandchild.

Are you saying that grsecurity may deny ptrace commands to be sent
to an already-attached tracee??? (As opposed to "grsecurity
denies attaching to a process who isn't our descendant").
If yes, then it sounds like a misfeature in grsecurity.


> Let me know if you need straces of the failing and successful cases in
> order to fix the bug, but it should be as simple as adding a wait
> before exiting out of the child.
> Thanks,
> -Brad
> Version: GnuPG v1.4.9 (GNU/Linux)
> PUQAn1Qpfp5fla4D71StqphlUuIvWiRt
> =tyUJ
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats.
> _______________________________________________
> Strace-devel mailing list
> Strace-devel at

More information about the Strace-devel mailing list