[RFC PATCH] ptrace: add PTRACE_GET_SYSCALL_INFO request

Wed Nov 7 16:44:44 UTC 2018

On 11/07, Andy Lutomirski wrote:
>
>
> > On Nov 7, 2018, at 3:21 AM, Oleg Nesterov <oleg at redhat.com> wrote:
> >
> >> On 11/07, Elvira Khabirova wrote:
> >>
> >> In short, if a 64-bit task performs a syscall through int 0x80, its tracer
> >> has no reliable means to find out that the syscall was, in fact,
> >> a compat syscall, and misidentifies it.
> >> * Syscall-enter-stop and syscall-exit-stop look the same for the tracer.
> >
> > Yes, this was discussed many times...
> >
> > So perhaps it makes sense to encode compat/is_enter in ->ptrace_message,
> > debugger can use PTRACE_GETEVENTMSG to get this info.
>
> As I said before, I strongly object to the use of “compat” here.

Not sure I understand you... I do not like "compat" too, but this patch uses
is_compat/etc and I agree with any naming.

> >> Secondly, ptracers also have to support a lot of arch-specific code for
> >> obtaining information about the tracee. For some architectures, this
> >> requires a ptrace(PTRACE_PEEKUSER, ...) invocation for every syscall
> >> argument and return value.
> >
> > I am not sure about this change... I won't really argue, but imo this
> > needs a separate patch.
>
> Why?  Having a single struct that the tracer can read to get the full state is extremely helpful.

As I said, I won't argue, but why can't it come as a separate change?

More info in ->ptrace_message looks usable even without PTRACE_GET_SYSCALL_INFO,
while ptrace_syscall_info layout/API may need more discussion.

> Also, we really want it to work for seccomp events as well as PTRACE_SYSCALL, and the event info trick doesn’t make sense for seccomp events.

I too thought about PTRACE_EVENT_SECCOMP (or I misunderstoo you?), looks like
another reason to make a separate patch.

> >> +#define PT_IN_SYSCALL_STOP    0x00000004    /* task is in a syscall-stop */
> > ...
> >> -static inline int ptrace_report_syscall(struct pt_regs *regs)
> >> +static inline int ptrace_report_syscall(struct pt_regs *regs,
> >> +                    unsigned long message)
> >> {
> >>    int ptrace = current->ptrace;
> >>
> >>    if (!(ptrace & PT_PTRACED))
> >>        return 0;
> >> +    current->ptrace |= PT_IN_SYSCALL_STOP;
> >>
> >> +    current->ptrace_message = message;
> >>    ptrace_notify(SIGTRAP | ((ptrace & PT_TRACESYSGOOD) ? 0x80 : 0));
> >>
> >>    /*
> >> @@ -76,6 +79,7 @@ static inline int ptrace_report_syscall(struct pt_regs *regs)
> >>        current->exit_code = 0;
> >>    }
> >>
> >> +    current->ptrace &= ~PT_IN_SYSCALL_STOP;
> >>    return fatal_signal_pending(current);
> > ...
> >
> >> +    case PTRACE_GET_SYSCALL_INFO:
> >> +        if (child->ptrace & PT_IN_SYSCALL_STOP)
> >> +            ret = ptrace_get_syscall(child, datavp);
> >> +        break;
> >
> > Why? If debugger uses PTRACE_O_TRACESYSGOOD it can know if the tracee reported
> > syscall entry/exit or not. PTRACE_GET_SYSCALL_INFO is pointless if not, but
> > nothing bad can happen.
>
> I think it’s considerably nicer to the user to avoid reporting garbage if the user misused the API.  (And Elvira got this right in the patch — I just missed it.)

To me PT_IN_SYSCALL_STOP makes no real sense, but I won't argue.

At least I'd ask to not abuse task->ptrace. ptrace_report_syscall() can clear
->ptrace_message on exit if we really want PTRACE_GET_SYSCALL_INFO to fail after
that.

Oleg.