Question: Userspace detection of ptraced process?
From: Jesper Derehag
Date: Thu Jun 27 2013 - 06:23:21 EST
Hi all,
Is there a way of getting info about any task that is being ptraced (from userspace)?
I know that in more recent kernels you can get an event through a NETLINK_CONNECTOR socket.
But I was hoping that you could get the same information say through the siginfo argument to waitid or something similar?
I have tried different variations on the code below but it seems like there is no dependable way to get the siginfo while child_pid is being trapped.
I get rc=-1 when child is traced (and trapped), and therefore siginfo is undefined.
I suspect it might be due to that when you ptrace child, the tracer becomes the parent and that is why I cannot get any accurate siginfo data within the original parent?
The reason for why I do WNOHANG here is that in my application it's very important that I do not block. So I was hoping on just doing a "poll" of the pid status here.

    rc = waitid(P_PID, child_pid, &info, WNOHANG);
    if((rc == 0 || rc == child_pid) && info.si_pid != 0)
        if(info.si_code == CLD_TRAPPED)
            printf("child_pid=%d is being ptraced!", child_pid);

Anyway, any ideas of why waitid(..) doesn't work? And if waitid(..) approach is not possible, are there any additional clever ways to figure out if a child is ptraced other than the NETLINK_CONNECTOR way?
EVENT_PTRACE is unfortunately not available in the kernel I am using at the moment (kernel 3.0).
And no, it's not really possible to update or patch the kernel at this point.
Thanks.
Regards,
Jesper Derehag
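
Added example (not part of the original message, and not the poster's code): one non-blocking way to poll whether a task is ptraced without waitid() or NETLINK_CONNECTOR is to read the TracerPid field of /proc/<pid>/status, which is non-zero while a tracer is attached. The helper names parse_tracer_pid and tracer_pid_of are hypothetical, and the code assumes procfs is mounted at /proc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse "TracerPid:" from the text of a /proc/<pid>/status file.
 * Returns the tracer's PID, 0 if not traced, -1 if missing or malformed. */
long parse_tracer_pid(const char *status_text)
{
    static const char key[] = "TracerPid:";
    const char *line = status_text;

    while (line && *line) {
        if (strncmp(line, key, sizeof(key) - 1) == 0) {
            const char *val = line + sizeof(key) - 1;
            char *end;
            long pid = strtol(val, &end, 10); /* skips the leading tab */
            return (end == val || pid < 0) ? -1 : pid;
        }
        line = strchr(line, '\n'); /* advance to the start of the next line */
        if (line)
            line++;
    }
    return -1;
}

/* Read /proc/<pid>/status once; never waits on the task.
 * Returns tracer PID, 0 if not traced, -1 on error (e.g. task has exited). */
long tracer_pid_of(pid_t pid)
{
    char path[64], buf[4096];
    size_t n;
    FILE *f;

    snprintf(path, sizeof(path), "/proc/%ld/status", (long)pid);
    if (!(f = fopen(path, "r")))
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    long tracer = tracer_pid_of(pid);
    printf("pid %ld: TracerPid=%ld\n", (long)pid, tracer);
    return tracer < 0;
}
```

This is a point-in-time check: a tracer that attaches and detaches between two polls is not seen, so the polling interval bounds what can be detected.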