clues/AutoAttachedTracee_8cxx_source.html

// cosmos

#include <cosmos/error/ApiError.hxx>

#include <cosmos/io/ILogger.hxx>

#include <cosmos/proc/process.hxx>


// clues

#include <clues/AutoAttachedTracee.hxx>

#include <clues/logger.hxx>

#include <clues/syscalls/process.hxx>

#include <clues/sysnrs/generic.hxx>


namespace clues {


namespace {


bool shares_file_descriptors_with_parent(const SystemCall &sc) {


        /*

         * In case of clone() with CLONE_FILES we need to share process data

         * with the parent.

         *

         * In all other cases we need a deep-copy of process data (sharing of

         * the file descriptor table ends).

         *

         * Note: clone() calls with SIGCHILD as exit signal can appear as

         * regular fork events, clone() calls with CLONE_VFORK will appear as

         * regular vfork events. This is the case even if SHARE_FILES is

         * passed to clone(), which doesn't match the fork() semantics.

         *

         * For this reason we cannot rely on the ptrace event for this, but

         * need to inspect the active system call exclusively.

         */


        switch (sc.callNr()) {

                case SystemCallNr::CLONE3: {

                        auto &clone3_sc = dynamic_cast<const Clone3SystemCall&>(sc);

                        const auto args = clone3_sc.cl_args.args();


                        if (args) {

                                return args->flags()[cosmos::CloneFlag::SHARE_FILES];

                        } else {

                                // failes to parse cl_args, what now?

                                return false;

                        }

                }

                case SystemCallNr::CLONE: {

                        // this throws if the cast fails, but this should never happen

                        auto &clone_sc = dynamic_cast<const CloneSystemCall&>(sc);

                        const auto flags = clone_sc.flags.flags();


                        return flags[cosmos::CloneFlag::SHARE_FILES];

                }

                case SystemCallNr::FORK: /* fallthrough */

                case SystemCallNr::VFORK: return false;

                default:

                        LOG_ERROR("PTRACE auto-attach event but last system call is not recognized?!");

                        // we don't know what to do in this case, further tracing is

                        // undefined, might be best to detach?

                        return false;

        }

}


} // end anon ns


AutoAttachedTracee::AutoAttachedTracee(Engine &engine, EventConsumer &consumer, TraceePtr parent) :

                Tracee{engine, consumer, parent} {

}


void AutoAttachedTracee::configure(const cosmos::ProcessID pid, const cosmos::ptrace::Event event,

                const SystemCall &sc) {

        (void)event;

        setPID(pid);

        m_flags.set(Flag::WAIT_FOR_ATTACH_STOP);


        if (!shares_file_descriptors_with_parent(sc)) {

                unshareProcessData();

        }

}


AutoAttachedTracee::~AutoAttachedTracee() {

        try {

                detach();

        } catch (const cosmos::CosmosError &ce) {

                LOG_DEBUG("Couldn't detach from PID " << cosmos::to_integral(m_ptrace.pid()) << ":\n\n" << ce.what());

        }

}


} // end ns


clues::AutoAttachedTracee::AutoAttachedTracee
AutoAttachedTracee(Engine &engine, EventConsumer &consumer, TraceePtr parent)
Create a traced process object by attaching to the given process ID.
Definition AutoAttachedTracee.cxx:65

clues::AutoAttachedTracee::configure
void configure(const cosmos::ProcessID pid, const cosmos::ptrace::Event event, const SystemCall &sc)
Sets the given process ID as the process to be traced.
Definition AutoAttachedTracee.cxx:69

clues::EventConsumer
Callback interface for consumers of tracing events.
Definition EventConsumer.hxx:32

clues::SystemCall
Access to System Call Data.
Definition SystemCall.hxx:47

clues::SystemCall::callNr
SystemCallNr callNr() const
Returns the system call table number for this system call.
Definition SystemCall.hxx:90

clues::Tracee::setPID
void setPID(const cosmos::ProcessID tracee)
Sets the tracee PID.
Definition Tracee.cxx:129

clues::Tracee::Flag::WAIT_FOR_ATTACH_STOP
@ WAIT_FOR_ATTACH_STOP
we're still waiting for the PTRACE_INTERRUPT event stop.
Definition Tracee.hxx:62

clues::Tracee::detach
bool detach()
Attempt to detach the Tracee.
Definition Tracee.cxx:177

clues::Tracee::Tracee
Tracee(Engine &engine, EventConsumer &consumer, TraceePtr sibling=nullptr)
Definition Tracee.cxx:100

clues::Tracee::m_flags
Flags m_flags
These keep track of various state on the tracer side.
Definition Tracee.hxx:442

clues::Tracee::m_ptrace
cosmos::Tracee m_ptrace
libcosmos API for the Tracee.
Definition Tracee.hxx:444

clues::item::CloneArgs::args
const std::optional< cosmos::CloneArgs > & args() const
Returns an optional containing the cosmos::CloneArgs structure, if available.
Definition clone.hxx:60

clues
Definition AutoAttachedTracee.cxx:12

clues::Clone3SystemCall
Definition process.hxx:122

clues::Clone3SystemCall::cl_args
item::CloneArgs cl_args
Combined clone arguments.
Definition process.hxx:132

clues::CloneSystemCall
Wrapper for the clone() and clone2() system calls.
Definition process.hxx:62