clues/syscalls_2process_8cxx_source.html

// clues

#include <clues/syscalls/process.hxx>


namespace clues {


#ifdef CLUES_HAVE_ARCH_PRCTL

void ArchPrctlSystemCall::prepareNewSystemCall() {

        // only keep the `op` parameter

        m_pars.erase(m_pars.begin() + 1, m_pars.end());


        on_off.reset();

        set_addr.reset();

        get_addr.reset();


        on_off_ret.reset();

        result.emplace(item::SuccessResult{});

        setReturnItem(*result);

}


bool ArchPrctlSystemCall::check2ndPass(const Tracee &) {


        using enum item::ArchOpParameter::Operation;


        switch (op.operation()) {

        case SET_CPUID:

                on_off.emplace(item::ULongValue{"enable"});

                addParameters(*on_off);

                break;

        case GET_CPUID:

                result.reset();

                on_off_ret.emplace(item::IntValue{"enabled?", "", ItemType::RETVAL});

                setReturnItem(*on_off_ret);

                break;

        case SET_FS: [[fallthrough]];

        case SET_GS:

                set_addr.emplace(item::GenericPointerValue{"base"});

                addParameters(*set_addr);

                break;

        case GET_FS: [[fallthrough]];

        case GET_GS:

                get_addr.emplace(item::PointerToScalar<unsigned long>{"*base"});

                get_addr->setBase(Base::HEX);

                addParameters(*get_addr);

                break;

        default: /* unknown operation? keep defaults */

                break;

        }


        return true;

}

#endif


void CloneSystemCall::prepareNewSystemCall() {

        /* drop all but the fixed initial two parameters */

        m_pars.erase(m_pars.begin() + 2, m_pars.end());


        /* args */

        parent_tid.reset();

        pidfd.reset();

        child_tid.reset();

        tls.reset();

}


bool CloneSystemCall::check2ndPass(const Tracee &)  {

        // we need these two sizes to match, since a `pid_t*` is used in

        // clone() to store either the child pid or a pidfd at.

        static_assert( sizeof(int) == sizeof(pid_t), "sizeof(int) != sizeof(pid_t)" );

        using enum cosmos::CloneFlag;

        const auto clone_flags = this->flags.flags();


        auto maybe_add_unused_par = [this](const size_t need_index) {

                while (need_index > m_pars.size()) {

                        addParameters(item::unused);

                }

        };


        auto maybe_add_settid_par = [this, clone_flags, maybe_add_unused_par](const size_t pos) {

                if (clone_flags[CHILD_SETTID]) {

                        child_tid.emplace(item::GenericPointerValue{"child_tid", "pointer to child TID in child's memory"});

                        maybe_add_unused_par(pos);

                        addParameters(*child_tid);

                }

        };


        auto maybe_add_settls_par = [this, clone_flags, maybe_add_unused_par](const size_t pos) {

                if (clone_flags[SETTLS]) {

                        tls.emplace(item::GenericPointerValue{"tls", "ABI-specific thread-local-storage data"});


                        maybe_add_unused_par(pos);

                        addParameters(*tls);

                }

        };


        // these two are mutual-exclusive in the old clone() system call

        if (clone_flags[PARENT_SETTID]) {

                parent_tid.emplace(item::PointerToScalar<cosmos::ProcessID>{

                                "parent_tid", "pointer to child TID in parent's memory"});

                addParameters(*parent_tid);

        } else if (clone_flags[PIDFD]) {

                pidfd.emplace(item::PointerToScalar<cosmos::FileNum>{

                                "pidfd", "pointer to pidfd in parent's memory (alternative use of parent_tid)"});

                addParameters(*pidfd);

        }


        /*

         * Things are messy with clone(), the order of parameters differs

         * between ABIs and we might need to skip some parameters by adding

         * item::unused.

         *

         * The man page is a bit sketchy on the ABI details. In the kernel

         * source we have to look for `CONFIG_CLONE_BACKWARDS*`, define in

         * "arch/.../KConfig" as CLONE_BACKWARDS*.

         *

         * The situation for the ABIs we support is as follows:

         *

         * X86_32 (I386), ARM, ARM64: CLONE_BACKWARDS

         * X86_64 (seems to include X32): no define

         *

         * CLONE_BACKWARDS means the final two arguments are tls /

         * child_tidptr.

         *

         * no define means the final two arguments are child_tidptr / tls.

         */


        if (const auto abi = this->abi(); abi == ABI::X86_64 || abi == ABI::X32) {

                maybe_add_settid_par(3);

                maybe_add_settls_par(4);

        } else if (abi == ABI::AARCH64 || abi == ABI::I386) {

                maybe_add_settls_par(3);

                maybe_add_settid_par(4);

        }


        return m_pars.size() > 2;

}


void Clone3SystemCall::updateFDTracking(const Tracee &proc) {

        const auto args = cl_args.args();


        if (!args) {

                return;

        } else if (args->flags()[cosmos::CloneFlag::PIDFD]) {

                FDInfo info{FDInfo::Type::PID_FD, cl_args.pidfd()};

                trackFD(proc, std::move(info));

        }

}


} // end ns

clues::SystemCall::abi
ABI abi() const
Returns the system call ABi seen during system call entry.
Definition SystemCall.hxx:110

clues::SystemCall::m_pars
ParameterVector m_pars
The array of system call parameters, if any.
Definition SystemCall.hxx:226

clues::Tracee
Base class for traced processes.
Definition Tracee.hxx:39

clues::item::GenericPointerValue
Definition items.hxx:124

clues::item::PointerToScalar
A pointer to an integral data type which will be filled in by the kernel.
Definition items.hxx:209

clues::item::SuccessResult
An always-success return value.
Definition error.hxx:15

clues
Definition AutoAttachedTracee.cxx:12

clues::ItemType::RETVAL
@ RETVAL
A system call return value.
Definition SystemCallItem.hxx:25

clues::ABI::X32
@ X32
X86_64 with 32-bit pointers.
Definition types.hxx:66

clues::Clone3SystemCall::cl_args
item::CloneArgs cl_args
Combined clone arguments.
Definition process.hxx:132

clues::Clone3SystemCall::updateFDTracking
void updateFDTracking(const Tracee &proc) override
Update file descriptor tracking.
Definition process.cxx:136

clues::CloneSystemCall::tls
std::optional< item::GenericPointerValue > tls
Thread-local-storage data for the new child.
Definition process.hxx:107

clues::CloneSystemCall::pidfd
std::optional< item::PointerToScalar< cosmos::FileNum > > pidfd
PID file descriptor referring to the new child.
Definition process.hxx:89

clues::CloneSystemCall::child_tid
std::optional< item::GenericPointerValue > child_tid
TID of the new child written out to a pid_* in the child.
Definition process.hxx:99

clues::CloneSystemCall::prepareNewSystemCall
void prepareNewSystemCall() override
Perform any necessary actions before processing a new system call entry event.
Definition process.cxx:53

clues::CloneSystemCall::parent_tid
std::optional< item::PointerToScalar< cosmos::ProcessID > > parent_tid
TID of the new child written out to a pid_t* in the parent.
Definition process.hxx:84

clues::CloneSystemCall::check2ndPass
bool check2ndPass(const Tracee &) override
Check whether a second pass needs to be made processing parameters.
Definition process.cxx:64

clues::FDInfo
Contextual information about a file descriptor in a Tracee.
Definition types.hxx:75

clues::FDInfo::Type::PID_FD
@ PID_FD
created by pidfd_open(), clone(), ...
Definition types.hxx:96