19#include <linux/audit.h>
20#include <sys/ptrace.h>
21#include <linux/ptrace.h>
24#include <cosmos/BitMask.hxx>
25#include <cosmos/dso_export.h>
26#include <cosmos/memory.hxx>
27#include <cosmos/proc/types.hxx>
29namespace cosmos::ptrace {
32enum class Opt : intptr_t {
60 VFORK = PTRACE_EVENT_VFORK,
62 FORK = PTRACE_EVENT_FORK,
64 CLONE = PTRACE_EVENT_CLONE,
68 EXEC = PTRACE_EVENT_EXEC,
70 EXIT = PTRACE_EVENT_EXIT,
72 STOP = PTRACE_EVENT_STOP,
79 GENERAL_PURPOSE = NT_PRSTATUS,
80 FLOATING_POINT = NT_FPREGSET
136#ifdef PTRACE_SET_SYSCALL
137 SET_SYSCALL = PTRACE_SET_SYSCALL,
141 SYSEMU = PTRACE_SYSEMU,
143 SYSEMU_SINGLESTEP = PTRACE_SYSEMU_SINGLESTEP,
150 INTERRUPT = PTRACE_INTERRUPT,
154 SEIZE = PTRACE_SEIZE,
161#if PTRACE_SET_THREAD_AREA
163 SET_THREAD_AREA = PTRACE_SET_THREAD_AREA,
175 X86_64 = AUDIT_ARCH_X86_64,
176 I386 = AUDIT_ARCH_I386
185 ENTRY = PTRACE_SYSCALL_INFO_ENTRY,
186 EXIT = PTRACE_SYSCALL_INFO_EXIT,
187 SECCOMP = PTRACE_SYSCALL_INFO_SECCOMP,
188 NONE = PTRACE_SYSCALL_INFO_NONE
191 using EntryInfo =
decltype(ptrace_syscall_info::entry);
192 using ExitInfo =
decltype(ptrace_syscall_info::exit);
193 using SeccompInfo =
decltype(ptrace_syscall_info::seccomp);
198 return Type{m_info.op};
203 return Arch{m_info.arch};
208 return m_info.instruction_pointer;
213 return m_info.stack_pointer;
218 return type() ==
Type::ENTRY ? std::make_optional(m_info.entry) : std::nullopt;
223 return type() ==
Type::EXIT ? std::make_optional(m_info.exit) : std::nullopt;
228 return type() ==
Type::SECCOMP ? std::make_optional(m_info.seccomp) : std::nullopt;
231 auto raw() {
return &m_info; }
232 auto raw()
const {
return &m_info; }
235 struct ptrace_syscall_info m_info;
264 void setFlags(Flags flags) {
265 m_args.flags = flags.raw();
284 struct ptrace_peeksiginfo_args m_args;
300std::optional<long> COSMOS_API trace(
const ptrace::Request req,
const ProcessID pid,
301 void *addr =
nullptr,
void *data =
nullptr);
315void COSMOS_API traceme();
A typesafe bit mask representation using class enums.
Wrapper around data structure used with ptrace::Request::PEEKSIGINFO.
PeekSigInfo()
Creates an object with default settings.
@ PEEK_SHARED
dump signals from the process-wide queue, otherwise from the per-thread queue.
void setOffset(uint64_t off)
Sets the offset into the queue from which SigInfo structures should be obtained.
void setAmount(int32_t nr)
Sets the maximum amount of SigInfo structures to copy.
@ VFORK
The calling process is suspended until the child calls execve() or _exit(), see vfork(); should not b...
void zero_object(T &obj)
Completely overwrites the given object with zeroes.
Request
Basic requests that can be passed to the ptrace() system call.
@ SEIZE
Like ATTACH but does not stop the process.
@ PEEKTEXT
Read a word at a given offset of the tracee's TEXT data (the same as PEEKDATA on Linux).
@ GETREGS
Copy the tracee's general-purpose registers to the given address in the tracer.
@ GETSIGINFO
Retrieve information about the signal that cause the tracee to stop. Copies a siginfo_t structure.
@ DETACH
Restart the stopped tracee, but first detach from it.
@ SETFPREGS
Modify the tracee's floating-point registers.
@ PEEKUSER
Read a word at a given offset of the tracee's USER data (holds registers and other metadata).
@ SETSIGINFO
Modify the tracee's signal information (used when the tracer catched a signal that would normally be ...
@ SYSCALL
Restart the stopped tracee like CONT, but arrange for the tracee to be stopped at entry/exit to/from ...
@ POKEUSER
Write a word at the given offset into the tracee's USER data.
@ GETSIGMASK
Retrieves a copy of the mask of blocked signals from the tracee.
@ PEEKDATA
Read a word at a given address of the tracee's memory.
@ GETREGSET
Reg the tracee's registers in an architecture dependent way.
@ GETEVENTMSG
Retrieve a message (unsigned long) about the ptrace event that just happened.
@ SETREGSET
Modify the tracee's registers, analogous to GETREGSET.
@ GET_THREAD_AREA
Performs an operation similar to get_thread_area().
@ SECCOMP_GET_FILTER
Dump the tracee's classic BPF filters.
@ SETOPTIONS
Set ptrace options (see ptrace::Opts)
@ POKEDATA
Write a word at the given address into the tracee's memory.
@ ATTACH
Attach to the specified process, making it a tracee of the caller.
@ SETREGS
Modify the tracee's general-purpose registers (not available on all architectures).
@ LISTEN
Restart a stopped tracee, but let it enter a SIGSTOP like state. Works only for SEIZE'd tracees.
@ GET_SYSCALL_INFO
Retrieve information about the system call that cause the stop.
@ SETSIGMASK
Change the tracee's mask of blocked signals.
@ PEEKSIGINFO
Retrieve siginfo_t structures without removing them from the tracee's queue.
@ TRACEME
The tracee asks to be traced by its parent.
@ SINGLESTEP
Like SYSCALL, but arrange for the tracee to be stopped after a single instruction.
@ GETFPREGS
Copy the tracee's floating-point registers to the given address in the tracer.
RegisterType
Different types of register sets that can be read from a tracee via Request::GETREGSET.
Event
Different events that can occur in a tracee leading to ptrace-event-stop.
@ SECCOMP
Stop triggered by a seccomp rule on tracee syscall entry.
@ EXIT
exit() is upcoming.
@ FORK
fork() (or clone with SIGCHLD as exit signal) is upcoming.
@ CLONE
clone() is upcoming.
@ VFORK_DONE
vfork() (or clone() with VFORK flag) was finished but not yet returned.
Opt
Different options which can be set for a tracee.
@ TRACEVFORKDONE
Stop tracee at completion of vfork(2).
@ TRACEFORK
Stop on fork(2) and automatically trace the newly forked process.
@ TRACEVFORK
Stop on vfork(2) and automatically trace the newly forked proc.
@ TRACECLONE
Stop on clone(2) and automatically trace the newly cloned process.
@ TRACESECCOMP
Stop when a SECCOMP_RET_TRACE rule is triggered.
@ TRACEEXIT
Stop the tracee at when it exits.
@ TRACEEXEC
Stop on execve(2).
@ TRACESYSGOOD
For better detection of system-call-stops, sets bit 7 in the si_code field (WSTOPSIG() == SIGTRAP|0x8...
@ EXITKILL
When the tracer exits, the tracees will be sent SIGKILL.
@ SUSPENDSECCOMP
Suspends the tracee's seccomp protections.
Arch
System call ABI architecture.
Wrapper around data structure used with ptrace::Request::GET_SYSCALL_INFO.
uint64_t stackPtr() const
Returns the CPU stack pointer value.
Type
Type of the system call information provided.
@ SECCOMP
ptrace-event-stop for ptrace::Event::SECCOMP.
@ ENTRY
system-call-entry stop.
@ EXIT
system-call-exit-stop.
@ NONE
no meaningful information placed into struct.
Arch arch() const
Returns the system call ABI in effect for the current system call.
std::optional< ExitInfo > exitInfo() const
If available return the syscall-exit-stop information from the struct.
uint64_t instructionPtr() const
Returns the CPU instruction pointer value.
std::optional< SeccompInfo > seccompInfo() const
If available return the ptrace-event seccomp info from the struct.
std::optional< EntryInfo > entryInfo() const
If available return the syscall-entry-stop information from the struct.
1.12.0