
I know the behavior when the tracee calls ptrace(TRACEME), but what about the PTRACE_ATTACH behavior? Here is my guess:

  1. The tracer sends SIGSTOP to the tracee; the tracee's SIGSTOP-handler function marks itself as TRACED (but how? how does it know it is being traced?), then sends SIGTRAP to itself; the SIGTRAP handler sends SIGCHLD to the tracer, then pauses itself. OR
  2. The tracer sends SIGSTOP to the tracee; the tracee's SIGSTOP-handler function marks itself as TRACED (again, how?), then sends SIGCHLD to the tracer and pauses itself.
Peter Cordes
Ryan Gao

1 Answer

the tracee SIGSTOP-handler function mark self as TRACED

No, the tracee doesn't have to do anything. ptrace works on processes that haven't installed any signal handlers, so SIGSTOP just does the default action of suspending the process.

A process being marked as traced by another is something that the kernel keeps track of, totally separate from delivering signals to the tracee. The relevant kernel code is likely part of the implementation of the ptrace system call itself.

(At least that's my limited understanding just from the man page and thinking about what would make sense for a design. Note that PTRACE_SEIZE exists which attaches without stopping a process.)

Peter Cordes
  • As far as I know, the default kernel signal handling has ptrace-related code. For instance, the SIGTRAP handler may look like this: `int do_signal(struct pt_regs *regs, sigset_t *oldset) { ... if ((current->ptrace & PT_PTRACED) && signr != SIGKILL) { current->exit_code = signr; current->state = TASK_STOPPED; notify_parent(current, SIGCHLD); schedule(); ... } }` – Ryan Gao Nov 04 '21 at 14:03
  • Aha, maybe I get it now. I confused the term "signal handler": SIGTRAP and SIGSTOP go through the same kernel path, such as do_signal. – Ryan Gao Nov 04 '21 at 14:18
  • @protoss: "Signal handler" has a specific meaning: user-space code that has been registered with `sigaction(2)` for the kernel to invoke as part of delivering a signal. But you're talking about kernel code that implements the default action for processes that *don't* have a signal handler installed. (Or the kernel's signal-delivery code that notifies the parent when a tracee receives a signal, whether it takes the default action or has a handler.) – Peter Cordes Nov 04 '21 at 20:30
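The following is an added example, not code from the question, the answer or the comments. It shows the behavior the answer describes from the tracer's side: a child that installs no signal handlers at all is attached to with PTRACE_ATTACH, the resulting stop is reported to the tracer through waitpid() as a SIGSTOP stop, and a later signal sent to the tracee (SIGUSR1, whose default action would terminate it) is reported to the tracer at a signal-delivery-stop before the tracee ever acts on it. All the tracing bookkeeping lives in the kernel; the tracee runs no code of its own for any of it. The function and struct names (`run_attach_demo`, `attach_result`, the `demo_*` accessors) are assumptions of this example. Linux only; it needs permission to ptrace a child (Yama `ptrace_scope` 0 or 1 is enough, since the tracer is the parent).

```c
// Added example: observe what the kernel does on PTRACE_ATTACH and on a
// subsequent signal to a traced process. Not code from the original post.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct attach_result {
    int attach_stop_sig;  // signal reported by waitpid() right after PTRACE_ATTACH
    int delivered_sig;    // signal reported at the first signal-delivery-stop
    int err;              // errno of the first failing call, 0 on success
};

// Fork a plain child (no sigaction() calls), attach to it, observe the
// stops the kernel reports, then detach and reap it.
struct attach_result run_attach_demo(void)
{
    struct attach_result r = {0, 0, 0};
    int status;
    pid_t child = fork();
    if (child < 0) { r.err = errno; return r; }
    if (child == 0) {
        // Tracee: installs no handlers and just idles. Every signal it
        // receives takes the kernel's default action.
        for (;;) pause();
    }

    // 1. PTRACE_ATTACH makes the kernel send SIGSTOP to the tracee. The
    //    tracee enters a stop and the tracer is told about it via waitpid().
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == -1) { r.err = errno; goto cleanup; }
    if (waitpid(child, &status, 0) == -1) { r.err = errno; goto cleanup; }
    if (WIFSTOPPED(status)) r.attach_stop_sig = WSTOPSIG(status);

    // 2. Resume the tracee, then send it SIGUSR1. Because the task is marked
    //    as traced, the kernel stops it and reports the signal to the tracer
    //    instead of delivering it (the default action would terminate it).
    if (ptrace(PTRACE_CONT, child, NULL, (void *)0) == -1) { r.err = errno; goto cleanup; }
    if (kill(child, SIGUSR1) == -1) { r.err = errno; goto cleanup; }
    if (waitpid(child, &status, 0) == -1) { r.err = errno; goto cleanup; }
    if (WIFSTOPPED(status)) r.delivered_sig = WSTOPSIG(status);

    // 3. Detach with signal 0: the pending SIGUSR1 is discarded and the
    //    tracee keeps running, which it could not have survived untraced.
    ptrace(PTRACE_DETACH, child, NULL, (void *)0);

cleanup:
    kill(child, SIGKILL);
    waitpid(child, &status, 0);
    return r;
}

// Run the demo once and cache the outcome so each accessor is cheap.
static struct attach_result cached_result;
static int cached_valid;

static struct attach_result demo(void)
{
    if (!cached_valid) { cached_result = run_attach_demo(); cached_valid = 1; }
    return cached_result;
}

int demo_error(void)                 { return demo().err; }
int demo_attach_stop_signal(void)    { return demo().attach_stop_sig; }
int demo_first_delivered_signal(void){ return demo().delivered_sig; }

int main(void)
{
    if (demo_error()) {
        fprintf(stderr, "ptrace demo failed: %s\n", strerror(demo_error()));
        return 1;
    }
    printf("stop reported after PTRACE_ATTACH: %s\n", strsignal(demo_attach_stop_signal()));
    printf("first signal-delivery-stop:        %s\n", strsignal(demo_first_delivered_signal()));
    return 0;
}
```

Build with `cc -o attach_demo attach_demo.c` and run it as an ordinary user. The first line printed is the SIGSTOP stop caused by the attach; the second is SIGUSR1, seen by the tracer before the tracee, which is exactly the "notify the parent when a tracee receives a signal" path the last comment above refers to. Swapping PTRACE_ATTACH for PTRACE_SEIZE (plus PTRACE_INTERRUPT when a stop is wanted) is how the answer's non-stopping attach is done.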