Commit f701e5b7 authored by Vladimir Zapolskiy's avatar Vladimir Zapolskiy Committed by Oleg Nesterov

connector: add an event for monitoring process tracers

This change adds a procfs connector event, which is emitted on every
successful process tracer attach or detach.

If some process connects to other one, kernelspace connector reports
process id and thread group id of both these involved processes. On
disconnection null process id is returned.

Such an event allows to create a simple automated userspace mechanism
to be aware about processes connecting to others, therefore predefined
process policies can be applied to them if needed.

Note that a detach signal is emitted only if a tracer process
explicitly executes a PTRACE_DETACH request. In other cases, such as
tracee or tracer exit, no detach event is reported by the proc connector.
Signed-off-by: default avatarVladimir Zapolskiy <vzapolskiy@gmail.com>
Acked-by: default avatarEvgeniy Polyakov <zbr@ioremap.net>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
parent d184d6eb
...@@ -28,6 +28,7 @@ ...@@ -28,6 +28,7 @@
#include <linux/init.h> #include <linux/init.h>
#include <linux/connector.h> #include <linux/connector.h>
#include <linux/gfp.h> #include <linux/gfp.h>
#include <linux/ptrace.h>
#include <asm/atomic.h> #include <asm/atomic.h>
#include <asm/unaligned.h> #include <asm/unaligned.h>
...@@ -166,6 +167,40 @@ void proc_sid_connector(struct task_struct *task) ...@@ -166,6 +167,40 @@ void proc_sid_connector(struct task_struct *task)
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
} }
void proc_ptrace_connector(struct task_struct *task, int ptrace_id)
{
struct cn_msg *msg;
struct proc_event *ev;
struct timespec ts;
__u8 buffer[CN_PROC_MSG_SIZE];
struct task_struct *tracer;
if (atomic_read(&proc_event_num_listeners) < 1)
return;
msg = (struct cn_msg *)buffer;
ev = (struct proc_event *)msg->data;
get_seq(&msg->seq, &ev->cpu);
ktime_get_ts(&ts); /* get high res monotonic timestamp */
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
ev->what = PROC_EVENT_PTRACE;
ev->event_data.ptrace.process_pid = task->pid;
ev->event_data.ptrace.process_tgid = task->tgid;
if (ptrace_id == PTRACE_ATTACH) {
ev->event_data.ptrace.tracer_pid = current->pid;
ev->event_data.ptrace.tracer_tgid = current->tgid;
} else if (ptrace_id == PTRACE_DETACH) {
ev->event_data.ptrace.tracer_pid = 0;
ev->event_data.ptrace.tracer_tgid = 0;
} else
return;
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
msg->ack = 0; /* not used */
msg->len = sizeof(*ev);
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
}
void proc_exit_connector(struct task_struct *task) void proc_exit_connector(struct task_struct *task)
{ {
struct cn_msg *msg; struct cn_msg *msg;
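Review bot: `buffer` in proc_ptrace_connector is an uninitialised stack array, yet `msg->len = sizeof(*ev)` hands the whole proc_event to cn_netlink_send. Any byte the function does not assign would then reach listeners as stale kernel stack contents: union space beyond the four ptrace pids, padding, and any cn_msg field other than id, seq, ack and len. Zeroing the buffer before it is filled, e.g. `memset(buffer, 0, sizeof(buffer));` ahead of `get_seq()`, closes that. Separately, the `else return;` branch runs after `get_seq()` has been called; if get_seq advances a sequence counter (its body is not shown here), an unsupported ptrace_id would leave a gap that listeners could read as a lost event, so the ptrace_id check belongs before it.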
......
...@@ -53,6 +53,7 @@ struct proc_event { ...@@ -53,6 +53,7 @@ struct proc_event {
PROC_EVENT_UID = 0x00000004, PROC_EVENT_UID = 0x00000004,
PROC_EVENT_GID = 0x00000040, PROC_EVENT_GID = 0x00000040,
PROC_EVENT_SID = 0x00000080, PROC_EVENT_SID = 0x00000080,
PROC_EVENT_PTRACE = 0x00000100,
/* "next" should be 0x00000400 */ /* "next" should be 0x00000400 */
/* "last" is the last process event: exit */ /* "last" is the last process event: exit */
PROC_EVENT_EXIT = 0x80000000 PROC_EVENT_EXIT = 0x80000000
...@@ -95,6 +96,13 @@ struct proc_event { ...@@ -95,6 +96,13 @@ struct proc_event {
__kernel_pid_t process_tgid; __kernel_pid_t process_tgid;
} sid; } sid;
struct ptrace_proc_event {
__kernel_pid_t process_pid;
__kernel_pid_t process_tgid;
__kernel_pid_t tracer_pid;
__kernel_pid_t tracer_tgid;
} ptrace;
struct exit_proc_event { struct exit_proc_event {
__kernel_pid_t process_pid; __kernel_pid_t process_pid;
__kernel_pid_t process_tgid; __kernel_pid_t process_tgid;
...@@ -109,6 +117,7 @@ void proc_fork_connector(struct task_struct *task); ...@@ -109,6 +117,7 @@ void proc_fork_connector(struct task_struct *task);
void proc_exec_connector(struct task_struct *task); void proc_exec_connector(struct task_struct *task);
void proc_id_connector(struct task_struct *task, int which_id); void proc_id_connector(struct task_struct *task, int which_id);
void proc_sid_connector(struct task_struct *task); void proc_sid_connector(struct task_struct *task);
void proc_ptrace_connector(struct task_struct *task, int which_id);
void proc_exit_connector(struct task_struct *task); void proc_exit_connector(struct task_struct *task);
#else #else
static inline void proc_fork_connector(struct task_struct *task) static inline void proc_fork_connector(struct task_struct *task)
...@@ -124,6 +133,10 @@ static inline void proc_id_connector(struct task_struct *task, ...@@ -124,6 +133,10 @@ static inline void proc_id_connector(struct task_struct *task,
static inline void proc_sid_connector(struct task_struct *task) static inline void proc_sid_connector(struct task_struct *task)
{} {}
static inline void proc_ptrace_connector(struct task_struct *task,
int ptrace_id)
{}
static inline void proc_exit_connector(struct task_struct *task) static inline void proc_exit_connector(struct task_struct *task)
{} {}
#endif /* CONFIG_PROC_EVENTS */ #endif /* CONFIG_PROC_EVENTS */
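Review bot: The new prototype names its second parameter `which_id`, apparently copied from proc_id_connector just above, while the !CONFIG_PROC_EVENTS stub and the definition use `ptrace_id`; the declaration should read `void proc_ptrace_connector(struct task_struct *task, int ptrace_id);`. The context comment `/* "next" should be 0x00000400 */` is left unchanged after PROC_EVENT_PTRACE takes 0x00000100, so from what is visible it does not point at the next free bit and is worth correcting in the same change. Since the commit message says userspace listeners consume this event, a short comment on struct ptrace_proc_event stating that tracer_pid and tracer_tgid are 0 on detach would document the contract where consumers look for it.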
......
...@@ -23,6 +23,7 @@ ...@@ -23,6 +23,7 @@
#include <linux/uaccess.h> #include <linux/uaccess.h>
#include <linux/regset.h> #include <linux/regset.h>
#include <linux/hw_breakpoint.h> #include <linux/hw_breakpoint.h>
#include <linux/cn_proc.h>
static int ptrace_trapping_sleep_fn(void *flags) static int ptrace_trapping_sleep_fn(void *flags)
...@@ -305,9 +306,12 @@ static int ptrace_attach(struct task_struct *task, long request, ...@@ -305,9 +306,12 @@ static int ptrace_attach(struct task_struct *task, long request,
unlock_creds: unlock_creds:
mutex_unlock(&task->signal->cred_guard_mutex); mutex_unlock(&task->signal->cred_guard_mutex);
out: out:
if (!retval) if (!retval) {
wait_on_bit(&task->jobctl, JOBCTL_TRAPPING_BIT, wait_on_bit(&task->jobctl, JOBCTL_TRAPPING_BIT,
ptrace_trapping_sleep_fn, TASK_UNINTERRUPTIBLE); ptrace_trapping_sleep_fn, TASK_UNINTERRUPTIBLE);
proc_ptrace_connector(task, PTRACE_ATTACH);
}
return retval; return retval;
} }
...@@ -415,6 +419,7 @@ static int ptrace_detach(struct task_struct *child, unsigned int data) ...@@ -415,6 +419,7 @@ static int ptrace_detach(struct task_struct *child, unsigned int data)
} }
write_unlock_irq(&tasklist_lock); write_unlock_irq(&tasklist_lock);
proc_ptrace_connector(child, PTRACE_DETACH);
if (unlikely(dead)) if (unlikely(dead))
release_task(child); release_task(child);
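Review bot: The event is raised only from ptrace_attach() and ptrace_detach(), so a trace relationship set up any other way produces no connector event; one example is a tracee asking to be traced via PTRACE_TRACEME, which does not appear to pass through ptrace_attach. The commit message covers the missing detach event on tracer or tracee exit, but the attach-side gap matters just as much to a userspace monitor that applies policy from these events. It should either be hooked as well or stated at the call site, e.g. `/* PTRACE_TRACEME and implicit detach on exit are not reported */`. ptrace_attach() also receives `request` but always reports `PTRACE_ATTACH`; if other request values can reach this path, listeners cannot tell them apart. Both functions start outside the visible hunks.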
......