Hello,

I have a requirement to catch a specific signal hitting a specific process and to send it a SIGSTOP before that signal arrives. This is so that the process can then be attached with ptrace(), but without the necessity of ptrace()ing the process continuously beforehand (due to performance and stability reasons).

I thought this might be possible with an eBPF program attached to a tracepoint. I attached a program to the signal/signal_deliver tracepoint and used bpf_send_signal() to send the SIGSTOP but it didn't stop the process. If I sent SIGTERM or SIGHUP instead it worked as expected, just not SIGSTOP or SIGTSTP. Sending a SIGSTOP prior to another signal (e.g. SIGSEGV) works from userland - the process stops and the other signal is queued.

I'm guessing that the reason is that bpf_send_signal() adds the (non-state transitioning) signal to the process signal queue, ignoring SIGSTOP, SIGTSTP, SIGKILL, SIGCONT, but doesn't change the state of processes.

Can anyone confirm if that is correct or if there's another possible reason that bpf_send_signal seems to fail to send a SIGSTOP? If so, is this documented anywhere? Is there another way to do this with eBPF?

Many thanks

Kev

--
Kevin Sheldrake
Microsoft Threat Intelligence Centre
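
The userland behaviour the message describes (SIGSTOP sent first, the second signal held pending until the process is continued), as an added example that is not part of the original post. The helper name `stop_then_signal` and the forked child standing in for the target process are assumptions; the parent waits for the stop to take effect before sending the second signal.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Stop a child with SIGSTOP, then send `sig` (hypothetical helper name).
 * Returns the signal that finally terminated the child after SIGCONT,
 * or -1 if the child did not stay stopped with `sig` held pending. */
int stop_then_signal(int sig)
{
    int ready[2], status;
    char b = 0;
    struct timespec settle = { 0, 100 * 1000 * 1000 };   /* 100 ms */
    if (pipe(ready) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child: constructed stand-in target */
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core);  /* keep the demo from dumping core */
        if (write(ready[1], &b, 1) != 1) _exit(1);
        for (;;) pause();
    }
    close(ready[1]);
    if (read(ready[0], &b, 1) != 1) return -1;   /* wait until child is set up */
    close(ready[0]);

    kill(pid, SIGSTOP);
    /* Block until the stop has actually taken effect. */
    if (waitpid(pid, &status, WUNTRACED) != pid || !WIFSTOPPED(status)) return -1;

    kill(pid, sig);                        /* stays pending while the child is stopped */
    nanosleep(&settle, NULL);
    /* No state change reported: the child is still alive and still stopped. */
    if (waitpid(pid, &status, WNOHANG | WUNTRACED) != 0) return -1;

    /* A debugger could ptrace-attach at this point; here the child is just resumed. */
    kill(pid, SIGCONT);
    if (waitpid(pid, &status, 0) != pid || !WIFSIGNALED(status)) return -1;
    return WTERMSIG(status);
}

int main(void)
{
    printf("terminated by signal %d after SIGCONT\n", stop_then_signal(SIGSEGV));
    return 0;
}
```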