On Fri, Feb 06, 2015 at 05:07:41PM -0800, Kees Cook wrote:
> On Fri, Feb 6, 2015 at 3:17 PM, Dmitry V. Levin <ldv@xxxxxxxxxxxx> wrote:
> > On Fri, Feb 06, 2015 at 12:07:03PM -0800, Kees Cook wrote:
> >> On Fri, Feb 6, 2015 at 11:32 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> >> > On Fri, Feb 6, 2015 at 11:23 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> > [...]
> >> >> And an unrelated thought:
> >> >>
> >> >> 3) Can't we find some way to fix the inability of a ptracer to
> >> >> distinguish between syscall-enter-stop and syscall-exit-stop?
> >> >
> >> > Couldn't we add PTRACE_O_TRACESYSENTRY and PTRACE_O_TRACESYSEXIT along
> >> > the lines of PTRACE_O_TRACESYSGOOD?
> >>
> >> That might be a nice idea. I haven't written a test to see, but what
> >> does PTRACE_GETEVENTMSG return on syscall-enter/exit-stop?
> >
> > The value returned by PTRACE_GETEVENTMSG is the value set along with the
> > latest PTRACE_EVENT_*.
> > In case of syscall-enter/exit-stop (which is not a PTRACE_EVENT_*),
> > there is no particular value set for PTRACE_GETEVENTMSG.
>
> Could we define one to help distinguish?

I suppose we could define one, but performing an extra PTRACE_GETEVENTMSG for every syscall-stop may be too expensive.

For example, strace makes about 4.5 syscalls per syscall-stop. The minimum is 4 syscalls: wait4, PTRACE_GETREGSET, write, and PTRACE_SYSCALL; processing some syscall-stops may require additional process_vm_readv calls. That is, forcing strace to make an extra PTRACE_GETEVENTMSG per syscall-stop would result in about 20% more syscalls per syscall-stop, which is a noticeable cost.

A better alternative is to define an event that wouldn't require this extra PTRACE_GETEVENTMSG per syscall-stop. For example, it could be a PTRACE_EVENT_SYSCALL_ENTRY and/or PTRACE_EVENT_SYSCALL_EXIT. In practice, adding just one of these two events would be enough to distinguish the two kinds of syscall-stops. Adding two events would look less surprising, though.

If the decision is to add both events, I'd recommend adding just one new option to cover both events - there is room only for 32 different PTRACE_O_* options.

--
ldv
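The bookkeeping this thread is about, as an added example (not code from the thread or from strace): a minimal Linux tracer that enables PTRACE_O_TRACESYSGOOD and labels each syscall-stop as entry or exit with a per-tracee toggle, because the kernel reports both stops identically. The tracee struct, classify_stop and the usage of "true" as a target are this example's own assumptions; classify_stop is kept pure so it can be checked against constructed wait statuses.

```c
/* Added example, not from the thread. A ptracer cannot ask the kernel which
 * side of a syscall a syscall-stop is on, so it flips a per-tracee flag on
 * every SIGTRAP|0x80. The flag desyncs if the tracer attaches to a process
 * already inside a syscall, which is the gap the thread discusses. */
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

enum stop_kind { STOP_NONE, STOP_SYSCALL_ENTRY, STOP_SYSCALL_EXIT, STOP_EVENT, STOP_SIGNAL };
struct tracee { pid_t pid; int in_syscall; };   /* hypothetical per-tracee state */

/* Classify a wait status from a tracee traced with PTRACE_O_TRACESYSGOOD. */
enum stop_kind classify_stop(struct tracee *t, int status)
{
    if (!WIFSTOPPED(status)) return STOP_NONE;   /* exited or signalled: no stop */
    int sig = WSTOPSIG(status);
    if (sig == (SIGTRAP | 0x80)) {               /* syscall-stop; side unknown to the kernel API */
        t->in_syscall = !t->in_syscall;
        return t->in_syscall ? STOP_SYSCALL_ENTRY : STOP_SYSCALL_EXIT;
    }
    if (sig == SIGTRAP && (status >> 16) != 0) return STOP_EVENT; /* PTRACE_EVENT_* in bits 16..23 */
    return STOP_SIGNAL;                          /* signal-delivery-stop */
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args...]\n", argv[0]); return 2; }
    pid_t pid = fork();
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, 0, 0);
        raise(SIGSTOP);                          /* let the parent set options before exec */
        execvp(argv[1], argv + 1);
        _exit(127);
    }
    struct tracee t = { pid, 0 };
    int status, inject = 0, entries = 0, exits = 0;
    waitpid(pid, &status, 0);                    /* the SIGSTOP raised above */
    ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)(long)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, 0, (void *)(long)inject) == 0
           && waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        inject = 0;
        switch (classify_stop(&t, status)) {
        case STOP_SYSCALL_ENTRY: entries++; break;
        case STOP_SYSCALL_EXIT:  exits++;   break;
        case STOP_SIGNAL: if (WSTOPSIG(status) != SIGTRAP) inject = WSTOPSIG(status); break;
        default: break;                          /* PTRACE_EVENT_* would need PTRACE_GETEVENTMSG */
        }
    }
    printf("%d syscall-enter-stops, %d syscall-exit-stops\n", entries, exits);
    return 0;
}
```

Run as `./tracer true` to see matching entry and exit counts; the legacy post-exec SIGTRAP is deliberately not re-injected.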