Hi.

Mac OS X has a PT_DENY_ATTACH argument to ptrace(2) which does what it says on the tin:

PT_DENY_ATTACH This request is the other operation used by the traced process; it allows a process that is not currently being traced to deny future traces by its parent. All other arguments are ignored. If the process is currently being traced, it will exit with the exit status of ENOTSUP; otherwise, it sets a flag that denies future traces. An attempt by the parent to trace a process which has set this flag will result in a segmentation violation in the parent

Any reason not to use it in platform_disable_tracing()?

diff --git a/configure.ac b/configure.ac index f5e1378..88c4633 100644 --- a/configure.ac +++ b/configure.ac @@ -405,6 +405,7 @@ AC_CHECK_HEADERS([ \ sys/poll.h \ sys/prctl.h \ sys/pstat.h \ + sys/ptrace.h \ sys/select.h \ sys/stat.h \ sys/stream.h \ diff --git a/platform-tracing.c b/platform-tracing.c index 81020e7..4c80a28 100644 --- a/platform-tracing.c +++ b/platform-tracing.c @@ -20,6 +20,9 @@ #if defined(HAVE_SYS_PRCTL_H) #include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */ #endif +#ifdef HAVE_SYS_PTRACE_H +#include <sys/ptrace.h> +#endif #ifdef HAVE_PRIV_H #include <priv.h> /* For setpflags() and __PROC_PROTECT */ #endif @@ -40,4 +43,9 @@ platform_disable_tracing(int strict) if (setpflags(__PROC_PROTECT, 1) != 0 && strict) fatal("unable to make the process untraceable"); #endif +#ifdef PT_DENY_ATTACH + /* Mac OS X */ + if (ptrace(PT_DENY_ATTACH, 0, 0, 0) == -1 && strict) + fatal("unable to set PT_DENY_ATTACH"); +#endif }

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
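
Review bot: In the platform-tracing.c hunk at @@ -20,6 +20,9 @@, the new #include <sys/ptrace.h> has no trailing comment, while both neighbouring includes say what they are pulled in for ("For prctl() and PR_SET_DUMPABLE", "For setpflags() and __PROC_PROTECT"). Suggest adding a matching comment such as "For ptrace() and PT_DENY_ATTACH" so the reason for the header stays visible next to its HAVE_SYS_PTRACE_H guard.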
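
Review bot: In the platform_disable_tracing() hunk at @@ -40,4 +43,9 @@, the strict argument does not cover the already-traced case. According to the man page text quoted in the message, a process that is currently being traced exits with status ENOTSUP when it issues PT_DENY_ATTACH, so the "== -1 && strict" test is never reached there and a non-strict caller still loses the process when it is started under a debugger. That behaviour should be stated in the comment beside "Mac OS X", or the call should be made only when strict is set if non-strict callers are expected to survive being traced. The block is also guarded by #ifdef PT_DENY_ATTACH alone, so it compiles on any platform whose headers define that macro; the comment should either say so or the guard should be narrowed to match it.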