Re: Am I traced?

To: Kamil Rytarowski <n54%gmx.com@localhost>, Netbsd-Users-List <netbsd-users%NetBSD.org@localhost>
Subject: Re: Am I traced?
From: Eric Haszlakiewicz <erh%nimenees.com@localhost>
Date: Thu, 14 Apr 2016 22:09:56 -0400


On 4/11/2016 11:52 PM, Kamil Rytarowski wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm trying to write a check whether I am a traced process.

Is the following code correct:

#define _KMEMUSER
#include <sys/cdefs.h>
#include <sys/param.h>
#include <sys/sysctl.h>
#include <stdio.h>
#include <unistd.h>
#include <kvm.h>
#include <err.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
     int traced = -1;
     kvm_t *kd;
     int cnt;

     struct kinfo_proc *info;
     size_t size = sizeof(info);

     kd = kvm_open(NULL, NULL, NULL, KVM_NO_FILES, "kvm_open");
     if (kd == NULL)
         err(EXIT_FAILURE, "kvm_open");

     info = kvm_getprocs(kd, KERN_PROC_PID, getpid(), &cnt);
     if (info == NULL)
         err(EXIT_FAILURE, "kvm_getprocs");

     traced = info->kp_proc.p_flag & P_TRACED;

I don't think this will work using kvm_getprocs(), because many of theflags that you might expect to be in p_flag are actually in other fieldsof struct proc, such as p_slflag. If I change your code to do:

   traced = info->kp_proc.p_slflag & PSL_TRACED;

it seems to work roughly as expected. Alternately, I believe you couldswitch to using kvm_getproc2(), as there is code (in fill_kproc2() inkern_proc.c) which translates the various P*_<foo> flags into P_<foo>flags and places them in the p_flag field.For example, if I print out all the flags, and run your program throughgdb, I get:

p_flag=0x4000
p_sflag=0x10000000
p_slflag=0x801
p_lflag=0x2
p_stflag=0x0
traced=2048

Decoded, that's:
p_flag=PK_EXEC
p_sflag=PS_NOTIFYSTOP
p_slflag=PSL_TRACED|PSL_TRACEFORK
p_lflag=PL_CONTROLT
p_stflag=0
traced=Yes

     kvm_close(kd);

     printf("traced=%d\n", traced);

     return 0;
}

I'm getting weird results for info->kp_proc.p_flag indicating that I
was timeouted during sleep.

eh? What value in p_flag would indicate a timeout? Oh, perhaps you'relooking at the ps man page, which refers to P_TIMEDOUT with value 0x400,but /usr/include/sys/sysctl.h has P_SA (aka L_SA) with that value.As far as I can tell, P_TIMEDOUT is not actually defined anywhere, andP_SA/L_SA are not actually used within the kernel anymore and haven'tbeen since before netbsd-5.


Eric

Follow-Ups:
- Re: Am I traced?
  - From: Kamil Rytarowski

References:
- Am I traced?
  - From: Kamil Rytarowski

Prev by Date: Re: NPF - npfctl_config_send: Invalid argument
Next by Date: OSS audio results in noise (when playing bass-heavy music)
Previous by Thread: Am I traced?
Next by Thread: Re: Am I traced?
Indexes:

Home | Main Index | Thread Index | Old Index