I thought I was very close to finishing up an application that uses the audit system to perform a task formerly done by a modified version of strace. Alas, one of the programs I had working last October no longer works.
The broken program uses ptrace to add an audit rule for each child process forked by the traced application. It adds the rule before the child runs by handling a SIGTRAP generated as a result of tracing the original child with the PTRACE_O_TRACEFORK option. I tried to follow the changes to kernel/ptrace.c via linuxhq, but I got little from that exercise.

I ended up submitting a bug report here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246330

If there is something else I should be doing, please advise. I notice there are two other ptrace-related bugs reported for Fedora 7. Both have been assigned to Roland McGrath, a primary maintainer of strace. I bet he gets assigned this bug report too. Roland doesn't like the changes I make to strace that allow it to display the security contexts associated with traced objects, so he'll remember me.

One final question. Have there been any other efforts aimed at allowing the audit system to follow forks of traced processes? Alternatives to my ptrace solution would be greatly appreciated at this time.

John
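The fork-following technique the message describes, as an added example that is not part of the original post and is not the author's program: a tracer sets PTRACE_O_TRACEFORK and reaches each new child while it is still stopped, whichever of the parent's fork event or the child's first SIGSTOP is reported first. The names `is_fork_event`, `first_sight`, `on_new_child` and `trace_forks` are assumptions, and the hook only prints where the audit rule would be installed.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
static pid_t known[256];   /* tracees already handled (PID reuse ignored) */
static int nknown;
/* True when a waitpid() status is the SIGTRAP stop that reports a fork. */
int is_fork_event(int status) {
    return WIFSTOPPED(status) && (status >> 8) == (SIGTRAP | (PTRACE_EVENT_FORK << 8));
}
/* Record pid; return 1 the first time it is seen, 0 afterwards. */
int first_sight(pid_t pid) {
    for (int i = 0; i < nknown; i++) if (known[i] == pid) return 0;
    if (nknown < 256) known[nknown++] = pid;
    return 1;
}
/* Hypothetical hook: where the per-child audit rule would be installed. */
static void on_new_child(pid_t child) {
    fprintf(stderr, "child %d has not run yet; add its rule here\n", (int)child);
}
/* Run argv under ptrace; return how many forked children were seen, or -1. */
int trace_forks(char *const argv[]) {
    int status;
    pid_t pid, root = fork();
    if (root < 0) return -1;
    if (root == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                    /* wait for the tracer's options */
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(root, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    nknown = 0;
    first_sight(root);
    if (ptrace(PTRACE_SETOPTIONS, root, NULL, (void *)(long)PTRACE_O_TRACEFORK) < 0) return -1;
    ptrace(PTRACE_CONT, root, NULL, NULL);
    while ((pid = waitpid(-1, &status, __WALL)) > 0) {
        if (!WIFSTOPPED(status)) continue; /* a tracee exited */
        int sig = WSTOPSIG(status);
        unsigned long child = 0;
        if (is_fork_event(status)) ptrace(PTRACE_GETEVENTMSG, pid, NULL, &child);
        else if (sig == SIGSTOP) child = (unsigned long)pid; /* child's stop can beat the event */
        if (child && first_sight((pid_t)child)) on_new_child((pid_t)child);
        /* Swallow ptrace's own SIGTRAP/SIGSTOP stops; forward other signals. */
        ptrace(PTRACE_CONT, pid, NULL, (void *)(long)((sig == SIGTRAP || sig == SIGSTOP) ? 0 : sig));
    }
    return nknown - 1;                     /* everything seen except root */
}
int main(int argc, char **argv) { return argc > 1 ? trace_forks(argv + 1) < 0 : 2; }
```

Only `fork` is followed here; children created with `vfork` or `clone` are reported through PTRACE_O_TRACEVFORK and PTRACE_O_TRACECLONE, which this sketch does not set.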
