strace -f (v4.7) randomly failing on grsecurity and Ubuntu kernels

[Brad Spengler]

Hi guys,

I'm writing to report this before the recent release sees more 
widespread use.  I've already had one report from a user of strace v4.7 
failing on a grsecurity kernel when run with the -f argument.  Strace 
(due to what IMO is a bug) is randomly conflicting with a feature of 
grsecurity that prevents ptracing processes other than one's decendents.  
Since Ubuntu's kernel carries the same logic/algorithm as grsecurity 
through the Yama module, strace will likewise fail on their kernels.

I've investigated the problem a bit.  The failing code (in strace.c) is:
               if (tracee_pid != pid) {
                        found_grandchild = tracee_pid;
                        if (ptrace(PTRACE_CONT, tracee_pid, 0, 0) < 0) {
                                kill_save_errno(tracee_pid, SIGKILL);
                                kill_save_errno(pid, SIGKILL);
                                perror_msg_and_die("PTRACE_CONT doesn't work");
                        }
                        continue;
                }

This happens because of the raciness of the following code (in strace.c):
        if (pid == 0) {
                pid = getpid();
                if (ptrace(PTRACE_TRACEME, 0L, 0L, 0L) < 0)
                        perror_msg_and_die("%s: PTRACE_TRACEME doesn't work",
                                           __func__);
                kill_save_errno(pid, SIGSTOP);
                if (fork() < 0)
                        perror_msg_and_die("fork");
                _exit(0);
        }

Sometimes the child exits before the PTRACE_CONT is issued against the 
grandchild, while other times the child exits after.  If the child exits 
after, there are no issues, as the grandchild keeps its descendent 
relation to the ptracing grandparent.  If the child exits before, 
however, it gets reparented to init, breaking the ability to walk back 
through the ancestors of the grandchild to reach the (previous) 
grandparent.  Because of this, grsecurity (and Ubuntu) will deny the 
ptrace to the grandchild.

Let me know if you need straces of the failing and successful cases in 
order to fix the bug, but it should be as simple as adding a wait 
before exiting out of the child.

Thanks,
-Brad

signature.asc
Description: Digital signature

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Strace-devel mailing list
Strace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/strace-devel