Question: Userspace detection of ptraced process?

From: Jesper Derehag
Date: Thu Jun 27 2013 - 06:23:21 EST


Hi all,

Is there a way of getting info about any task that is being ptraced (from userspace)?

I know that in more recent kernels you can get an event through a NETLINK_CONNECTOR socket.
But I was hoping that you could get the same information say through the siginfo argument to waitid or something similar?

I have tried different variations on the code below but it seems like there is no dependable way to get the siginfo while child_pid is being trapped.
I get rc=-1 when child is traced (and trapped), and therefore siginfo is undefined.

I suspect it might be due to that when you ptrace child, the tracer becomes the parent and that is why I cannot get any accurate siginfo data within the original parent?
The reason for why I do WNOHANG here is that in my application it's very important that I do not block. So I was hoping on just doing a "poll" of the pid status here.

rc = waitid(P_PID, child_pid, &info, WNOHANG);
if((rc == 0 || rc == child_pid) && info.si_pid != 0)
    if(info.si_code == CLD_TRAPPED)
        printf("child_pid=%d is being ptraced!", child_pid);

Anyway, any ideas of why waitid(..) doesn't work? And if the waitid(..) approach is not possible, are there any additional clever ways to figure out if a child is ptraced other than the NETLINK_CONNECTOR way?
EVENT_PTRACE is unfortunately not available in the kernel I am using at the moment (kernel 3.0).
And no, it's not really possible to update or patch the kernel at this point.

Thanks.

Regards,
Jesper Derehag
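
One non-blocking way to poll for a tracer from userspace, shown as an added example that is not part of the original message: read the TracerPid field of /proc/<pid>/status. It assumes /proc is mounted and that the running kernel exposes TracerPid there; the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 and stores the tracer PID if `line` is the "TracerPid:" field
 * of /proc/<pid>/status, 0 for any other line. */
static int parse_tracer_line(const char *line, long *tracer)
{
    return sscanf(line, "TracerPid: %ld", tracer) == 1;
}

/* Returns the PID of the process tracing `pid`, 0 if it is not traced,
 * or -1 if the status file cannot be read (process gone, no /proc). */
long tracer_pid_of(pid_t pid)
{
    char path[64], line[256];
    long tracer = -1;
    FILE *f;

    snprintf(path, sizeof(path), "/proc/%ld/status", (long)pid);
    f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof(line), f))
        if (parse_tracer_line(line, &tracer))
            break;
    fclose(f);
    return tracer;
}

int main(int argc, char **argv)
{
    /* Poll the PID given on the command line, or ourselves by default. */
    pid_t pid = argc > 1 ? (pid_t)strtol(argv[1], NULL, 10) : getpid();
    long tracer = tracer_pid_of(pid);

    if (tracer < 0)
        printf("pid %ld: status not readable\n", (long)pid);
    else if (tracer == 0)
        printf("pid %ld: not traced\n", (long)pid);
    else
        printf("pid %ld: traced by pid %ld\n", (long)pid, tracer);
    return 0;
}
```

Each call is a snapshot: a tracer can attach or detach between two polls, and a PID can be reused after the child exits, so the result holds only for the moment the file was read.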