1PTRACE(2) Linux Programmer's Manual PTRACE(2)
2
6 ptrace - process trace
7
9 #include <sys/ptrace.h>
10 long ptrace(enum __ptrace_request request, pid_t pid,
12 void *addr, void *data);
13
15 The ptrace() system call provides a means by which one process (the
16 "tracer") may observe and control the execution of another process (the
17 "tracee"), and examine and change the tracee's memory and registers.
18 It is primarily used to implement breakpoint debugging and system call
19 tracing.
20 A tracee first needs to be attached to the tracer. Attachment and sub‐
22 sequent commands are per thread: in a multithreaded process, every
23 thread can be individually attached to a (potentially different)
24 tracer, or left not attached and thus not debugged. Therefore,
25 "tracee" always means "(one) thread", never "a (possibly multithreaded)
26 process". Ptrace commands are always sent to a specific tracee using a
27 call of the form
28 ptrace(PTRACE_foo, pid, ...)
30 where pid is the thread ID of the corresponding Linux thread.
32 (Note that in this page, a "multithreaded process" means a thread group
34 consisting of threads created using the clone(2) CLONE_THREAD flag.)
35 A process can initiate a trace by calling fork(2) and having the
37 resulting child do a PTRACE_TRACEME, followed (typically) by an
38 execve(2). Alternatively, one process may commence tracing another
39 process using PTRACE_ATTACH or PTRACE_SEIZE.
40 While being traced, the tracee will stop each time a signal is deliv‐
42 ered, even if the signal is being ignored. (An exception is SIGKILL,
43 which has its usual effect.) The tracer will be notified at its next
44 call to waitpid(2) (or one of the related "wait" system calls); that
45 call will return a status value containing information that indicates
46 the cause of the stop in the tracee. While the tracee is stopped, the
47 tracer can use various ptrace requests to inspect and modify the
48 tracee. The tracer then causes the tracee to continue, optionally
49 ignoring the delivered signal (or even delivering a different signal
50 instead).
51 If the PTRACE_O_TRACEEXEC option is not in effect, all successful calls
53 to execve(2) by the traced process will cause it to be sent a SIGTRAP
54 signal, giving the parent a chance to gain control before the new pro‐
55 gram begins execution.
56 When the tracer is finished tracing, it can cause the tracee to con‐
58 tinue executing in a normal, untraced mode via PTRACE_DETACH.
59 The value of request determines the action to be performed:
61 PTRACE_TRACEME
63 Indicate that this process is to be traced by its parent. A
64 process probably shouldn't make this request if its parent isn't
65 expecting to trace it. (pid, addr, and data are ignored.)
66 The PTRACE_TRACEME request is used only by the tracee; the
68 remaining requests are used only by the tracer. In the follow‐
69 ing requests, pid specifies the thread ID of the tracee to be
70 acted on. For requests other than PTRACE_ATTACH, PTRACE_SEIZE,
71 PTRACE_INTERRUPT, and PTRACE_KILL, the tracee must be stopped.
72 PTRACE_PEEKTEXT, PTRACE_PEEKDATA
74 Read a word at the address addr in the tracee's memory, return‐
75 ing the word as the result of the ptrace() call. Linux does not
76 have separate text and data address spaces, so these two
77 requests are currently equivalent. (data is ignored; but see
78 NOTES.)
79 PTRACE_PEEKUSER
81 Read a word at offset addr in the tracee's USER area, which
82 holds the registers and other information about the process (see
83 <sys/user.h>). The word is returned as the result of the
84 ptrace() call. Typically, the offset must be word-aligned,
85 though this might vary by architecture. See NOTES. (data is
86 ignored; but see NOTES.)
87 PTRACE_POKETEXT, PTRACE_POKEDATA
89 Copy the word data to the address addr in the tracee's memory.
90 As for PTRACE_PEEKTEXT and PTRACE_PEEKDATA, these two requests
91 are currently equivalent.
92 PTRACE_POKEUSER
94 Copy the word data to offset addr in the tracee's USER area. As
95 for PTRACE_PEEKUSER, the offset must typically be word-aligned.
96 In order to maintain the integrity of the kernel, some modifica‐
97 tions to the USER area are disallowed.
98 PTRACE_GETREGS, PTRACE_GETFPREGS
100 Copy the tracee's general-purpose or floating-point registers,
101 respectively, to the address data in the tracer. See
102 <sys/user.h> for information on the format of this data. (addr
103 is ignored.) Note that SPARC systems have the meaning of data
104 and addr reversed; that is, data is ignored and the registers
105 are copied to the address addr. PTRACE_GETREGS and PTRACE_GETF‐
106 PREGS are not present on all architectures.
107 PTRACE_GETREGSET (since Linux 2.6.34)
109 Read the tracee's registers. addr specifies, in an architec‐
110 ture-dependent way, the type of registers to be read. NT_PRSTA‐
111 TUS (with numerical value 1) usually results in reading of gen‐
112 eral-purpose registers. If the CPU has, for example, floating-
113 point and/or vector registers, they can be retrieved by setting
114 addr to the corresponding NT_foo constant. data points to a
115 struct iovec, which describes the destination buffer's location
116 and length. On return, the kernel modifies iov.len to indicate
117 the actual number of bytes returned.
118 PTRACE_SETREGS, PTRACE_SETFPREGS
120 Modify the tracee's general-purpose or floating-point registers,
121 respectively, from the address data in the tracer. As for
122 PTRACE_POKEUSER, some general-purpose register modifications may
123 be disallowed. (addr is ignored.) Note that SPARC systems have
124 the meaning of data and addr reversed; that is, data is ignored
125 and the registers are copied from the address addr.
126 PTRACE_SETREGS and PTRACE_SETFPREGS are not present on all
127 architectures.
128 PTRACE_SETREGSET (since Linux 2.6.34)
130 Modify the tracee's registers. The meaning of addr and data is
131 analogous to PTRACE_GETREGSET.
132 PTRACE_GETSIGINFO (since Linux 2.3.99-pre6)
134 Retrieve information about the signal that caused the stop.
135 Copy a siginfo_t structure (see sigaction(2)) from the tracee to
136 the address data in the tracer. (addr is ignored.)
137 PTRACE_SETSIGINFO (since Linux 2.3.99-pre6)
139 Set signal information: copy a siginfo_t structure from the
140 address data in the tracer to the tracee. This will affect only
141 signals that would normally be delivered to the tracee and were
142 caught by the tracer. It may be difficult to tell these normal
143 signals from synthetic signals generated by ptrace() itself.
144 (addr is ignored.)
145 PTRACE_PEEKSIGINFO (since Linux 3.10)
147 Retrieve siginfo_t structures without removing signals from a
148 queue. addr points to a ptrace_peeksiginfo_args structure that
149 specifies the ordinal position from which copying of signals
150 should start, and the number of signals to copy. siginfo_t
151 structures are copied into the buffer pointed to by data. The
152 return value contains the number of copied signals (zero indi‐
153 cates that there is no signal corresponding to the specified
154 ordinal position). Within the returned siginfo structures, the
155 si_code field includes information (__SI_CHLD, __SI_FAULT, etc.)
156 that are not otherwise exposed to user space.
157 struct ptrace_peeksiginfo_args {
159 u64 off; /* Ordinal position in queue at which
160 to start copying signals */
161 u32 flags; /* PTRACE_PEEKSIGINFO_SHARED or 0 */
162 s32 nr; /* Number of signals to copy */
163 };
164 Currently, there is only one flag, PTRACE_PEEKSIGINFO_SHARED,
166 for dumping signals from the process-wide signal queue. If this
167 flag is not set, signals are read from the per-thread queue of
168 the specified thread.
169 PTRACE_GETSIGMASK (since Linux 3.11)
171 Place a copy of the mask of blocked signals (see sigprocmask(2))
172 in the buffer pointed to by data, which should be a pointer to a
173 buffer of type sigset_t. The addr argument contains the size of
174 the buffer pointed to by data (i.e., sizeof(sigset_t)).
175 PTRACE_SETSIGMASK (since Linux 3.11)
177 Change the mask of blocked signals (see sigprocmask(2)) to the
178 value specified in the buffer pointed to by data, which should
179 be a pointer to a buffer of type sigset_t. The addr argument
180 contains the size of the buffer pointed to by data (i.e.,
181 sizeof(sigset_t)).
182 PTRACE_SETOPTIONS (since Linux 2.4.6; see BUGS for caveats)
184 Set ptrace options from data. (addr is ignored.) data is
185 interpreted as a bit mask of options, which are specified by the
186 following flags:
187 PTRACE_O_EXITKILL (since Linux 3.8)
189 Send a SIGKILL signal to the tracee if the tracer exits.
190 This option is useful for ptrace jailers that want to
191 ensure that tracees can never escape the tracer's con‐
192 trol.
193 PTRACE_O_TRACECLONE (since Linux 2.5.46)
195 Stop the tracee at the next clone(2) and automatically
196 start tracing the newly cloned process, which will start
197 with a SIGSTOP, or PTRACE_EVENT_STOP if PTRACE_SEIZE was
198 used. A waitpid(2) by the tracer will return a status
199 value such that
200 status>>8 == (SIGTRAP | (PTRACE_EVENT_CLONE<<8))
202 The PID of the new process can be retrieved with
204 PTRACE_GETEVENTMSG.
205 This option may not catch clone(2) calls in all cases.
207 If the tracee calls clone(2) with the CLONE_VFORK flag,
208 PTRACE_EVENT_VFORK will be delivered instead if
209 PTRACE_O_TRACEVFORK is set; otherwise if the tracee calls
210 clone(2) with the exit signal set to SIGCHLD,
211 PTRACE_EVENT_FORK will be delivered if PTRACE_O_TRACEFORK
212 is set.
213 PTRACE_O_TRACEEXEC (since Linux 2.5.46)
215 Stop the tracee at the next execve(2). A waitpid(2) by
216 the tracer will return a status value such that
217 status>>8 == (SIGTRAP | (PTRACE_EVENT_EXEC<<8))
219 If the execing thread is not a thread group leader, the
221 thread ID is reset to thread group leader's ID before
222 this stop. Since Linux 3.0, the former thread ID can be
223 retrieved with PTRACE_GETEVENTMSG.
224 PTRACE_O_TRACEEXIT (since Linux 2.5.60)
226 Stop the tracee at exit. A waitpid(2) by the tracer will
227 return a status value such that
228 status>>8 == (SIGTRAP | (PTRACE_EVENT_EXIT<<8))
230 The tracee's exit status can be retrieved with
232 PTRACE_GETEVENTMSG.
233 The tracee is stopped early during process exit, when
235 registers are still available, allowing the tracer to see
236 where the exit occurred, whereas the normal exit notifi‐
237 cation is done after the process is finished exiting.
238 Even though context is available, the tracer cannot pre‐
239 vent the exit from happening at this point.
240 PTRACE_O_TRACEFORK (since Linux 2.5.46)
242 Stop the tracee at the next fork(2) and automatically
243 start tracing the newly forked process, which will start
244 with a SIGSTOP, or PTRACE_EVENT_STOP if PTRACE_SEIZE was
245 used. A waitpid(2) by the tracer will return a status
246 value such that
247 status>>8 == (SIGTRAP | (PTRACE_EVENT_FORK<<8))
249 The PID of the new process can be retrieved with
251 PTRACE_GETEVENTMSG.
252 PTRACE_O_TRACESYSGOOD (since Linux 2.4.6)
254 When delivering system call traps, set bit 7 in the sig‐
255 nal number (i.e., deliver SIGTRAP|0x80). This makes it
256 easy for the tracer to distinguish normal traps from
257 those caused by a system call.
258 PTRACE_O_TRACEVFORK (since Linux 2.5.46)
260 Stop the tracee at the next vfork(2) and automatically
261 start tracing the newly vforked process, which will start
262 with a SIGSTOP, or PTRACE_EVENT_STOP if PTRACE_SEIZE was
263 used. A waitpid(2) by the tracer will return a status
264 value such that
265 status>>8 == (SIGTRAP | (PTRACE_EVENT_VFORK<<8))
267 The PID of the new process can be retrieved with
269 PTRACE_GETEVENTMSG.
270 PTRACE_O_TRACEVFORKDONE (since Linux 2.5.60)
272 Stop the tracee at the completion of the next vfork(2).
273 A waitpid(2) by the tracer will return a status value
274 such that
275 status>>8 == (SIGTRAP | (PTRACE_EVENT_VFORK_DONE<<8))
277 The PID of the new process can (since Linux 2.6.18) be
279 retrieved with PTRACE_GETEVENTMSG.
280 PTRACE_O_TRACESECCOMP (since Linux 3.5)
282 Stop the tracee when a seccomp(2) SECCOMP_RET_TRACE rule
283 is triggered. A waitpid(2) by the tracer will return a
284 status value such that
285 status>>8 == (SIGTRAP | (PTRACE_EVENT_SECCOMP<<8))
287 While this triggers a PTRACE_EVENT stop, it is similar to
289 a syscall-enter-stop. For details, see the note on
290 PTRACE_EVENT_SECCOMP below. The seccomp event message
291 data (from the SECCOMP_RET_DATA portion of the seccomp
292 filter rule) can be retrieved with PTRACE_GETEVENTMSG.
293 PTRACE_O_SUSPEND_SECCOMP (since Linux 4.3)
295 Suspend the tracee's seccomp protections. This applies
296 regardless of mode, and can be used when the tracee has
297 not yet installed seccomp filters. That is, a valid use
298 case is to suspend a tracee's seccomp protections before
299 they are installed by the tracee, let the tracee install
300 the filters, and then clear this flag when the filters
301 should be resumed. Setting this option requires that the
302 tracer have the CAP_SYS_ADMIN capability, not have any
303 seccomp protections installed, and not have PTRACE_O_SUS‐
304 PEND_SECCOMP set on itself.
305 PTRACE_GETEVENTMSG (since Linux 2.5.46)
307 Retrieve a message (as an unsigned long) about the ptrace event
308 that just happened, placing it at the address data in the
309 tracer. For PTRACE_EVENT_EXIT, this is the tracee's exit sta‐
310 tus. For PTRACE_EVENT_FORK, PTRACE_EVENT_VFORK,
311 PTRACE_EVENT_VFORK_DONE, and PTRACE_EVENT_CLONE, this is the PID
312 of the new process. For PTRACE_EVENT_SECCOMP, this is the sec‐
313 comp(2) filter's SECCOMP_RET_DATA associated with the triggered
314 rule. (addr is ignored.)
315 PTRACE_CONT
317 Restart the stopped tracee process. If data is nonzero, it is
318 interpreted as the number of a signal to be delivered to the
319 tracee; otherwise, no signal is delivered. Thus, for example,
320 the tracer can control whether a signal sent to the tracee is
321 delivered or not. (addr is ignored.)
322 PTRACE_SYSCALL, PTRACE_SINGLESTEP
324 Restart the stopped tracee as for PTRACE_CONT, but arrange for
325 the tracee to be stopped at the next entry to or exit from a
326 system call, or after execution of a single instruction, respec‐
327 tively. (The tracee will also, as usual, be stopped upon
328 receipt of a signal.) From the tracer's perspective, the tracee
329 will appear to have been stopped by receipt of a SIGTRAP. So,
330 for PTRACE_SYSCALL, for example, the idea is to inspect the
331 arguments to the system call at the first stop, then do another
332 PTRACE_SYSCALL and inspect the return value of the system call
333 at the second stop. The data argument is treated as for
334 PTRACE_CONT. (addr is ignored.)
335 PTRACE_SET_SYSCALL (since Linux 2.6.16)
337 When in syscall-enter-stop, change the number of the system call
338 that is about to be executed to the number specified in the data
339 argument. The addr argument is ignored. This request is cur‐
340 rently supported only on arm (and arm64, though only for back‐
341 wards compatibility), but most other architectures have other
342 means of accomplishing this (usually by changing the register
343 that the userland code passed the system call number in).
344 PTRACE_SYSEMU, PTRACE_SYSEMU_SINGLESTEP (since Linux 2.6.14)
346 For PTRACE_SYSEMU, continue and stop on entry to the next system
347 call, which will not be executed. See the documentation on
348 syscall-stops below. For PTRACE_SYSEMU_SINGLESTEP, do the same
349 but also singlestep if not a system call. This call is used by
350 programs like User Mode Linux that want to emulate all the
351 tracee's system calls. The data argument is treated as for
352 PTRACE_CONT. The addr argument is ignored. These requests are
353 currently supported only on x86.
354 PTRACE_LISTEN (since Linux 3.4)
356 Restart the stopped tracee, but prevent it from executing. The
357 resulting state of the tracee is similar to a process which has
358 been stopped by a SIGSTOP (or other stopping signal). See the
359 "group-stop" subsection for additional information. PTRACE_LIS‐
360 TEN works only on tracees attached by PTRACE_SEIZE.
361 PTRACE_KILL
363 Send the tracee a SIGKILL to terminate it. (addr and data are
364 ignored.)
365 This operation is deprecated; do not use it! Instead, send a
367 SIGKILL directly using kill(2) or tgkill(2). The problem with
368 PTRACE_KILL is that it requires the tracee to be in signal-
369 delivery-stop, otherwise it may not work (i.e., may complete
370 successfully but won't kill the tracee). By contrast, sending a
371 SIGKILL directly has no such limitation.
372 PTRACE_INTERRUPT (since Linux 3.4)
374 Stop a tracee. If the tracee is running or sleeping in kernel
375 space and PTRACE_SYSCALL is in effect, the system call is inter‐
376 rupted and syscall-exit-stop is reported. (The interrupted sys‐
377 tem call is restarted when the tracee is restarted.) If the
378 tracee was already stopped by a signal and PTRACE_LISTEN was
379 sent to it, the tracee stops with PTRACE_EVENT_STOP and WSTOP‐
380 SIG(status) returns the stop signal. If any other ptrace-stop
381 is generated at the same time (for example, if a signal is sent
382 to the tracee), this ptrace-stop happens. If none of the above
383 applies (for example, if the tracee is running in user space),
384 it stops with PTRACE_EVENT_STOP with WSTOPSIG(status) == SIG‐
385 TRAP. PTRACE_INTERRUPT only works on tracees attached by
386 PTRACE_SEIZE.
387 PTRACE_ATTACH
389 Attach to the process specified in pid, making it a tracee of
390 the calling process. The tracee is sent a SIGSTOP, but will not
391 necessarily have stopped by the completion of this call; use
392 waitpid(2) to wait for the tracee to stop. See the "Attaching
393 and detaching" subsection for additional information. (addr and
394 data are ignored.)
395 Permission to perform a PTRACE_ATTACH is governed by a ptrace
397 access mode PTRACE_MODE_ATTACH_REALCREDS check; see below.
398 PTRACE_SEIZE (since Linux 3.4)
400 Attach to the process specified in pid, making it a tracee of
401 the calling process. Unlike PTRACE_ATTACH, PTRACE_SEIZE does
402 not stop the process. Group-stops are reported as
403 PTRACE_EVENT_STOP and WSTOPSIG(status) returns the stop signal.
404 Automatically attached children stop with PTRACE_EVENT_STOP and
405 WSTOPSIG(status) returns SIGTRAP instead of having SIGSTOP sig‐
406 nal delivered to them. execve(2) does not deliver an extra SIG‐
407 TRAP. Only a PTRACE_SEIZEd process can accept PTRACE_INTERRUPT
408 and PTRACE_LISTEN commands. The "seized" behavior just
409 described is inherited by children that are automatically
410 attached using PTRACE_O_TRACEFORK, PTRACE_O_TRACEVFORK, and
411 PTRACE_O_TRACECLONE. addr must be zero. data contains a bit
412 mask of ptrace options to activate immediately.
413 Permission to perform a PTRACE_SEIZE is governed by a ptrace
415 access mode PTRACE_MODE_ATTACH_REALCREDS check; see below.
416 PTRACE_SECCOMP_GET_FILTER (since Linux 4.4)
418 This operation allows the tracer to dump the tracee's classic
419 BPF filters.
420 addr is an integer specifying the index of the filter to be
422 dumped. The most recently installed filter has the index 0. If
423 addr is greater than the number of installed filters, the opera‐
424 tion fails with the error ENOENT.
425 data is either a pointer to a struct sock_filter array that is
427 large enough to store the BPF program, or NULL if the program is
428 not to be stored.
429 Upon success, the return value is the number of instructions in
431 the BPF program. If data was NULL, then this return value can
432 be used to correctly size the struct sock_filter array passed in
433 a subsequent call.
434 This operation fails with the error EACCES if the caller does
436 not have the CAP_SYS_ADMIN capability or if the caller is in
437 strict or filter seccomp mode. If the filter referred to by
438 addr is not a classic BPF filter, the operation fails with the
439 error EMEDIUMTYPE.
440 This operation is available if the kernel was configured with
442 both the CONFIG_SECCOMP_FILTER and the CONFIG_CHECKPOINT_RESTORE
443 options.
444 PTRACE_DETACH
446 Restart the stopped tracee as for PTRACE_CONT, but first detach
447 from it. Under Linux, a tracee can be detached in this way
448 regardless of which method was used to initiate tracing. (addr
449 is ignored.)
450 PTRACE_GET_THREAD_AREA (since Linux 2.6.0)
452 This operation performs a similar task to get_thread_area(2).
453 It reads the TLS entry in the GDT whose index is given in addr,
454 placing a copy of the entry into the struct user_desc pointed to
455 by data. (By contrast with get_thread_area(2), the entry_number
456 of the struct user_desc is ignored.)
457 PTRACE_SET_THREAD_AREA (since Linux 2.6.0)
459 This operation performs a similar task to set_thread_area(2).
460 It sets the TLS entry in the GDT whose index is given in addr,
461 assigning it the data supplied in the struct user_desc pointed
462 to by data. (By contrast with set_thread_area(2), the
463 entry_number of the struct user_desc is ignored; in other words,
464 this ptrace operation can't be used to allocate a free TLS
465 entry.)
466 PTRACE_GET_SYSCALL_INFO (since Linux 5.3)
468 Retrieve information about the system call that caused the stop.
469 The information is placed into the buffer pointed by the data
470 argument, which should be a pointer to a buffer of type struct
471 ptrace_syscall_info. The addr argument contains the size of the
472 buffer pointed to by the data argument (i.e., sizeof(struct
473 ptrace_syscall_info)). The return value contains the number of
474 bytes available to be written by the kernel. If the size of the
475 data to be written by the kernel exceeds the size specified by
476 the addr argument, the output data is truncated.
477 The ptrace_syscall_info structure contains the following fields:
479 struct ptrace_syscall_info {
481 __u8 op; /* Type of system call stop */
482 __u32 arch; /* AUDIT_ARCH_* value; see seccomp(2) */
483 __u64 instruction_pointer; /* CPU instruction pointer */
484 __u64 stack_pointer; /* CPU stack pointer */
485 union {
486 struct { /* op == PTRACE_SYSCALL_INFO_ENTRY */
487 __u64 nr; /* System call number */
488 __u64 args[6]; /* System call arguments */
489 } entry;
490 struct { /* op == PTRACE_SYSCALL_INFO_EXIT */
491 __s64 rval; /* System call return value */
492 __u8 is_error; /* System call error flag;
493 Boolean: does rval contain
494 an error value (-ERRCODE) or
495 a nonerror return value? */
496 } exit;
497 struct { /* op == PTRACE_SYSCALL_INFO_SECCOMP */
498 __u64 nr; /* System call number */
499 __u64 args[6]; /* System call arguments */
500 __u32 ret_data; /* SECCOMP_RET_DATA portion
501 of SECCOMP_RET_TRACE
502 return value */
503 } seccomp;
504 };
505 };
506 The op, arch, instruction_pointer, and stack_pointer fields are
508 defined for all kinds of ptrace system call stops. The rest of
509 the structure is a union; one should read only those fields that
510 are meaningful for the kind of system call stop specified by the
511 op field.
512 The op field has one of the following values (defined in
514 <linux/ptrace.h>) indicating what type of stop occurred and
515 which part of the union is filled:
516 PTRACE_SYSCALL_INFO_ENTRY
518 The entry component of the union contains information
519 relating to a system call entry stop.
520 PTRACE_SYSCALL_INFO_EXIT
522 The exit component of the union contains information
523 relating to a system call exit stop.
524 PTRACE_SYSCALL_INFO_SECCOMP
526 The seccomp component of the union contains information
527 relating to a PTRACE_EVENT_SECCOMP stop.
528 PTRACE_SYSCALL_INFO_NONE
530 No component of the union contains relevant information.
531 Death under ptrace
533 When a (possibly multithreaded) process receives a killing signal (one
534 whose disposition is set to SIG_DFL and whose default action is to kill
535 the process), all threads exit. Tracees report their death to their
536 tracer(s). Notification of this event is delivered via waitpid(2).
537 Note that the killing signal will first cause signal-delivery-stop (on
539 one tracee only), and only after it is injected by the tracer (or after
540 it was dispatched to a thread which isn't traced), will death from the
541 signal happen on all tracees within a multithreaded process. (The term
542 "signal-delivery-stop" is explained below.)
543 SIGKILL does not generate signal-delivery-stop and therefore the tracer
545 can't suppress it. SIGKILL kills even within system calls (syscall-
546 exit-stop is not generated prior to death by SIGKILL). The net effect
547 is that SIGKILL always kills the process (all its threads), even if
548 some threads of the process are ptraced.
549 When the tracee calls _exit(2), it reports its death to its tracer.
551 Other threads are not affected.
552 When any thread executes exit_group(2), every tracee in its thread
554 group reports its death to its tracer.
555 If the PTRACE_O_TRACEEXIT option is on, PTRACE_EVENT_EXIT will happen
557 before actual death. This applies to exits via exit(2), exit_group(2),
558 and signal deaths (except SIGKILL, depending on the kernel version; see
559 BUGS below), and when threads are torn down on execve(2) in a multi‐
560 threaded process.
561 The tracer cannot assume that the ptrace-stopped tracee exists. There
563 are many scenarios when the tracee may die while stopped (such as
564 SIGKILL). Therefore, the tracer must be prepared to handle an ESRCH
565 error on any ptrace operation. Unfortunately, the same error is
566 returned if the tracee exists but is not ptrace-stopped (for commands
567 which require a stopped tracee), or if it is not traced by the process
568 which issued the ptrace call. The tracer needs to keep track of the
569 stopped/running state of the tracee, and interpret ESRCH as "tracee
570 died unexpectedly" only if it knows that the tracee has been observed
571 to enter ptrace-stop. Note that there is no guarantee that wait‐
572 pid(WNOHANG) will reliably report the tracee's death status if a ptrace
573 operation returned ESRCH. waitpid(WNOHANG) may return 0 instead. In
574 other words, the tracee may be "not yet fully dead", but already refus‐
575 ing ptrace requests.
576 The tracer can't assume that the tracee always ends its life by report‐
578 ing WIFEXITED(status) or WIFSIGNALED(status); there are cases where
579 this does not occur. For example, if a thread other than thread group
580 leader does an execve(2), it disappears; its PID will never be seen
581 again, and any subsequent ptrace stops will be reported under the
582 thread group leader's PID.
583 Stopped states
585 A tracee can be in two states: running or stopped. For the purposes of
586 ptrace, a tracee which is blocked in a system call (such as read(2),
587 pause(2), etc.) is nevertheless considered to be running, even if the
588 tracee is blocked for a long time. The state of the tracee after
589 PTRACE_LISTEN is somewhat of a gray area: it is not in any ptrace-stop
590 (ptrace commands won't work on it, and it will deliver waitpid(2) noti‐
591 fications), but it also may be considered "stopped" because it is not
592 executing instructions (is not scheduled), and if it was in group-stop
593 before PTRACE_LISTEN, it will not respond to signals until SIGCONT is
594 received.
595 There are many kinds of states when the tracee is stopped, and in
597 ptrace discussions they are often conflated. Therefore, it is impor‐
598 tant to use precise terms.
599 In this manual page, any stopped state in which the tracee is ready to
601 accept ptrace commands from the tracer is called ptrace-stop. Ptrace-
602 stops can be further subdivided into signal-delivery-stop, group-stop,
603 syscall-stop, PTRACE_EVENT stops, and so on. These stopped states are
604 described in detail below.
605 When the running tracee enters ptrace-stop, it notifies its tracer
607 using waitpid(2) (or one of the other "wait" system calls). Most of
608 this manual page assumes that the tracer waits with:
609 pid = waitpid(pid_or_minus_1, &status, __WALL);
611 Ptrace-stopped tracees are reported as returns with pid greater than 0
613 and WIFSTOPPED(status) true.
614 The __WALL flag does not include the WSTOPPED and WEXITED flags, but
616 implies their functionality.
617 Setting the WCONTINUED flag when calling waitpid(2) is not recommended:
619 the "continued" state is per-process and consuming it can confuse the
620 real parent of the tracee.
621 Use of the WNOHANG flag may cause waitpid(2) to return 0 ("no wait
623 results available yet") even if the tracer knows there should be a
624 notification. Example:
625 errno = 0;
627 ptrace(PTRACE_CONT, pid, 0L, 0L);
628 if (errno == ESRCH) {
629 /* tracee is dead */
630 r = waitpid(tracee, &status, __WALL | WNOHANG);
631 /* r can still be 0 here! */
632 }
633 The following kinds of ptrace-stops exist: signal-delivery-stops,
635 group-stops, PTRACE_EVENT stops, syscall-stops. They all are reported
636 by waitpid(2) with WIFSTOPPED(status) true. They may be differentiated
637 by examining the value status>>8, and if there is ambiguity in that
638 value, by querying PTRACE_GETSIGINFO. (Note: the WSTOPSIG(status)
639 macro can't be used to perform this examination, because it returns the
640 value (status>>8) & 0xff.)
641 Signal-delivery-stop
643 When a (possibly multithreaded) process receives any signal except
644 SIGKILL, the kernel selects an arbitrary thread which handles the sig‐
645 nal. (If the signal is generated with tgkill(2), the target thread can
646 be explicitly selected by the caller.) If the selected thread is
647 traced, it enters signal-delivery-stop. At this point, the signal is
648 not yet delivered to the process, and can be suppressed by the tracer.
649 If the tracer doesn't suppress the signal, it passes the signal to the
650 tracee in the next ptrace restart request. This second step of signal
651 delivery is called signal injection in this manual page. Note that if
652 the signal is blocked, signal-delivery-stop doesn't happen until the
653 signal is unblocked, with the usual exception that SIGSTOP can't be
654 blocked.
655 Signal-delivery-stop is observed by the tracer as waitpid(2) returning
657 with WIFSTOPPED(status) true, with the signal returned by WSTOPSIG(sta‐
658 tus). If the signal is SIGTRAP, this may be a different kind of
659 ptrace-stop; see the "Syscall-stops" and "execve" sections below for
660 details. If WSTOPSIG(status) returns a stopping signal, this may be a
661 group-stop; see below.
662 Signal injection and suppression
664 After signal-delivery-stop is observed by the tracer, the tracer should
665 restart the tracee with the call
666 ptrace(PTRACE_restart, pid, 0, sig)
668 where PTRACE_restart is one of the restarting ptrace requests. If sig
670 is 0, then a signal is not delivered. Otherwise, the signal sig is
671 delivered. This operation is called signal injection in this manual
672 page, to distinguish it from signal-delivery-stop.
673 The sig value may be different from the WSTOPSIG(status) value: the
675 tracer can cause a different signal to be injected.
676 Note that a suppressed signal still causes system calls to return pre‐
678 maturely. In this case, system calls will be restarted: the tracer
679 will observe the tracee to reexecute the interrupted system call (or
680 restart_syscall(2) system call for a few system calls which use a dif‐
681 ferent mechanism for restarting) if the tracer uses PTRACE_SYSCALL.
682 Even system calls (such as poll(2)) which are not restartable after
683 signal are restarted after signal is suppressed; however, kernel bugs
684 exist which cause some system calls to fail with EINTR even though no
685 observable signal is injected to the tracee.
686 Restarting ptrace commands issued in ptrace-stops other than signal-
688 delivery-stop are not guaranteed to inject a signal, even if sig is
689 nonzero. No error is reported; a nonzero sig may simply be ignored.
690 Ptrace users should not try to "create a new signal" this way: use
691 tgkill(2) instead.
692 The fact that signal injection requests may be ignored when restarting
694 the tracee after ptrace stops that are not signal-delivery-stops is a
695 cause of confusion among ptrace users. One typical scenario is that
696 the tracer observes group-stop, mistakes it for signal-delivery-stop,
697 restarts the tracee with
698 ptrace(PTRACE_restart, pid, 0, stopsig)
700 with the intention of injecting stopsig, but stopsig gets ignored and
702 the tracee continues to run.
703 The SIGCONT signal has a side effect of waking up (all threads of) a
705 group-stopped process. This side effect happens before signal-deliv‐
706 ery-stop. The tracer can't suppress this side effect (it can only sup‐
707 press signal injection, which only causes the SIGCONT handler to not be
708 executed in the tracee, if such a handler is installed). In fact, wak‐
709 ing up from group-stop may be followed by signal-delivery-stop for sig‐
710 nal(s) other than SIGCONT, if they were pending when SIGCONT was deliv‐
711 ered. In other words, SIGCONT may be not the first signal observed by
712 the tracee after it was sent.
713 Stopping signals cause (all threads of) a process to enter group-stop.
715 This side effect happens after signal injection, and therefore can be
716 suppressed by the tracer.
717 In Linux 2.4 and earlier, the SIGSTOP signal can't be injected.
719 PTRACE_GETSIGINFO can be used to retrieve a siginfo_t structure which
721 corresponds to the delivered signal. PTRACE_SETSIGINFO may be used to
722 modify it. If PTRACE_SETSIGINFO has been used to alter siginfo_t, the
723 si_signo field and the sig parameter in the restarting command must
724 match, otherwise the result is undefined.
725 Group-stop
727 When a (possibly multithreaded) process receives a stopping signal, all
728 threads stop. If some threads are traced, they enter a group-stop.
729 Note that the stopping signal will first cause signal-delivery-stop (on
730 one tracee only), and only after it is injected by the tracer (or after
731 it was dispatched to a thread which isn't traced), will group-stop be
732 initiated on all tracees within the multithreaded process. As usual,
733 every tracee reports its group-stop separately to the corresponding
734 tracer.
735 Group-stop is observed by the tracer as waitpid(2) returning with WIF‐
737 STOPPED(status) true, with the stopping signal available via WSTOP‐
738 SIG(status). The same result is returned by some other classes of
739 ptrace-stops, therefore the recommended practice is to perform the call
740 ptrace(PTRACE_GETSIGINFO, pid, 0, &siginfo)
742 The call can be avoided if the signal is not SIGSTOP, SIGTSTP, SIGTTIN,
744 or SIGTTOU; only these four signals are stopping signals. If the
745 tracer sees something else, it can't be a group-stop. Otherwise, the
746 tracer needs to call PTRACE_GETSIGINFO. If PTRACE_GETSIGINFO fails
747 with EINVAL, then it is definitely a group-stop. (Other failure codes
748 are possible, such as ESRCH ("no such process") if a SIGKILL killed the
749 tracee.)
750 If tracee was attached using PTRACE_SEIZE, group-stop is indicated by
752 PTRACE_EVENT_STOP: status>>16 == PTRACE_EVENT_STOP. This allows detec‐
753 tion of group-stops without requiring an extra PTRACE_GETSIGINFO call.
754 As of Linux 2.6.38, after the tracer sees the tracee ptrace-stop and
756 until it restarts or kills it, the tracee will not run, and will not
757 send notifications (except SIGKILL death) to the tracer, even if the
758 tracer enters into another waitpid(2) call.
759 The kernel behavior described in the previous paragraph causes a prob‐
761 lem with transparent handling of stopping signals. If the tracer
762 restarts the tracee after group-stop, the stopping signal is effec‐
763 tively ignored—the tracee doesn't remain stopped, it runs. If the
764 tracer doesn't restart the tracee before entering into the next wait‐
765 pid(2), future SIGCONT signals will not be reported to the tracer; this
766 would cause the SIGCONT signals to have no effect on the tracee.
767 Since Linux 3.4, there is a method to overcome this problem: instead of
769 PTRACE_CONT, a PTRACE_LISTEN command can be used to restart a tracee in
770 a way where it does not execute, but waits for a new event which it can
771 report via waitpid(2) (such as when it is restarted by a SIGCONT).
772 PTRACE_EVENT stops
774 If the tracer sets PTRACE_O_TRACE_* options, the tracee will enter
775 ptrace-stops called PTRACE_EVENT stops.
776 PTRACE_EVENT stops are observed by the tracer as waitpid(2) returning
778 with WIFSTOPPED(status), and WSTOPSIG(status) returns SIGTRAP (or for
779 PTRACE_EVENT_STOP, returns the stopping signal if tracee is in a group-
780 stop). An additional bit is set in the higher byte of the status word:
781 the value status>>8 will be
782 ((PTRACE_EVENT_foo<<8) | SIGTRAP).
784 The following events exist:
786 PTRACE_EVENT_VFORK
788 Stop before return from vfork(2) or clone(2) with the
789 CLONE_VFORK flag. When the tracee is continued after this stop,
790 it will wait for child to exit/exec before continuing its execu‐
791 tion (in other words, the usual behavior on vfork(2)).
792 PTRACE_EVENT_FORK
794 Stop before return from fork(2) or clone(2) with the exit signal
795 set to SIGCHLD.
796 PTRACE_EVENT_CLONE
798 Stop before return from clone(2).
799 PTRACE_EVENT_VFORK_DONE
801 Stop before return from vfork(2) or clone(2) with the
802 CLONE_VFORK flag, but after the child unblocked this tracee by
803 exiting or execing.
804 For all four stops described above, the stop occurs in the parent
806 (i.e., the tracee), not in the newly created thread.
807 PTRACE_GETEVENTMSG can be used to retrieve the new thread's ID.
808 PTRACE_EVENT_EXEC
810 Stop before return from execve(2). Since Linux 3.0,
811 PTRACE_GETEVENTMSG returns the former thread ID.
812 PTRACE_EVENT_EXIT
814 Stop before exit (including death from exit_group(2)), signal
815 death, or exit caused by execve(2) in a multithreaded process.
816 PTRACE_GETEVENTMSG returns the exit status. Registers can be
817 examined (unlike when "real" exit happens). The tracee is still
818 alive; it needs to be PTRACE_CONTed or PTRACE_DETACHed to finish
819 exiting.
820 PTRACE_EVENT_STOP
822 Stop induced by PTRACE_INTERRUPT command, or group-stop, or ini‐
823 tial ptrace-stop when a new child is attached (only if attached
824 using PTRACE_SEIZE).
825 PTRACE_EVENT_SECCOMP
827 Stop triggered by a seccomp(2) rule on tracee syscall entry when
828 PTRACE_O_TRACESECCOMP has been set by the tracer. The seccomp
829 event message data (from the SECCOMP_RET_DATA portion of the
830 seccomp filter rule) can be retrieved with PTRACE_GETEVENTMSG.
831 The semantics of this stop are described in detail in a separate
832 section below.
833 PTRACE_GETSIGINFO on PTRACE_EVENT stops returns SIGTRAP in si_signo,
835 with si_code set to (event<<8) | SIGTRAP.
836 Syscall-stops
838 If the tracee was restarted by PTRACE_SYSCALL or PTRACE_SYSEMU, the
839 tracee enters syscall-enter-stop just prior to entering any system call
840 (which will not be executed if the restart was using PTRACE_SYSEMU,
841 regardless of any change made to registers at this point or how the
842 tracee is restarted after this stop). No matter which method caused
843 the syscall-entry-stop, if the tracer restarts the tracee with
844 PTRACE_SYSCALL, the tracee enters syscall-exit-stop when the system
845 call is finished, or if it is interrupted by a signal. (That is, sig‐
846 nal-delivery-stop never happens between syscall-enter-stop and syscall-
847 exit-stop; it happens after syscall-exit-stop.). If the tracee is con‐
848 tinued using any other method (including PTRACE_SYSEMU), no syscall-
849 exit-stop occurs. Note that all mentions PTRACE_SYSEMU apply equally
850 to PTRACE_SYSEMU_SINGLESTEP.
851 However, even if the tracee was continued using PTRACE_SYSCALL, it is
853 not guaranteed that the next stop will be a syscall-exit-stop. Other
854 possibilities are that the tracee may stop in a PTRACE_EVENT stop
855 (including seccomp stops), exit (if it entered _exit(2) or
856 exit_group(2)), be killed by SIGKILL, or die silently (if it is a
857 thread group leader, the execve(2) happened in another thread, and that
858 thread is not traced by the same tracer; this situation is discussed
859 later).
860 Syscall-enter-stop and syscall-exit-stop are observed by the tracer as
862 waitpid(2) returning with WIFSTOPPED(status) true, and WSTOPSIG(status)
863 giving SIGTRAP. If the PTRACE_O_TRACESYSGOOD option was set by the
864 tracer, then WSTOPSIG(status) will give the value (SIGTRAP | 0x80).
865 Syscall-stops can be distinguished from signal-delivery-stop with SIG‐
867 TRAP by querying PTRACE_GETSIGINFO for the following cases:
868 si_code <= 0
870 SIGTRAP was delivered as a result of a user-space action, for
871 example, a system call (tgkill(2), kill(2), sigqueue(3), etc.),
872 expiration of a POSIX timer, change of state on a POSIX message
873 queue, or completion of an asynchronous I/O request.
874 si_code == SI_KERNEL (0x80)
876 SIGTRAP was sent by the kernel.
877 si_code == SIGTRAP or si_code == (SIGTRAP|0x80)
879 This is a syscall-stop.
880 However, syscall-stops happen very often (twice per system call), and
882 performing PTRACE_GETSIGINFO for every syscall-stop may be somewhat
883 expensive.
884 Some architectures allow the cases to be distinguished by examining
886 registers. For example, on x86, rax == -ENOSYS in syscall-enter-stop.
887 Since SIGTRAP (like any other signal) always happens after syscall-
888 exit-stop, and at this point rax almost never contains -ENOSYS, the
889 SIGTRAP looks like "syscall-stop which is not syscall-enter-stop"; in
890 other words, it looks like a "stray syscall-exit-stop" and can be
891 detected this way. But such detection is fragile and is best avoided.
892 Using the PTRACE_O_TRACESYSGOOD option is the recommended method to
894 distinguish syscall-stops from other kinds of ptrace-stops, since it is
895 reliable and does not incur a performance penalty.
896 Syscall-enter-stop and syscall-exit-stop are indistinguishable from
898 each other by the tracer. The tracer needs to keep track of the
899 sequence of ptrace-stops in order to not misinterpret syscall-enter-
900 stop as syscall-exit-stop or vice versa. In general, a syscall-enter-
901 stop is always followed by syscall-exit-stop, PTRACE_EVENT stop, or the
902 tracee's death; no other kinds of ptrace-stop can occur in between.
903 However, note that seccomp stops (see below) can cause syscall-exit-
904 stops, without preceding syscall-entry-stops. If seccomp is in use,
905 care needs to be taken not to misinterpret such stops as syscall-entry-
906 stops.
907 If after syscall-enter-stop, the tracer uses a restarting command other
909 than PTRACE_SYSCALL, syscall-exit-stop is not generated.
910 PTRACE_GETSIGINFO on syscall-stops returns SIGTRAP in si_signo, with
912 si_code set to SIGTRAP or (SIGTRAP|0x80).
913 PTRACE_EVENT_SECCOMP stops (Linux 3.5 to 4.7)
915 The behavior of PTRACE_EVENT_SECCOMP stops and their interaction with
916 other kinds of ptrace stops has changed between kernel versions. This
917 documents the behavior from their introduction until Linux 4.7 (inclu‐
918 sive). The behavior in later kernel versions is documented in the next
919 section.
920 A PTRACE_EVENT_SECCOMP stop occurs whenever a SECCOMP_RET_TRACE rule is
922 triggered. This is independent of which methods was used to restart
923 the system call. Notably, seccomp still runs even if the tracee was
924 restarted using PTRACE_SYSEMU and this system call is unconditionally
925 skipped.
926 Restarts from this stop will behave as if the stop had occurred right
928 before the system call in question. In particular, both PTRACE_SYSCALL
929 and PTRACE_SYSEMU will normally cause a subsequent syscall-entry-stop.
930 However, if after the PTRACE_EVENT_SECCOMP the system call number is
931 negative, both the syscall-entry-stop and the system call itself will
932 be skipped. This means that if the system call number is negative
933 after a PTRACE_EVENT_SECCOMP and the tracee is restarted using
934 PTRACE_SYSCALL, the next observed stop will be a syscall-exit-stop,
935 rather than the syscall-entry-stop that might have been expected.
936 PTRACE_EVENT_SECCOMP stops (since Linux 4.8)
938 Starting with Linux 4.8, the PTRACE_EVENT_SECCOMP stop was reordered to
939 occur between syscall-entry-stop and syscall-exit-stop. Note that sec‐
940 comp no longer runs (and no PTRACE_EVENT_SECCOMP will be reported) if
941 the system call is skipped due to PTRACE_SYSEMU.
942 Functionally, a PTRACE_EVENT_SECCOMP stop functions comparably to a
944 syscall-entry-stop (i.e., continuations using PTRACE_SYSCALL will cause
945 syscall-exit-stops, the system call number may be changed and any other
946 modified registers are visible to the to-be-executed system call as
947 well). Note that there may be, but need not have been a preceding
948 syscall-entry-stop.
949 After a PTRACE_EVENT_SECCOMP stop, seccomp will be rerun, with a SEC‐
951 COMP_RET_TRACE rule now functioning the same as a SECCOMP_RET_ALLOW.
952 Specifically, this means that if registers are not modified during the
953 PTRACE_EVENT_SECCOMP stop, the system call will then be allowed.
954 PTRACE_SINGLESTEP stops
956 [Details of these kinds of stops are yet to be documented.]
957 Informational and restarting ptrace commands
959 Most ptrace commands (all except PTRACE_ATTACH, PTRACE_SEIZE,
960 PTRACE_TRACEME, PTRACE_INTERRUPT, and PTRACE_KILL) require the tracee
961 to be in a ptrace-stop, otherwise they fail with ESRCH.
962 When the tracee is in ptrace-stop, the tracer can read and write data
964 to the tracee using informational commands. These commands leave the
965 tracee in ptrace-stopped state:
966 ptrace(PTRACE_PEEKTEXT/PEEKDATA/PEEKUSER, pid, addr, 0);
968 ptrace(PTRACE_POKETEXT/POKEDATA/POKEUSER, pid, addr, long_val);
969 ptrace(PTRACE_GETREGS/GETFPREGS, pid, 0, &struct);
970 ptrace(PTRACE_SETREGS/SETFPREGS, pid, 0, &struct);
971 ptrace(PTRACE_GETREGSET, pid, NT_foo, &iov);
972 ptrace(PTRACE_SETREGSET, pid, NT_foo, &iov);
973 ptrace(PTRACE_GETSIGINFO, pid, 0, &siginfo);
974 ptrace(PTRACE_SETSIGINFO, pid, 0, &siginfo);
975 ptrace(PTRACE_GETEVENTMSG, pid, 0, &long_var);
976 ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags);
977 Note that some errors are not reported. For example, setting signal
979 information (siginfo) may have no effect in some ptrace-stops, yet the
980 call may succeed (return 0 and not set errno); querying
981 PTRACE_GETEVENTMSG may succeed and return some random value if current
982 ptrace-stop is not documented as returning a meaningful event message.
983 The call
985 ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_flags);
987 affects one tracee. The tracee's current flags are replaced. Flags
989 are inherited by new tracees created and "auto-attached" via active
990 PTRACE_O_TRACEFORK, PTRACE_O_TRACEVFORK, or PTRACE_O_TRACECLONE
991 options.
992 Another group of commands makes the ptrace-stopped tracee run. They
994 have the form:
995 ptrace(cmd, pid, 0, sig);
997 where cmd is PTRACE_CONT, PTRACE_LISTEN, PTRACE_DETACH, PTRACE_SYSCALL,
999 PTRACE_SINGLESTEP, PTRACE_SYSEMU, or PTRACE_SYSEMU_SINGLESTEP. If the
1000 tracee is in signal-delivery-stop, sig is the signal to be injected (if
1001 it is nonzero). Otherwise, sig may be ignored. (When restarting a
1002 tracee from a ptrace-stop other than signal-delivery-stop, recommended
1003 practice is to always pass 0 in sig.)
1004 Attaching and detaching
1006 A thread can be attached to the tracer using the call
1007 ptrace(PTRACE_ATTACH, pid, 0, 0);
1009 or
1011 ptrace(PTRACE_SEIZE, pid, 0, PTRACE_O_flags);
1013 PTRACE_ATTACH sends SIGSTOP to this thread. If the tracer wants this
1015 SIGSTOP to have no effect, it needs to suppress it. Note that if other
1016 signals are concurrently sent to this thread during attach, the tracer
1017 may see the tracee enter signal-delivery-stop with other signal(s)
1018 first! The usual practice is to reinject these signals until SIGSTOP
1019 is seen, then suppress SIGSTOP injection. The design bug here is that
1020 a ptrace attach and a concurrently delivered SIGSTOP may race and the
1021 concurrent SIGSTOP may be lost.
1022 Since attaching sends SIGSTOP and the tracer usually suppresses it,
1024 this may cause a stray EINTR return from the currently executing system
1025 call in the tracee, as described in the "Signal injection and suppres‐
1026 sion" section.
1027 Since Linux 3.4, PTRACE_SEIZE can be used instead of PTRACE_ATTACH.
1029 PTRACE_SEIZE does not stop the attached process. If you need to stop
1030 it after attach (or at any other time) without sending it any signals,
1031 use PTRACE_INTERRUPT command.
1032 The request
1034 ptrace(PTRACE_TRACEME, 0, 0, 0);
1036 turns the calling thread into a tracee. The thread continues to run
1038 (doesn't enter ptrace-stop). A common practice is to follow the
1039 PTRACE_TRACEME with
1040 raise(SIGSTOP);
1042 and allow the parent (which is our tracer now) to observe our signal-
1044 delivery-stop.
1045 If the PTRACE_O_TRACEFORK, PTRACE_O_TRACEVFORK, or PTRACE_O_TRACECLONE
1047 options are in effect, then children created by, respectively, vfork(2)
1048 or clone(2) with the CLONE_VFORK flag, fork(2) or clone(2) with the
1049 exit signal set to SIGCHLD, and other kinds of clone(2), are automati‐
1050 cally attached to the same tracer which traced their parent. SIGSTOP
1051 is delivered to the children, causing them to enter signal-delivery-
1052 stop after they exit the system call which created them.
1053 Detaching of the tracee is performed by:
1055 ptrace(PTRACE_DETACH, pid, 0, sig);
1057 PTRACE_DETACH is a restarting operation; therefore it requires the
1059 tracee to be in ptrace-stop. If the tracee is in signal-delivery-stop,
1060 a signal can be injected. Otherwise, the sig parameter may be silently
1061 ignored.
1062 If the tracee is running when the tracer wants to detach it, the usual
1064 solution is to send SIGSTOP (using tgkill(2), to make sure it goes to
1065 the correct thread), wait for the tracee to stop in signal-delivery-
1066 stop for SIGSTOP and then detach it (suppressing SIGSTOP injection). A
1067 design bug is that this can race with concurrent SIGSTOPs. Another
1068 complication is that the tracee may enter other ptrace-stops and needs
1069 to be restarted and waited for again, until SIGSTOP is seen. Yet
1070 another complication is to be sure that the tracee is not already
1071 ptrace-stopped, because no signal delivery happens while it is—not even
1072 SIGSTOP.
1073 If the tracer dies, all tracees are automatically detached and
1075 restarted, unless they were in group-stop. Handling of restart from
1076 group-stop is currently buggy, but the "as planned" behavior is to
1077 leave tracee stopped and waiting for SIGCONT. If the tracee is
1078 restarted from signal-delivery-stop, the pending signal is injected.
1079 execve(2) under ptrace
1081 When one thread in a multithreaded process calls execve(2), the kernel
1082 destroys all other threads in the process, and resets the thread ID of
1083 the execing thread to the thread group ID (process ID). (Or, to put
1084 things another way, when a multithreaded process does an execve(2), at
1085 completion of the call, it appears as though the execve(2) occurred in
1086 the thread group leader, regardless of which thread did the execve(2).)
1087 This resetting of the thread ID looks very confusing to tracers:
1088 * All other threads stop in PTRACE_EVENT_EXIT stop, if the
1090 PTRACE_O_TRACEEXIT option was turned on. Then all other threads
1091 except the thread group leader report death as if they exited via
1092 _exit(2) with exit code 0.
1093 * The execing tracee changes its thread ID while it is in the
1095 execve(2). (Remember, under ptrace, the "pid" returned from wait‐
1096 pid(2), or fed into ptrace calls, is the tracee's thread ID.) That
1097 is, the tracee's thread ID is reset to be the same as its process
1098 ID, which is the same as the thread group leader's thread ID.
1099 * Then a PTRACE_EVENT_EXEC stop happens, if the PTRACE_O_TRACEEXEC
1101 option was turned on.
1102 * If the thread group leader has reported its PTRACE_EVENT_EXIT stop
1104 by this time, it appears to the tracer that the dead thread leader
1105 "reappears from nowhere". (Note: the thread group leader does not
1106 report death via WIFEXITED(status) until there is at least one other
1107 live thread. This eliminates the possibility that the tracer will
1108 see it dying and then reappearing.) If the thread group leader was
1109 still alive, for the tracer this may look as if thread group leader
1110 returns from a different system call than it entered, or even
1111 "returned from a system call even though it was not in any system
1112 call". If the thread group leader was not traced (or was traced by
1113 a different tracer), then during execve(2) it will appear as if it
1114 has become a tracee of the tracer of the execing tracee.
1115 All of the above effects are the artifacts of the thread ID change in
1117 the tracee.
1118 The PTRACE_O_TRACEEXEC option is the recommended tool for dealing with
1120 this situation. First, it enables PTRACE_EVENT_EXEC stop, which occurs
1121 before execve(2) returns. In this stop, the tracer can use
1122 PTRACE_GETEVENTMSG to retrieve the tracee's former thread ID. (This
1123 feature was introduced in Linux 3.0.) Second, the PTRACE_O_TRACEEXEC
1124 option disables legacy SIGTRAP generation on execve(2).
1125 When the tracer receives PTRACE_EVENT_EXEC stop notification, it is
1127 guaranteed that except this tracee and the thread group leader, no
1128 other threads from the process are alive.
1129 On receiving the PTRACE_EVENT_EXEC stop notification, the tracer should
1131 clean up all its internal data structures describing the threads of
1132 this process, and retain only one data structure—one which describes
1133 the single still running tracee, with
1134 thread ID == thread group ID == process ID.
1136 Example: two threads call execve(2) at the same time:
1138 *** we get syscall-enter-stop in thread 1: **
1140 PID1 execve("/bin/foo", "foo" <unfinished ...>
1141 *** we issue PTRACE_SYSCALL for thread 1 **
1142 *** we get syscall-enter-stop in thread 2: **
1143 PID2 execve("/bin/bar", "bar" <unfinished ...>
1144 *** we issue PTRACE_SYSCALL for thread 2 **
1145 *** we get PTRACE_EVENT_EXEC for PID0, we issue PTRACE_SYSCALL **
1146 *** we get syscall-exit-stop for PID0: **
1147 PID0 <... execve resumed> ) = 0
1148 If the PTRACE_O_TRACEEXEC option is not in effect for the execing
1150 tracee, and if the tracee was PTRACE_ATTACHed rather that
1151 PTRACE_SEIZEd, the kernel delivers an extra SIGTRAP to the tracee after
1152 execve(2) returns. This is an ordinary signal (similar to one which
1153 can be generated by kill -TRAP), not a special kind of ptrace-stop.
1154 Employing PTRACE_GETSIGINFO for this signal returns si_code set to 0
1155 (SI_USER). This signal may be blocked by signal mask, and thus may be
1156 delivered (much) later.
1157 Usually, the tracer (for example, strace(1)) would not want to show
1159 this extra post-execve SIGTRAP signal to the user, and would suppress
1160 its delivery to the tracee (if SIGTRAP is set to SIG_DFL, it is a
1161 killing signal). However, determining which SIGTRAP to suppress is not
1162 easy. Setting the PTRACE_O_TRACEEXEC option or using PTRACE_SEIZE and
1163 thus suppressing this extra SIGTRAP is the recommended approach.
1164 Real parent
1166 The ptrace API (ab)uses the standard UNIX parent/child signaling over
1167 waitpid(2). This used to cause the real parent of the process to stop
1168 receiving several kinds of waitpid(2) notifications when the child
1169 process is traced by some other process.
1170 Many of these bugs have been fixed, but as of Linux 2.6.38 several
1172 still exist; see BUGS below.
1173 As of Linux 2.6.38, the following is believed to work correctly:
1175 * exit/death by signal is reported first to the tracer, then, when the
1177 tracer consumes the waitpid(2) result, to the real parent (to the
1178 real parent only when the whole multithreaded process exits). If
1179 the tracer and the real parent are the same process, the report is
1180 sent only once.
1181
1183 On success, the PTRACE_PEEK* requests return the requested data (but
1184 see NOTES), the PTRACE_SECCOMP_GET_FILTER request returns the number of
1185 instructions in the BPF program, and other requests return zero.
1186 On error, all requests return -1, and errno is set appropriately.
1188 Since the value returned by a successful PTRACE_PEEK* request may be
1189 -1, the caller must clear errno before the call, and then check it
1190 afterward to determine whether or not an error occurred.
1191
1193 EBUSY (i386 only) There was an error with allocating or freeing a
1194 debug register.
1195 EFAULT There was an attempt to read from or write to an invalid area in
1197 the tracer's or the tracee's memory, probably because the area
1198 wasn't mapped or accessible. Unfortunately, under Linux, dif‐
1199 ferent variations of this fault will return EIO or EFAULT more
1200 or less arbitrarily.
1201 EINVAL An attempt was made to set an invalid option.
1203 EIO request is invalid, or an attempt was made to read from or write
1205 to an invalid area in the tracer's or the tracee's memory, or
1206 there was a word-alignment violation, or an invalid signal was
1207 specified during a restart request.
1208 EPERM The specified process cannot be traced. This could be because
1210 the tracer has insufficient privileges (the required capability
1211 is CAP_SYS_PTRACE); unprivileged processes cannot trace pro‐
1212 cesses that they cannot send signals to or those running set-
1213 user-ID/set-group-ID programs, for obvious reasons. Alterna‐
1214 tively, the process may already be being traced, or (on kernels
1215 before 2.6.26) be init(1) (PID 1).
1216 ESRCH The specified process does not exist, or is not currently being
1218 traced by the caller, or is not stopped (for requests that
1219 require a stopped tracee).
1220
1222 SVr4, 4.3BSD.
1223
1225 Although arguments to ptrace() are interpreted according to the proto‐
1226 type given, glibc currently declares ptrace() as a variadic function
1227 with only the request argument fixed. It is recommended to always sup‐
1228 ply four arguments, even if the requested operation does not use them,
1229 setting unused/ignored arguments to 0L or (void *) 0.
1230 In Linux kernels before 2.6.26, init(1), the process with PID 1, may
1232 not be traced.
1233 A tracees parent continues to be the tracer even if that tracer calls
1235 execve(2).
1236 The layout of the contents of memory and the USER area are quite oper‐
1238 ating-system- and architecture-specific. The offset supplied, and the
1239 data returned, might not entirely match with the definition of struct
1240 user.
1241 The size of a "word" is determined by the operating-system variant
1243 (e.g., for 32-bit Linux it is 32 bits).
1244 This page documents the way the ptrace() call works currently in Linux.
1246 Its behavior differs significantly on other flavors of UNIX. In any
1247 case, use of ptrace() is highly specific to the operating system and
1248 architecture.
1249 Ptrace access mode checking
1251 Various parts of the kernel-user-space API (not just ptrace() opera‐
1252 tions), require so-called "ptrace access mode" checks, whose outcome
1253 determines whether an operation is permitted (or, in a few cases,
1254 causes a "read" operation to return sanitized data). These checks are
1255 performed in cases where one process can inspect sensitive information
1256 about, or in some cases modify the state of, another process. The
1257 checks are based on factors such as the credentials and capabilities of
1258 the two processes, whether or not the "target" process is dumpable, and
1259 the results of checks performed by any enabled Linux Security Module
1260 (LSM)—for example, SELinux, Yama, or Smack—and by the commoncap LSM
1261 (which is always invoked).
1262 Prior to Linux 2.6.27, all access checks were of a single type. Since
1264 Linux 2.6.27, two access mode levels are distinguished:
1265 PTRACE_MODE_READ
1267 For "read" operations or other operations that are less danger‐
1268 ous, such as: get_robust_list(2); kcmp(2); reading
1269 /proc/[pid]/auxv, /proc/[pid]/environ, or /proc/[pid]/stat; or
1270 readlink(2) of a /proc/[pid]/ns/* file.
1271 PTRACE_MODE_ATTACH
1273 For "write" operations, or other operations that are more dan‐
1274 gerous, such as: ptrace attaching (PTRACE_ATTACH) to another
1275 process or calling process_vm_writev(2). (PTRACE_MODE_ATTACH
1276 was effectively the default before Linux 2.6.27.)
1277 Since Linux 4.5, the above access mode checks are combined (ORed) with
1279 one of the following modifiers:
1280 PTRACE_MODE_FSCREDS
1282 Use the caller's filesystem UID and GID (see credentials(7)) or
1283 effective capabilities for LSM checks.
1284 PTRACE_MODE_REALCREDS
1286 Use the caller's real UID and GID or permitted capabilities for
1287 LSM checks. This was effectively the default before Linux 4.5.
1288 Because combining one of the credential modifiers with one of the
1290 aforementioned access modes is typical, some macros are defined in the
1291 kernel sources for the combinations:
1292 PTRACE_MODE_READ_FSCREDS
1294 Defined as PTRACE_MODE_READ | PTRACE_MODE_FSCREDS.
1295 PTRACE_MODE_READ_REALCREDS
1297 Defined as PTRACE_MODE_READ | PTRACE_MODE_REALCREDS.
1298 PTRACE_MODE_ATTACH_FSCREDS
1300 Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS.
1301 PTRACE_MODE_ATTACH_REALCREDS
1303 Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS.
1304 One further modifier can be ORed with the access mode:
1306 PTRACE_MODE_NOAUDIT (since Linux 3.3)
1308 Don't audit this access mode check. This modifier is employed
1309 for ptrace access mode checks (such as checks when reading
1310 /proc/[pid]/stat) that merely cause the output to be filtered or
1311 sanitized, rather than causing an error to be returned to the
1312 caller. In these cases, accessing the file is not a security
1313 violation and there is no reason to generate a security audit
1314 record. This modifier suppresses the generation of such an
1315 audit record for the particular access check.
1316 Note that all of the PTRACE_MODE_* constants described in this subsec‐
1318 tion are kernel-internal, and not visible to user space. The constant
1319 names are mentioned here in order to label the various kinds of ptrace
1320 access mode checks that are performed for various system calls and
1321 accesses to various pseudofiles (e.g., under /proc). These names are
1322 used in other manual pages to provide a simple shorthand for labeling
1323 the different kernel checks.
1324 The algorithm employed for ptrace access mode checking determines
1326 whether the calling process is allowed to perform the corresponding
1327 action on the target process. (In the case of opening /proc/[pid]
1328 files, the "calling process" is the one opening the file, and the
1329 process with the corresponding PID is the "target process".) The algo‐
1330 rithm is as follows:
1331 1. If the calling thread and the target thread are in the same thread
1333 group, access is always allowed.
1334 2. If the access mode specifies PTRACE_MODE_FSCREDS, then, for the
1336 check in the next step, employ the caller's filesystem UID and GID.
1337 (As noted in credentials(7), the filesystem UID and GID almost
1338 always have the same values as the corresponding effective IDs.)
1339 Otherwise, the access mode specifies PTRACE_MODE_REALCREDS, so use
1341 the caller's real UID and GID for the checks in the next step.
1342 (Most APIs that check the caller's UID and GID use the effective
1343 IDs. For historical reasons, the PTRACE_MODE_REALCREDS check uses
1344 the real IDs instead.)
1345 3. Deny access if neither of the following is true:
1347 · The real, effective, and saved-set user IDs of the target match
1349 the caller's user ID, and the real, effective, and saved-set group
1350 IDs of the target match the caller's group ID.
1351 · The caller has the CAP_SYS_PTRACE capability in the user namespace
1353 of the target.
1354 4. Deny access if the target process "dumpable" attribute has a value
1356 other than 1 (SUID_DUMP_USER; see the discussion of PR_SET_DUMPABLE
1357 in prctl(2)), and the caller does not have the CAP_SYS_PTRACE capa‐
1358 bility in the user namespace of the target process.
1359 5. The kernel LSM security_ptrace_access_check() interface is invoked
1361 to see if ptrace access is permitted. The results depend on the
1362 LSM(s). The implementation of this interface in the commoncap LSM
1363 performs the following steps:
1364 a) If the access mode includes PTRACE_MODE_FSCREDS, then use the
1366 caller's effective capability set in the following check; other‐
1367 wise (the access mode specifies PTRACE_MODE_REALCREDS, so) use
1368 the caller's permitted capability set.
1369 b) Deny access if neither of the following is true:
1371 · The caller and the target process are in the same user names‐
1373 pace, and the caller's capabilities are a superset of the tar‐
1374 get process's permitted capabilities.
1375 · The caller has the CAP_SYS_PTRACE capability in the target
1377 process's user namespace.
1378 Note that the commoncap LSM does not distinguish between
1380 PTRACE_MODE_READ and PTRACE_MODE_ATTACH.
1381 6. If access has not been denied by any of the preceding steps, then
1383 access is allowed.
1384 /proc/sys/kernel/yama/ptrace_scope
1386 On systems with the Yama Linux Security Module (LSM) installed (i.e.,
1387 the kernel was configured with CONFIG_SECURITY_YAMA), the
1388 /proc/sys/kernel/yama/ptrace_scope file (available since Linux 3.4) can
1389 be used to restrict the ability to trace a process with ptrace() (and
1390 thus also the ability to use tools such as strace(1) and gdb(1)). The
1391 goal of such restrictions is to prevent attack escalation whereby a
1392 compromised process can ptrace-attach to other sensitive processes
1393 (e.g., a GPG agent or an SSH session) owned by the user in order to
1394 gain additional credentials that may exist in memory and thus expand
1395 the scope of the attack.
1396 More precisely, the Yama LSM limits two types of operations:
1398 * Any operation that performs a ptrace access mode PTRACE_MODE_ATTACH
1400 check—for example, ptrace() PTRACE_ATTACH. (See the "Ptrace access
1401 mode checking" discussion above.)
1402 * ptrace() PTRACE_TRACEME.
1404 A process that has the CAP_SYS_PTRACE capability can update the
1406 /proc/sys/kernel/yama/ptrace_scope file with one of the following val‐
1407 ues:
1408 0 ("classic ptrace permissions")
1410 No additional restrictions on operations that perform
1411 PTRACE_MODE_ATTACH checks (beyond those imposed by the commoncap
1412 and other LSMs).
1413 The use of PTRACE_TRACEME is unchanged.
1415 1 ("restricted ptrace") [default value]
1417 When performing an operation that requires a PTRACE_MODE_ATTACH
1418 check, the calling process must either have the CAP_SYS_PTRACE
1419 capability in the user namespace of the target process or it
1420 must have a predefined relationship with the target process. By
1421 default, the predefined relationship is that the target process
1422 must be a descendant of the caller.
1423 A target process can employ the prctl(2) PR_SET_PTRACER opera‐
1425 tion to declare an additional PID that is allowed to perform
1426 PTRACE_MODE_ATTACH operations on the target. See the kernel
1427 source file Documentation/admin-guide/LSM/Yama.rst (or Documen‐
1428 tation/security/Yama.txt before Linux 4.13) for further details.
1429 The use of PTRACE_TRACEME is unchanged.
1431 2 ("admin-only attach")
1433 Only processes with the CAP_SYS_PTRACE capability in the user
1434 namespace of the target process may perform PTRACE_MODE_ATTACH
1435 operations or trace children that employ PTRACE_TRACEME.
1436 3 ("no attach")
1438 No process may perform PTRACE_MODE_ATTACH operations or trace
1439 children that employ PTRACE_TRACEME.
1440 Once this value has been written to the file, it cannot be
1442 changed.
1443 With respect to values 1 and 2, note that creating a new user namespace
1445 effectively removes the protection offered by Yama. This is because a
1446 process in the parent user namespace whose effective UID matches the
1447 UID of the creator of a child namespace has all capabilities (including
1448 CAP_SYS_PTRACE) when performing operations within the child user names‐
1449 pace (and further-removed descendants of that namespace). Conse‐
1450 quently, when a process tries to use user namespaces to sandbox itself,
1451 it inadvertently weakens the protections offered by the Yama LSM.
1452 C library/kernel differences
1454 At the system call level, the PTRACE_PEEKTEXT, PTRACE_PEEKDATA, and
1455 PTRACE_PEEKUSER requests have a different API: they store the result at
1456 the address specified by the data parameter, and the return value is
1457 the error flag. The glibc wrapper function provides the API given in
1458 DESCRIPTION above, with the result being returned via the function
1459 return value.
1460
1462 On hosts with 2.6 kernel headers, PTRACE_SETOPTIONS is declared with a
1463 different value than the one for 2.4. This leads to applications com‐
1464 piled with 2.6 kernel headers failing when run on 2.4 kernels. This
1465 can be worked around by redefining PTRACE_SETOPTIONS to PTRACE_OLDSE‐
1466 TOPTIONS, if that is defined.
1467 Group-stop notifications are sent to the tracer, but not to real par‐
1469 ent. Last confirmed on 2.6.38.6.
1470 If a thread group leader is traced and exits by calling _exit(2), a
1472 PTRACE_EVENT_EXIT stop will happen for it (if requested), but the sub‐
1473 sequent WIFEXITED notification will not be delivered until all other
1474 threads exit. As explained above, if one of other threads calls
1475 execve(2), the death of the thread group leader will never be reported.
1476 If the execed thread is not traced by this tracer, the tracer will
1477 never know that execve(2) happened. One possible workaround is to
1478 PTRACE_DETACH the thread group leader instead of restarting it in this
1479 case. Last confirmed on 2.6.38.6.
1480 A SIGKILL signal may still cause a PTRACE_EVENT_EXIT stop before actual
1482 signal death. This may be changed in the future; SIGKILL is meant to
1483 always immediately kill tasks even under ptrace. Last confirmed on
1484 Linux 3.13.
1485 Some system calls return with EINTR if a signal was sent to a tracee,
1487 but delivery was suppressed by the tracer. (This is very typical oper‐
1488 ation: it is usually done by debuggers on every attach, in order to not
1489 introduce a bogus SIGSTOP). As of Linux 3.2.9, the following system
1490 calls are affected (this list is likely incomplete): epoll_wait(2), and
1491 read(2) from an inotify(7) file descriptor. The usual symptom of this
1492 bug is that when you attach to a quiescent process with the command
1493 strace -p <process-ID>
1495 then, instead of the usual and expected one-line output such as
1497 restart_syscall(<... resuming interrupted call ...>_
1499 or
1501 select(6, [5], NULL, [5], NULL_
1503 ('_' denotes the cursor position), you observe more than one line. For
1505 example:
1506 clock_gettime(CLOCK_MONOTONIC, {15370, 690928118}) = 0
1508 epoll_wait(4,_
1509 What is not visible here is that the process was blocked in
1511 epoll_wait(2) before strace(1) has attached to it. Attaching caused
1512 epoll_wait(2) to return to user space with the error EINTR. In this
1513 particular case, the program reacted to EINTR by checking the current
1514 time, and then executing epoll_wait(2) again. (Programs which do not
1515 expect such "stray" EINTR errors may behave in an unintended way upon
1516 an strace(1) attach.)
1517 Contrary to the normal rules, the glibc wrapper for ptrace() can set
1519 errno to zero.
1520
1522 gdb(1), ltrace(1), strace(1), clone(2), execve(2), fork(2), gettid(2),
1523 prctl(2), seccomp(2), sigaction(2), tgkill(2), vfork(2), waitpid(2),
1524 exec(3), capabilities(7), signal(7)
1525
1527 This page is part of release 5.07 of the Linux man-pages project. A
1528 description of the project, information about reporting bugs, and the
1529 latest version of this page, can be found at
1530 https://www.kernel.org/doc/man-pages/.
1531Linux 2020-06-09 PTRACE(2)