ptrace support for BSDs

[xd009642]

This PR adds support to the ptrace API for BSDs to close #947. It also adds a read and write method for reading and writing to a traced processes memory. The ptrace API created for linux offers this via a deprecated function so I added this so they can be feature equivalent without replicating a deprecated part of the API.

Due to the differences in ptrace on BSD and linux I've made a ptrace module to keep things readable.

Still to do - revert travis config to remove my feature branch and update the changelog.

[asomers]

Good start so far. You should also try enabling the tests in test/sys/test_ptrace.rs.

[asomers]

This line shouldn't be necessary. Travis automatically builds PRs. This line is only necessary if you want nix-rust/nix to have a branch named "issue-947".

[asomers]

Please line wrap to 80 cols.

[asomers]

Why not enabled for these OSes? They both define PT_STEP.

[xd009642]

Do they really? I was going off https://github.com/openbsd/src/blob/master/sys/sys/ptrace.h and https://github.com/IIJ-NetBSD/netbsd-src/blob/master/sys/sys/ptrace.h#L38

[asomers]

They must be in a different header then. I'm looking at https://man.openbsd.org/ptrace and http://netbsd.gw.com/cgi-bin/man-cgi?ptrace++NetBSD-current

[krytarowski]

NetBSD supports PT_STEP in CPU specific headers, not all CPUs support it.

[asomers]

You shouldn't define this function. It's better to make programs fail at compile time than at runtime. Also, the capitalization is wrong.

[asomers]

This change shouldn't be necessary, since the file is not included on OSX.

[xd009642]

Well that didn't quite go as expected. I'm unsure what setup the buildbot instances are (guessing freebsd though) and the apple ptrace calls just seem to be returning ENOTSUP As that's returned if you use things like PT_DENY_ATTACH in apple I'm thinking maybe it's blocking ptrace calls for security reasons. Though that is just a guess.

[asomers]

The compile failure is because src/sys/mod.rs needs a change, too.

[asomers]

This #[cfg()] statement is too broad. Nix runs on many platforms. You should opt-in, not opt-out.

[xd009642]

Okay well I've just opened a libc PR that adds PT_STEP for the relevant archs. So once that's merged I'll update accordingly.

Any idea about the ENOTSUP for the apple ptrace tests? Might be a qemu based issue? I noticed that in the test comments it says it returns ENOSYS when it can't ptrace, might it do ENOTSUP on apple?

[krytarowski]

"libc PR that adds PT_STEP" where?

[xd009642]

In libc rust-lang/libc#1091 (comment) none of the ptrace requests were available in BSDs so I did a PR, did another one to add the arch specific requests today 😄

Edit: Just realised you're more of a BSD person not a rust person! libc is a rust library we use to reexport libc functions and constants etc.

[asomers]

Okay well I've just opened a libc PR that adds PT_STEP for the relevant archs. So once that's merged I'll update accordingly.

Any idea about the ENOTSUP for the apple ptrace tests? Might be a qemu based issue? I noticed that in the test comments it says it returns ENOSYS when it can't ptrace, might it do ENOTSUP on apple?

I don't know. Have you tried it on real Apple hardware? I don't have any.

[xd009642]

I don't have any either, I'm trying to add OSX support for one of my projects for a user that asked for it. I'll ask them if they can run it

[xd009642]

Well it doesn't seem to work on an actual apple pc as well. I think it might need additional fiddling via functions that aren't in libc but are in https://github.com/fitzgen/mach/

In the interest of moving this along I could remove apple support from bsd, fix the buildbot errors then work on apple support as an additional PR? Or try and do it all in this one.

How would you feel about adding a dependency on https://github.com/fitzgen/mach/ for apple users?

[xd009642]

I might be onto something, I've got test_ptrace_cont passing on apple! So I'm going to assume there's now no need for mach as a crate

[xd009642]

Okay I might be all good now!

One potential issue with the tests I noticed there was a spurious test_wait failure, this might be caused by test_wait and test_ptrace_cont being ran at the same time by rustc-test if waitpid will respond to any signal from the same PGID on the system in question. I've had similar issues in my own project when trying to test things that use wait or ptrace.

Either way I'll check back tomorrow and see what travis/buildbot says

[asomers]

Tsk Tsk. You should always compile and test before pushing to Travis. Travis shouldn't be finding your unclosed delimiters for you.

[xd009642]

I know, it's this apple stuff has made me sloppy. I realised doing stuff in the bsd mode that cargo check and build didn't flag up syntax errors at all.

If I make a habit of OSX based PRs I'll try to figure out how to cross compile for OSX

[xd009642]

So I know I can't just change wait to waitpid in test_wait, but I just wanted to prove my theory on the last failure was corrected. With the design of test_wait you're vulnerable to stealing test_ptrace_cont signals if cargo test is ran with multiple threads.

As a result I've made test-threads=1 I know this will slow down CI runs, so there's also an alternative to make test_wait ignored then run it on it's own in a separate call to cargo test than the others.

While that did sort the apple issue for that one run TEST_THREADS was already 1 in the cargo cfg. So that might just be down to the fact the multiple processes essentially make this is a threading probably. I've added an extra ptrace::cont which isn't checked after the check for the kill just because some systems may need a continue to transition from raising the SIGKILL signal to actually exiting (I'll also try detach if that doesn't work).

[asomers]

test_ptrace_cont should grab the FORK_MTX, just like other tests that fork. That will fix your conflict with test_wait.

[asomers]

Make sure to revert this whitespace change.

[asomers]

Why are you allowing EINVAL?

[xd009642]

https://www.freebsd.org/cgi/man.cgi?query=ptrace the BSDs seem to use EINVAL for attempting to attach to yourself. I don't know if all BSDs do that or if some mimic linux and do EPERM so I just had it as that for now. I can investigate and make it more specific though

[krytarowski]

NetBSD returns EINVAL

[xd009642]

@asomers FORK_MTX appears to have had no effect which seems super odd to me 😕

[krytarowski]

If you find anything wrong with NetBSD and ptrace(2), please let me know!

[krytarowski]

BTW. you might find it useful http://netbsd.org/~kamil/ptrace-netbsd/presentation.html a little bit dated, but quite good starter.

[asomers]

The compile failure on NetBSD is purely a problem in your PR. You have an unused use statement on line 7. Delete that and it should compile. The runtime failure on OSX is more interesting. It looks like the test_ptrace_const test is leaving behind a zombie process on OSX, even though it doesn't on Linux or FreeBSD. It would be interesting to run the test on OSX with this patch, and see if there is any zombie in the output. You'll have to run it with --nocapture, of course.

diff --git a/test/sys/test_ptrace.rs b/test/sys/test_ptrace.rs
index 68d7922a..73966b30 100644
--- a/test/sys/test_ptrace.rs
+++ b/test/sys/test_ptrace.rs
@@ -96,6 +96,9 @@ fn test_ptrace_cont() {
                 }
                 _ => panic!("The process should have been killed"),
             }
+            use std::process;
+            let output = process::Command::new("ps").arg("-axwwd").output().unwrap();
+            println!("{}", String::from_utf8_lossy(&output.stdout));
         },
     }
 }

[asomers]

ps -axwwd is evidently not the right command to list parent-child relationships in OSX. But nonetheless the theory is correct. The (test-4342e99f348) process looks like the child being traced. So fixing the test requires figuring out what combination of ptrace(2), kill(2), and/or wait(2) will reap that child process.

[xd009642]

Great, I figured as much.

I'll try things that come to mind as potential fixes, (like currently ptrace::detach) and also in parallel try to find some documentation or blogs that shed light on the differences between apple and the rest of the world

[xd009642]

I've seemingly cracked it, this part of the linux man page for ptrace helped me realise what may be happening:

PTRACE_KILL
      Send  the  tracee a SIGKILL to terminate it.  (addr and data are
      ignored.)

      This operation is deprecated; do not use it!   Instead,  send  a
      SIGKILL  directly  using kill(2) or tgkill(2).  The problem with
      PTRACE_KILL is that it requires the  tracee  to  be  in  signal-
      delivery-stop,  otherwise  it  may  not work (i.e., may complete
      successfully but won't kill the tracee).  By contrast, sending a
      SIGKILL directly has no such limitation.

And then in the apple man page for ptrace

PT_KILL       The traced process terminates, as if PT_CONTINUE had been
              used with SIGKILL given as the signal to be delivered.

I know they're different OSes but if PT_KILL in apple is subject to the same potential pitfalls of linux that would explain the issues we've observed. Therefore after waitpid catches the kill we sent, just in case it's a false positive kill I send a direct kill to the tracee.

I've also added a comment to document this behaviour in the test to explain the rationale for future maintainers.

[asomers]

I've seemingly cracked it, this part of the linux man page for ptrace helped me realise what may be happening:

PTRACE_KILL
      Send  the  tracee a SIGKILL to terminate it.  (addr and data are
      ignored.)

      This operation is deprecated; do not use it!   Instead,  send  a
      SIGKILL  directly  using kill(2) or tgkill(2).  The problem with
      PTRACE_KILL is that it requires the  tracee  to  be  in  signal-
      delivery-stop,  otherwise  it  may  not work (i.e., may complete
      successfully but won't kill the tracee).  By contrast, sending a
      SIGKILL directly has no such limitation.

And then in the apple man page for ptrace

PT_KILL       The traced process terminates, as if PT_CONTINUE had been
              used with SIGKILL given as the signal to be delivered.

I know they're different OSes but if PT_KILL in apple is subject to the same potential pitfalls of linux that would explain the issues we've observed. Therefore after waitpid catches the kill we sent, just in case it's a false positive kill I send a direct kill to the tracee.

I've also added a comment to document this behaviour in the test to explain the rationale for future maintainers.

The Linux manpage surely doesn't apply. ptrace(2) is very different in Linux than in the BSDs. OSX takes after the BSDs, but adds its own differences to ptrace(2) due to Mach. I'm not saying that your solution is wrong, but I don't accept the rationale.

[krytarowski]

No idea about Darwin, but while PT_KILL is broken on Linux, it's perfectly fine on BSDs (at least NetBSD).

[xd009642]

It might be tenuous but it is the only source that could explain this strange apple behaviour. I'm now going to see if PT_KILL works on apple different to PT_CONTINUE + SIGKILL.

I've also gone over all the signal and tracing stuff in http://newosxbook.com/MOXiI.pdf and can find no justification. Apart from the fact ptrace is crippled on apple for security/obfuscation reasons, there are undocumented parts and it's generally a pain as a result.

[xd009642]

Thinking of the kill, does it actually effect what the test is attempting to show. test_ptrace_cont wants to show that PT_CONTINUE works and also that you can use it to forward signals onto the tracee. This behaviour is still shown with the additional kill call in as we check the kill signal was received when sent via ptrace.

[xd009642]

@asomers any thoughts/issues RE my last comment?

[asomers]

I think I understand what you're saying: the extra trouble you go through to kill the process is irrelevant for the test coverage we're trying to achieve. I'm inclined to accept it. @Susurrus do you have any comments before we merge? @xd009642 you'll also need to rebase and squash.

[xd009642]

Yeah that's exactly the point I was making 😄 also rebased and squashed!

[xd009642]

So I've just had to rebase this onto master again because of another changelog change, @Susurrus any comments before merging?

[Susurrus]

A few minor nits. I would prefer to see the kill, read, write additions to linux done first as a separate commit from adding all the BSD support, but I won't hold up merging this just for that change.

[Susurrus]

These should be in alphabetical order.

[Susurrus]

This still isn't alphabetical.

[xd009642]

Fixed, squashed and pushed. Sorry about that!

[Susurrus]

Alphabetical order here as well.

[Susurrus]

Alphabetical order

[Susurrus]

Alphabetical order here too.

[Susurrus]

Alphabetical order

[Susurrus]

Please put a blank comment line above this one. Otherwise this line looks weird in the generated docs. I know this was carried over from the Linux one, but we should fix it here anyways (feel free to fix it there if you'd like too).

[xd009642]

Fix it as in a blank line above each function? I'm not sure which bit looks weird in the generated docs. Is it the function summary? https://docs.rs/nix/0.11.0/nix/sys/ptrace/index.html

[Susurrus]

Just these 3 things, then let's squash and merge!

[Susurrus]

Sorry I wasn't clear, can you put this blank comment line between the two existing comment lines on 326 and 327? A blank line separates a brief summary line from a further longer description. Otherwise this shows as one really long line on the main ptrace doc page.

[xd009642]

@Susurrus I think we're all good to go now 👍

[Susurrus]

bors r+

[bors]

Build succeeded

• continuous-integration/travis-ci/push
• buildbot/nix-rust/nix amd64_fbsd11
• buildbot/nix-rust/nix i386_fbsd11