-2019-09-26 Sergio Durigan Junior <sergiodj@redhat.com>
- Jan Kratochvil <jan.kratochvil@redhat.com>
- Pedro Alves <palves@redhat.com>
-
- * gdbsupport/gdb-dlfcn.h (gdb_dlopen): Update comment and
- mention that the function throws an error.
- * inf-ptrace.c (default_inf_ptrace_me_fail_reason): New
- function.
- (inf_ptrace_me_fail_reason): New variable.
- (inf_ptrace_me): Update call to 'trace_start_error_with_name'.
- * inf-ptrace.h (inf_ptrace_me_fail_reason): New variable.
- * linux-nat.c (attach_proc_task_lwp_callback): Call
- 'linux_ptrace_attach_fail_reason_lwp'.
- (linux_nat_target::attach): Update call to
- 'linux_ptrace_attach_fail_reason'.
- (_initialize_linux_nat): Set 'inf_ptrace_me_fail_reason'.
- * nat/fork-inferior.c (trace_start_error_with_name): Add
- optional 'append' argument.
- * nat/fork-inferior.h (trace_start_error_with_name): Update
- prototype.
- * nat/linux-ptrace.c: Include "gdbsupport/gdb-dlfcn.h",
- "gdbsupport/filestuff.h" and "nat/fork-inferior.h".
- (selinux_ftype): New typedef.
- (linux_ptrace_restricted_fail_reason): New function.
- (linux_ptrace_attach_fail_reason_1): New function.
- (linux_ptrace_attach_fail_reason): Change first argument type
- from 'ptid_t' to 'pid_t'. Call
- 'linux_ptrace_attach_fail_reason_1' and
- 'linux_ptrace_restricted_fail_reason'.
- (linux_ptrace_attach_fail_reason_lwp): New function.
- (linux_ptrace_me_fail_reason): New function.
- (errno_pipe): New variable.
- (linux_fork_to_function): Initialize pipe before forking.
- (linux_child_function): Deal with errno-passing from child.
- Handle ptrace error.
- (linux_check_child_ptrace_errno): New function.
- (linux_check_child_ptrace_errno): Call
- 'linux_check_child_ptrace_errno'.
- * nat/linux-ptrace.h (linux_ptrace_attach_fail_reason): Update
- prototype.
- (linux_ptrace_attach_fail_reason_lwp): New prototype.
- (linux_ptrace_me_fail_reason): New prototype.
- * remote.c (extended_remote_target::attach): Handle error
- message passed by the server when attach fails.
-
2019-09-26 Christian Biesinger <cbiesinger@google.com>
* blockframe.c (find_pc_partial_function): Change return type to bool.
-2019-09-26 Sergio Durigan Junior <sergiodj@redhat.com>
-
- * gdb.texinfo (Linux kernel ptrace restrictions): New appendix
- section.
-
2019-09-20 Ulrich Weigand <uweigand@de.ibm.com>
* doc/gdb.texinfo (Remote Configuration): Remove documentation for
@value{GDBN}
* Operating System Information:: Getting additional information from
the operating system
-* Linux kernel ptrace restrictions:: Restrictions sometimes
- imposed by the Linux
- kernel on @code{ptrace}
* Trace File Format:: GDB trace file format
* Index Section Format:: .gdb_index section format
* Man Pages:: Manual pages
is running on. Target may provide additional columns,
which @value{GDBN} currently ignores.
-@node Linux kernel ptrace restrictions
-@appendix Linux kernel @code{ptrace} restrictions
-@cindex linux kernel ptrace restrictions, attach
-
-The @code{ptrace} system call is used by @value{GDBN} and
-@code{gdbserver} on GNU/Linux to, among other things, attach to a new
-or existing inferior in order to start debugging it. Due to security
-concerns, some distributions and vendors disable or severely restrict
-the ability to perform these operations, which can make @value{GDBN}
-or @code{gdbserver} malfunction. In this section, we will expand on
-how this malfunction can manifest itself, and how to modify the
-system's settings in order to be able to use @value{GDBN} and
-@code{gdbserver} properly.
-
-@menu
-* The error message:: The error message displayed when the
- system prevents @value{GDBN}
- or @code{gdbserver} from using
- @code{ptrace}
-* SELinux's deny_ptrace:: SELinux and the @code{deny_ptrace} option
-* Yama's ptrace_scope:: Yama and the @code{ptrace_scope} setting
-* Docker and seccomp:: Docker and the @code{seccomp}
- infrastructure
-@end menu
-
-@node The error message
-@appendixsection The error message
-
-When the system prevents @value{GDBN} or @code{gdbserver} from using
-the @code{ptrace} system call, you will likely see a descriptive error
-message explaining what is wrong and how to attempt to fix the
-problem. For example, when SELinux's @code{deny_ptrace} option is
-enabled, you can see:
-
-@smallexample
-$ gdb program
-...
-(@value{GDBP}) run
-Starting program: program
-warning: Could not trace the inferior process.
-Error:
-warning: ptrace: Permission denied
-The SELinux 'deny_ptrace' option is enabled and preventing @value{GDBN}
-from using 'ptrace'. You can disable it by executing (as root):
-
- setsebool deny_ptrace off
-
-If you are debugging the inferior remotely, the instruction(s) above must
-be performed in the target system (e.g., where GDBserver is running).
-During startup program exited with code 127.
-(@value{GDBP})
-@end smallexample
-
-Sometimes, it may not be possible to acquire the necessary data to
-determine the root cause of the failure. In this case, you will see a
-generic error message pointing you to this section:
-
-@smallexample
-$ gdb program
-...
-Starting program: program
-warning: Could not trace the inferior process.
-Error:
-warning: ptrace: Permission denied
-There might be restrictions preventing ptrace from working. Please see
-the appendix "Linux kernel ptrace restrictions" in the GDB documentation
-for more details.
-During startup program exited with code 127.
-(@value{GDBP})
-@end smallexample
-
-@node SELinux's deny_ptrace
-@appendixsection SELinux's @code{deny_ptrace}
-@cindex SELinux
-@cindex deny_ptrace
-
-If you are using SELinux, you might want to check whether the
-@code{deny_ptrace} option is enabled by doing:
-
-@smallexample
-$ getsebool deny_ptrace
-deny_ptrace --> on
-@end smallexample
-
-If the option is enabled, you can disable it by doing, as root:
-
-@smallexample
-# setsebool deny_ptrace off
-@end smallexample
-
-The option will be disabled until the next reboot. If you would like
-to disable it permanently, you can do (as root):
-
-@smallexample
-# setsebool -P deny_ptrace off
-@end smallexample
-
-@node Yama's ptrace_scope
-@appendixsection Yama's @code{ptrace_scope}
-@cindex yama, ptrace_scope
-
-If your system has Yama enabled, you might want to check whether the
-@code{ptrace_scope} setting is enabled by checking the value of
-@file{/proc/sys/kernel/yama/ptrace_scope}:
-
-@smallexample
-$ cat /proc/sys/kernel/yama/ptrace_scope
-0
-@end smallexample
-
-If you see anything other than @code{0}, @value{GDBN} or
-@code{gdbserver} can be affected by it. You can temporarily disable
-the feature by doing, as root:
-
-@smallexample
-# sysctl kernel.yama.ptrace_scope=0
-kernel.yama.ptrace_scope = 0
-@end smallexample
-
-You can make this permanent by doing, as root:
-
-@smallexample
-# sysctl -w kernel.yama.ptrace_scope=0
-kernel.yama.ptrace_scope = 0
-@end smallexample
-
-@node Docker and seccomp
-@appendixsection Docker and @code{seccomp}
-@cindex docker, seccomp
-
-If you are using Docker (@uref{https://www.docker.com/}) containers,
-you will probably have to disable its @code{seccomp} protections in
-order to be able to use @value{GDBN} or @code{gdbserver}. To do that,
-you can use the options @code{--cap-add=SYS_PTRACE --security-opt
-seccomp=unconfined} when invoking Docker:
-
-@smallexample
-$ docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined
-@end smallexample
-
@node Trace File Format
@appendix Trace File Format
@cindex trace file format
-2019-09-26 Sergio Durigan Junior <sergiodj@redhat.com>
- Pedro Alves <palves@redhat.com>
-
- * linux-low.c (linux_ptrace_fun): Call
- 'linux_ptrace_me_fail_reason'.
- (attach_proc_task_lwp_callback): Call
- 'linux_ptrace_attach_fail_reason_lwp'.
- (linux_attach): Call 'linux_ptrace_attach_fail_reason'.
- * server.c (handle_v_attach): Use try..catch when calling
- 'attach_inferior', and send an error message to the client
- when needed.
- * thread-db.c (attach_thread): Call
- 'linux_ptrace_attach_fail_reason_lwp'.
-
2019-09-20 Christian Biesinger <cbiesinger@google.com>
* debug.c (debug_threads): Remove comment in favor of the header.
{
if (ptrace (PTRACE_TRACEME, 0, (PTRACE_TYPE_ARG3) 0,
(PTRACE_TYPE_ARG4) 0) < 0)
- trace_start_error_with_name ("ptrace",
- linux_ptrace_me_fail_reason (errno).c_str ());
+ trace_start_error_with_name ("ptrace");
if (setpgid (0, 0) < 0)
trace_start_error_with_name ("setpgid");
else if (err != 0)
{
std::string reason
- = linux_ptrace_attach_fail_reason_lwp (ptid, err);
+ = linux_ptrace_attach_fail_reason_string (ptid, err);
warning (_("Cannot attach to lwp %d: %s"), lwpid, reason.c_str ());
}
{
remove_process (proc);
- std::string reason = linux_ptrace_attach_fail_reason (pid, err);
- error (_("Cannot attach to process %ld: %s"), pid, reason.c_str ());
+ std::string reason = linux_ptrace_attach_fail_reason_string (ptid, err);
+ error ("Cannot attach to process %ld: %s", pid, reason.c_str ());
}
/* Don't ignore the initial SIGSTOP if we just attached to this
{
client_state &cs = get_client_state ();
int pid;
- int ret;
pid = strtol (own_buf + 8, NULL, 16);
-
- try
- {
- ret = attach_inferior (pid);
- }
- catch (const gdb_exception_error &e)
- {
- snprintf (own_buf, PBUFSIZ, "E.%s", e.what ());
- return 0;
- }
-
- if (pid != 0 && ret == 0)
+ if (pid != 0 && attach_inferior (pid) == 0)
{
/* Don't report shared library events after attaching, even if
some libraries are preloaded. GDB will always poll the
err = linux_attach_lwp (ptid);
if (err != 0)
{
- std::string reason = linux_ptrace_attach_fail_reason_lwp (ptid, err);
+ std::string reason = linux_ptrace_attach_fail_reason_string (ptid, err);
warning ("Could not attach to thread %ld (LWP %d): %s",
(unsigned long) ti_p->ti_tid, ti_p->ti_lid, reason.c_str ());
typedef std::unique_ptr<void, dlclose_deleter> gdb_dlhandle_up;
/* Load the dynamic library file named FILENAME, and return a handle
- for that dynamic library. Throw an error if the loading fails for
- any reason. */
+ for that dynamic library. Return NULL if the loading fails for any
+ reason. */
gdb_dlhandle_up gdb_dlopen (const char *filename);
#endif /* PT_GET_PROCESS_STATE */
\f
-/* Default method for "inf_ptrace_me_fail_reason", which returns an
- empty string. */
-
-static std::string
-default_inf_ptrace_me_fail_reason (int err)
-{
- return {};
-}
-
-/* See inf-ptrace.h. */
-
-std::string (*inf_ptrace_me_fail_reason) (int err)
- = default_inf_ptrace_me_fail_reason;
-
/* Prepare to be traced. */
static void
{
/* "Trace me, Dr. Memory!" */
if (ptrace (PT_TRACE_ME, 0, (PTRACE_TYPE_ARG3) 0, 0) < 0)
- trace_start_error_with_name ("ptrace",
- inf_ptrace_me_fail_reason (errno).c_str ());
+ trace_start_error_with_name ("ptrace");
}
/* Start a new inferior Unix child process. EXEC_FILE is the file to
extern pid_t get_ptrace_pid (ptid_t);
-/* Pointer to "inf_ptrace_me_fail_reason", which implements a function
- that can be called by "inf_ptrace_me" in order to obtain the reason
- for a ptrace failure. ERR is the ERRNO value set by the failing
- ptrace call.
-
- This pointer can be overriden by targets that want to personalize
- the error message printed when ptrace fails (see linux-nat.c, for
- example). */
-extern std::string (*inf_ptrace_me_fail_reason) (int err);
-
#endif
else
{
std::string reason
- = linux_ptrace_attach_fail_reason_lwp (ptid, err);
+ = linux_ptrace_attach_fail_reason_string (ptid, err);
warning (_("Cannot attach to lwp %d: %s"),
lwpid, reason.c_str ());
}
catch (const gdb_exception_error &ex)
{
- int saved_errno = errno;
pid_t pid = parse_pid_to_attach (args);
- std::string reason = linux_ptrace_attach_fail_reason (pid, saved_errno);
+ std::string reason = linux_ptrace_attach_fail_reason (pid);
if (!reason.empty ())
throw_error (ex.error, "warning: %s\n%s", reason.c_str (),
sigemptyset (&blocked_mask);
lwp_lwpid_htab_create ();
-
- /* Set the proper function to generate a message when ptrace
- fails. */
- inf_ptrace_me_fail_reason = linux_ptrace_me_fail_reason;
}
\f
/* See nat/fork-inferior.h. */
void
-trace_start_error_with_name (const char *string, const char *append)
+trace_start_error_with_name (const char *string)
{
- trace_start_error ("%s: %s%s", string, safe_strerror (errno), append);
+ trace_start_error ("%s: %s", string, safe_strerror (errno));
}
ATTRIBUTE_NORETURN ATTRIBUTE_PRINTF (1, 2);
/* Like "trace_start_error", but the error message is constructed by
- combining STRING with the system error message for errno, and
- (optionally) with APPEND. This function does not return. */
-extern void trace_start_error_with_name (const char *string,
- const char *append = "")
+ combining STRING with the system error message for errno. This
+ function does not return. */
+extern void trace_start_error_with_name (const char *string)
ATTRIBUTE_NORETURN;
#endif /* NAT_FORK_INFERIOR_H */
#include "linux-procfs.h"
#include "linux-waitpid.h"
#include "gdbsupport/buffer.h"
-#include "gdbsupport/gdb-dlfcn.h"
-#include "nat/fork-inferior.h"
-#include "gdbsupport/filestuff.h"
#ifdef HAVE_SYS_PROCFS_H
#include <sys/procfs.h>
#endif
of 0 means there are no supported features. */
static int supported_ptrace_options = -1;
-typedef int (*selinux_ftype) (const char *);
+/* Find all possible reasons we could fail to attach PID and return these
+ as a string. An empty string is returned if we didn't find any reason. */
-/* Helper function which checks if ptrace is probably restricted
- (i.e., if ERR is either EACCES or EPERM), and returns a string with
- possible workarounds. */
-
-static std::string
-linux_ptrace_restricted_fail_reason (int err)
-{
- if (err != EACCES && err != EPERM)
- {
- /* It just makes sense to perform the checks below if errno was
- either EACCES or EPERM. */
- return {};
- }
-
- std::string ret;
- gdb_dlhandle_up handle;
-
- try
- {
- handle = gdb_dlopen ("libselinux.so.1");
- }
- catch (const gdb_exception_error &e)
- {
- handle.reset (nullptr);
- }
-
- if (handle != nullptr)
- {
- selinux_ftype selinux_get_bool
- = (selinux_ftype) gdb_dlsym (handle, "security_get_boolean_active");
-
- if (selinux_get_bool != NULL
- && (*selinux_get_bool) ("deny_ptrace") == 1)
- string_appendf (ret,
- _("\n\
-The SELinux 'deny_ptrace' option is enabled and preventing GDB\n\
-from using 'ptrace'. You can disable it by executing (as root):\n\
-\n\
- setsebool deny_ptrace off\n"));
- }
-
- gdb_file_up yama_ptrace_scope
- = gdb_fopen_cloexec ("/proc/sys/kernel/yama/ptrace_scope", "r");
-
- if (yama_ptrace_scope != nullptr)
- {
- char yama_scope = fgetc (yama_ptrace_scope.get ());
-
- if (yama_scope != '0')
- string_appendf (ret,
- _("\n\
-The Linux kernel's Yama ptrace scope is in effect, which can prevent\n\
-GDB from using 'ptrace'. You can disable it by executing (as root):\n\
-\n\
- echo 0 > /proc/sys/kernel/yama/ptrace_scope\n"));
- }
-
- if (ret.empty ())
- {
- /* It wasn't possible to determine the exact reason for the
- ptrace error. Let's just emit a generic error message
- pointing the user to our documentation, where she can find
- instructions on how to try to diagnose the problem. */
- ret = _("\n\
-There might be restrictions preventing ptrace from working. Please see\n\
-the appendix \"Linux kernel ptrace restrictions\" in the GDB documentation\n\
-for more details.");
- }
-
- /* The user may be debugging remotely, so we have to warn that
- the instructions above should be performed in the target. */
- string_appendf (ret,
- _("\n\
-If you are debugging the inferior remotely, the ptrace restriction(s) must\n\
-be disabled in the target system (e.g., where GDBserver is running)."));
-
- return ret;
-}
-
-/* Find all possible reasons we could fail to attach PID and return
- these as a string. An empty string is returned if we didn't find
- any reason. Helper for linux_ptrace_attach_fail_reason and
- linux_ptrace_attach_fail_reason_lwp. */
-
-static std::string
-linux_ptrace_attach_fail_reason_1 (pid_t pid)
+std::string
+linux_ptrace_attach_fail_reason (pid_t pid)
{
pid_t tracerpid = linux_proc_get_tracerpid_nowarn (pid);
std::string result;
/* See linux-ptrace.h. */
std::string
-linux_ptrace_attach_fail_reason (pid_t pid, int err)
-{
- std::string result = linux_ptrace_attach_fail_reason_1 (pid);
- std::string ptrace_restrict = linux_ptrace_restricted_fail_reason (err);
-
- if (!ptrace_restrict.empty ())
- result += "\n" + ptrace_restrict;
-
- return result;
-}
-
-/* See linux-ptrace.h. */
-
-std::string
-linux_ptrace_attach_fail_reason_lwp (ptid_t ptid, int err)
+linux_ptrace_attach_fail_reason_string (ptid_t ptid, int err)
{
long lwpid = ptid.lwp ();
- std::string reason = linux_ptrace_attach_fail_reason_1 (lwpid);
+ std::string reason = linux_ptrace_attach_fail_reason (lwpid);
if (!reason.empty ())
return string_printf ("%s (%d), %s", safe_strerror (err), err,
return string_printf ("%s (%d)", safe_strerror (err), err);
}
-/* See linux-ptrace.h. */
-
-std::string
-linux_ptrace_me_fail_reason (int err)
-{
- return linux_ptrace_restricted_fail_reason (err);
-}
-
#if defined __i386__ || defined __x86_64__
/* Address of the 'ret' instruction in asm code block below. */
#endif /* defined __i386__ || defined __x86_64__ */
}
-/* If the PTRACE_TRACEME call on linux_child_function errors, we need
- to be able to send ERRNO back to the parent so that it can check
- whether there are restrictions in place preventing ptrace from
- working. We do that with a pipe. */
-static int errno_pipe[2];
-
/* Helper function to fork a process and make the child process call
the function FUNCTION, passing CHILD_STACK as parameter.
/* Sanity check the function pointer. */
gdb_assert (function != NULL);
- /* Create the pipe that will be used by the child to pass ERRNO
- after the PTRACE_TRACEME call. */
- if (pipe (errno_pipe) != 0)
- trace_start_error_with_name ("pipe");
-
#if defined(__UCLIBC__) && defined(HAS_NOMMU)
#define STACK_SIZE 4096
static int
linux_child_function (void *child_stack)
{
- /* Close read end. */
- close (errno_pipe[0]);
-
- int ret = ptrace (PTRACE_TRACEME, 0, (PTRACE_TYPE_ARG3) 0,
- (PTRACE_TYPE_ARG4) 0);
- int ptrace_errno = errno;
-
- /* Write ERRNO to the pipe, even if it's zero, and close the writing
- end of the pipe. */
- write (errno_pipe[1], &ptrace_errno, sizeof (ptrace_errno));
- close (errno_pipe[1]);
-
- if (ret != 0)
- _exit (0);
-
+ ptrace (PTRACE_TRACEME, 0, (PTRACE_TYPE_ARG3) 0, (PTRACE_TYPE_ARG4) 0);
kill (getpid (), SIGSTOP);
/* Fork a grandchild. */
static void linux_test_for_tracefork (int child_pid);
static void linux_test_for_exitkill (int child_pid);
-/* Helper function to wait for the child to send us the ptrace ERRNO,
- and check if it's OK. */
-
-static void
-linux_check_child_ptrace_errno ()
-{
- int child_errno;
- fd_set rset;
- struct timeval timeout;
-
- /* Close the writing end of the pipe. */
- close (errno_pipe[1]);
-
- FD_ZERO (&rset);
- FD_SET (errno_pipe[0], &rset);
-
- /* One second should be plenty of time to wait for the child's
- reply. */
- timeout.tv_sec = 1;
- timeout.tv_usec = 0;
-
- int ret = select (errno_pipe[0] + 1, &rset, NULL, NULL, &timeout);
-
- if (ret < 0)
- trace_start_error_with_name ("select");
- else if (ret == 0)
- error (_("Timeout while waiting for child's ptrace errno"));
- else
- read (errno_pipe[0], &child_errno, sizeof (child_errno));
-
- if (child_errno != 0)
- {
- /* The child can't use PTRACE_TRACEME. We just bail out. */
- std::string reason = linux_ptrace_restricted_fail_reason (child_errno);
-
- errno = child_errno;
- trace_start_error_with_name ("ptrace", reason.c_str ());
- }
-
- close (errno_pipe[0]);
-}
-
/* Determine ptrace features available on this target. */
void
reporting. */
child_pid = linux_fork_to_function (NULL, linux_child_function);
- /* Check if the child can successfully use ptrace. */
- linux_check_child_ptrace_errno ();
-
ret = my_waitpid (child_pid, &status, 0);
if (ret == -1)
perror_with_name (("waitpid"));
# define TRAP_HWBKPT 4
#endif
-/* Find all possible reasons we could fail to attach PID and return
- these as a string. An empty string is returned if we didn't find
- any reason. If ERR is EACCES or EPERM, we also add a warning about
- possible restrictions to use ptrace. */
-extern std::string linux_ptrace_attach_fail_reason (pid_t pid, int err);
-
-/* Find all possible reasons we could have failed to attach to PID's
- LWPID and return them as a string. ERR is the error PTRACE_ATTACH
- failed with (an errno). Unlike linux_ptrace_attach_fail_reason,
- this function should be used when attaching to an LWP other than
- the leader; it does not warn about ptrace restrictions. */
-extern std::string linux_ptrace_attach_fail_reason_lwp (ptid_t pid, int err);
-
-/* When the call to 'ptrace (PTRACE_TRACEME...' fails, and we have
- already forked, this function can be called in order to try to
- obtain the reason why ptrace failed. ERR should be the ERRNO value
- returned by ptrace.
-
- This function will return a 'std::string' containing the fail
- reason, or an empty string otherwise. */
-extern std::string linux_ptrace_me_fail_reason (int err);
+extern std::string linux_ptrace_attach_fail_reason (pid_t pid);
+
+/* Find all possible reasons we could have failed to attach to PTID
+ and return them as a string. ERR is the error PTRACE_ATTACH failed
+ with (an errno). */
+extern std::string linux_ptrace_attach_fail_reason_string (ptid_t ptid, int err);
extern void linux_ptrace_init_warnings (void);
extern void linux_check_ptrace_features (void);
case PACKET_UNKNOWN:
error (_("This target does not support attaching to a process"));
default:
- {
- std::string errmsg = rs->buf.data ();
-
- if (!errmsg.empty ())
- {
- /* Get rid of the "E." prefix. */
- errmsg.erase (0, 2);
- }
-
- error (_("Attaching to %s failed%s%s"),
- target_pid_to_str (ptid_t (pid)).c_str (),
- !errmsg.empty () ? "\n" : "",
- errmsg.c_str ());
- }
+ error (_("Attaching to %s failed"),
+ target_pid_to_str (ptid_t (pid)).c_str ());
}
set_current_inferior (remote_add_inferior (false, pid, 1, 0));