clone: print read-only arguments on entering syscall
authorDmitry V. Levin <ldv@altlinux.org>
Thu, 20 Jun 2019 09:49:27 +0000 (09:49 +0000)
committerDmitry V. Levin <ldv@altlinux.org>
Thu, 20 Jun 2019 09:49:27 +0000 (09:49 +0000)
* clone.c (SYS_FUNC(clone)): Print child_stack, stack_size, and flags
arguments on entering syscall.
* NEWS: Mention this change.

NEWS
clone.c

diff --git a/NEWS b/NEWS
index 08817d72d331cded2a3c59226c72fea32878d565..22a00f8087ccba86ae6122912e6a2f6364e40b0c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ Noteworthy changes in release ?.? (????-??-??)
 ==============================================
 
 * Improvements
+  * Enhanced decoding of clone syscall.
   * Updated lists of AUDIT_*, CLONE_*, ETH_*, KEY_*, KVM_*, TIPC_*,
     and V4L2_* constants.
 
diff --git a/clone.c b/clone.c
index 7d088f20bae12866c6d251ea508c99e874ff8a8a..383b8a7465abe370e30de757de6edb463b99e020 100644 (file)
--- a/clone.c
+++ b/clone.c
@@ -77,9 +77,11 @@ print_tls_arg(struct tcb *const tcp, const kernel_ulong_t addr)
 
 SYS_FUNC(clone)
 {
-       if (exiting(tcp)) {
-               const char *sep = "|";
-               kernel_ulong_t flags = tcp->u_arg[ARG_FLAGS];
+       const kernel_ulong_t flags = tcp->u_arg[ARG_FLAGS] & ~CSIGNAL;
+
+       if (entering(tcp)) {
+               const unsigned int sig = tcp->u_arg[ARG_FLAGS] & CSIGNAL;
+
                tprints("child_stack=");
                printaddr(tcp->u_arg[ARG_STACK]);
                tprints(", ");
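Review bot: The function-level `flags` declared right after the opening brace no longer holds the raw argument: it is `tcp->u_arg[ARG_FLAGS] & ~CSIGNAL`, while `sig` re-reads the same argument with the opposite mask, and nothing in the code says so. A one-line comment above the declaration, such as `/* flags with the exit-signal byte (CSIGNAL) removed; the signal is decoded separately as sig */`, would keep a later reader from testing `flags & CSIGNAL` and silently getting zero. The body of SYS_FUNC(clone) continues past this hunk.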
@@ -89,15 +91,30 @@ SYS_FUNC(clone)
                                tcp->u_arg[ARG_STACKSIZE]);
 #endif
                tprints("flags=");
-               if (!printflags64(clone_flags, flags & ~CSIGNAL, NULL))
+               const char *sep = "|";
+               if (!printflags64(clone_flags, flags, NULL))
                        sep = "";
-               if ((flags & CSIGNAL) != 0) {
+               if (sig != 0) {
                        tprints(sep);
-                       printsignal(flags & CSIGNAL);
+                       printsignal(sig);
                }
+               /*
+                * TODO on syscall entry:
+                * We can clear CLONE_PTRACE here since it is an ancient hack
+                * to allow us to catch children, and we use another hack for that.
+                * But CLONE_PTRACE can conceivably be used by malicious programs
+                * to subvert us. By clearing this bit, we can defend against it:
+                * in untraced execution, CLONE_PTRACE should have no effect.
+                *
+                * We can also clear CLONE_UNTRACED, since it allows to start
+                * children outside of our control. At the moment
+                * I'm trying to figure out whether there is a *legitimate*
+                * use of this flag which we should respect.
+                */
                if ((flags & (CLONE_PARENT_SETTID|CLONE_CHILD_SETTID
                              |CLONE_CHILD_CLEARTID|CLONE_SETTLS)) == 0)
-                       return 0;
+                       return RVAL_DECODED;
+       } else {
                if (flags & CLONE_PARENT_SETTID) {
                        tprints(", parent_tidptr=");
                        printaddr(tcp->u_arg[ARG_PTID]);
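Review bot: The relocated TODO still leaves CLONE_PTRACE and CLONE_UNTRACED uncleared: the entering branch only prints the flags, so the risk the comment itself describes (a traced program starting children outside the tracer's control) remains open after this change. Because this code now runs on syscall entry, it is where a mitigation would go, and the comment should say plainly that nothing is cleared yet, for example `/* TODO: CLONE_PTRACE and CLONE_UNTRACED are decoded but not cleared on entry, so a trace of an untrusted program may miss children. */`. The comment also sits between the signal printing and the `return RVAL_DECODED` check, which splits the decoding logic; placing it above `tprints("flags=")` would read better. The entering branch starts in the previous hunk and the else branch continues beyond this one.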
@@ -111,18 +128,6 @@ SYS_FUNC(clone)
                        printaddr(tcp->u_arg[ARG_CTID]);
                }
        }
-       /* TODO on syscall entry:
-        * We can clear CLONE_PTRACE here since it is an ancient hack
-        * to allow us to catch children, and we use another hack for that.
-        * But CLONE_PTRACE can conceivably be used by malicious programs
-        * to subvert us. By clearing this bit, we can defend against it:
-        * in untraced execution, CLONE_PTRACE should have no effect.
-        *
-        * We can also clear CLONE_UNTRACED, since it allows to start
-        * children outside of our control. At the moment
-        * I'm trying to figure out whether there is a *legitimate*
-        * use of this flag which we should respect.
-        */
        return 0;
 }