I thought I was very close to finishing up an application that uses
the audit system to perform a task formally done by a modified version
of strace. Alas, one of the programs I had working last October no
longer works.
The broken program uses ptrace to add an audit rule for each child
process forked by the traced application. It adds the rule before the
child runs by handling a SIGTRAP generated as a result of tracing the
original child with the PTRACE_O_TRACEFORK option.
I tried to follow to the changes to kernel/ptrace.c via linuxhq, but I
got little from that exercise. I ended up submitting a bug report
here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246330
If there is something else I should be doing, please advise.
I notice there are two other ptrace related bugs reported for Fedora
7. Both have been assigned to Roland McGrath, a primary maintainer of
strace. I bet he gets assigned this bug report too. Roland doesn't
like the changes I make to strace that allows it to display the
security contexts associated with traced objects, so he'll remember
me.
One final question. Has there been any other efforts aimed at
allowing the audit system to follow forks of traced processes?
Alternatives to my ptrace solution would be greatly appreciated at
this time.
John