use PT_DENY_ATTACH on Mac OS X

Darren Tucker dtucker at zip.com.au
Wed Oct 26 11:30:53 AEDT 2016


Hi.

Mac OS X has a PT_DENY_ATTACH argument to ptrace(2) which does what
it says on the tin:

 PT_DENY_ATTACH
           This request is the other operation used by the traced
           process; it allows a process that is not currently being
           traced to deny future traces by its parent.  All other
           arguments are ignored.  If the process is currently being
           traced, it will exit with the exit status of ENOTSUP;
           otherwise, it sets a flag that denies future traces.  An
           attempt by the parent to trace a process which has set this
           flag will result in a segmentation violation in the parent

Any reason not to use it in platform_disable_tracing() ?

diff --git a/configure.ac b/configure.ac
index f5e1378..88c4633 100644
--- a/configure.ac
+++ b/configure.ac
@@ -405,6 +405,7 @@ AC_CHECK_HEADERS([ \
 	sys/poll.h \
 	sys/prctl.h \
 	sys/pstat.h \
+	sys/ptrace.h \
 	sys/select.h \
 	sys/stat.h \
 	sys/stream.h \
diff --git a/platform-tracing.c b/platform-tracing.c
index 81020e7..4c80a28 100644
--- a/platform-tracing.c
+++ b/platform-tracing.c
@@ -20,6 +20,9 @@
 #if defined(HAVE_SYS_PRCTL_H)
 #include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
 #endif
+#ifdef HAVE_SYS_PTRACE_H
+#include <sys/ptrace.h>
+#endif
 #ifdef HAVE_PRIV_H
 #include <priv.h> /* For setpflags() and __PROC_PROTECT  */
 #endif
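Review bot: The new `#include <sys/ptrace.h>` line is the only include in this block without a trailing comment naming what it is pulled in for, while the neighbouring prctl.h and priv.h lines both carry one. For consistency I would write it as `#include <sys/ptrace.h>	/* For ptrace() and PT_DENY_ATTACH */`, which also tells the reader why the header is only relevant on Mac OS X.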
@@ -40,4 +43,9 @@ platform_disable_tracing(int strict)
 	if (setpflags(__PROC_PROTECT, 1) != 0 && strict)
 		fatal("unable to make the process untraceable");
 #endif
+#ifdef PT_DENY_ATTACH
+	/* Mac OS X */
+	if (ptrace(PT_DENY_ATTACH, 0, 0, 0) == -1 && strict)
+		fatal("unable to set PT_DENY_ATTACH");
+#endif
 }
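Review bot: The `== -1 && strict` test on the new ptrace() line only handles the return-value failure; the man page excerpt quoted above says that when the process is already being traced, PT_DENY_ATTACH makes the process exit with ENOTSUP instead of returning, so a non-strict caller is still terminated and the `strict` parameter cannot soften that. That is reasonable for a hardening step, but it will surprise anyone running the daemon under a debugger, and the guard `#ifdef PT_DENY_ATTACH` means the behaviour appears silently wherever that macro exists. I would replace the bare `/* Mac OS X */` comment with one that records it, e.g. `/* Mac OS X: if already traced the process exits (ENOTSUP) regardless of strict */`. The body of platform_disable_tracing starts outside the hunk, so the earlier prctl branch it should stay consistent with is not visible here.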

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

