ptrace is a system call used for process tracing and debugging.
It is available on many operating systems, but each one has its own
variant of the interface.
I want to explain my efforts to port
of FreeBSD is similar to
Linux's. The request
PT_SYSCALL stops the traced process at every system call entry and
exit, like PTRACE_SYSCALL on Linux.
In addition, FreeBSD has the requests
PT_TO_SCE and PT_TO_SCX, which stop the traced process only at the
next system call entry or exit, respectively. This is a feature I really miss on
There is, however, a big difference, I'm inclined to call it a bug, in
ptrace on FreeBSD. When a traced process is stopped
at the entry of a system call, there's no way to prevent the execution of that
system call. On Linux this is done by rewriting the system call number in the
tracee's registers, either to something invalid like 0xbadca11 or to something
harmless like getpid.
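Here is the Linux side of that trick, as an added example; it is not code from the original post or from sydbox. It assumes Linux on x86_64 or aarch64, and the helper names and the /tmp/foo.bar test path are ours. The tracer stops the child at every system call with PTRACE_SYSCALL; when it sees an open or openat of the forbidden path at an entry stop, it rewrites the syscall number to -1 so the kernel runs nothing, and at the matching exit stop it writes -EPERM into the return register so the tracee sees a clean error:

```c
/* Added example (not from the original post or from sydbox): deny one
 * system call from a ptrace syscall-entry stop on Linux x86_64/aarch64. */
#include <elf.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define SC_NR(r)     ((r).orig_rax)               /* pending syscall number */
#  define SC_RET(r)    ((r).rax)                    /* return value at exit stop */
#  define SC_ARG(r, i) ((i) == 0 ? (r).rdi : (r).rsi)
#elif defined(__aarch64__)
#  define SC_NR(r)     ((r).regs[8])
#  define SC_RET(r)    ((r).regs[0])
#  define SC_ARG(r, i) ((r).regs[i])
#else
#  error "this example covers x86_64 and aarch64 only"
#endif

/* PTRACE_GETREGSET / PTRACE_SETREGSET wrapper for one register set. */
static int regset(int req, pid_t pid, int nt, void *p, size_t n) {
    struct iovec iov = { p, n };
    return (int)ptrace(req, pid, nt, &iov);
}

/* Replace the pending syscall number. -1 is invalid, so the kernel runs
 * nothing and falls straight through to the syscall-exit stop. */
static int set_syscall_nr(pid_t pid, struct user_regs_struct *r, long nr) {
#if defined(__aarch64__)
    int n = (int)nr;            /* arm64 keeps the number in its own regset */
    (void)r;
    return regset(PTRACE_SETREGSET, pid, NT_ARM_SYSTEM_CALL, &n, sizeof n);
#else
    SC_NR(*r) = (unsigned long long)nr;
    return regset(PTRACE_SETREGSET, pid, NT_PRSTATUS, r, sizeof *r);
#endif
}

/* Copy a NUL-terminated string out of the tracee one word at a time. */
static void peek_string(pid_t pid, unsigned long addr, char *buf, size_t len) {
    size_t i = 0;
    while (i + sizeof(long) <= len) {
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), NULL);
        if (w == -1 && errno) break;
        memcpy(buf + i, &w, sizeof w);
        if (memchr(&w, 0, sizeof w)) return;         /* terminator copied */
        i += sizeof w;
    }
    buf[i < len ? i : len - 1] = '\0';
}

/* Fork a child that creates `path` under tracing; the tracer denies any
 * open/openat of `deny_path` with EPERM. Returns 1 if the file exists
 * afterwards, 0 if not, -1 if tracing itself failed. */
int trace_child_create(const char *path, const char *deny_path) {
    unlink(path);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(99);
        raise(SIGSTOP);                              /* let the parent set options */
        int fd = open(path, O_WRONLY | O_CREAT, 0644);
        _exit(fd >= 0 ? 0 : 1);
    }
    int status, in_syscall = 0, denied = 0, rc = -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) goto out;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) goto out;
        if (waitpid(pid, &status, 0) < 0) goto out;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;  /* not a syscall stop */
        struct user_regs_struct regs;
        if (regset(PTRACE_GETREGSET, pid, NT_PRSTATUS, &regs, sizeof regs) < 0) goto out;
        in_syscall = !in_syscall;                    /* stops alternate entry/exit */
        if (in_syscall) {
            long nr = (long)SC_NR(regs);
            unsigned long parg = 0;
            if (nr == SYS_openat) parg = (unsigned long)SC_ARG(regs, 1);
#ifdef SYS_open
            else if (nr == SYS_open) parg = (unsigned long)SC_ARG(regs, 0);
#endif
            char p[256] = "";
            if (parg) peek_string(pid, parg, p, sizeof p);
            if (parg && strcmp(p, deny_path) == 0) {
                if (set_syscall_nr(pid, &regs, -1) < 0) goto out;
                denied = 1;
            }
        } else if (denied) {
            SC_RET(regs) = (unsigned long long)-EPERM;   /* what open() will see */
            if (regset(PTRACE_SETREGSET, pid, NT_PRSTATUS, &regs, sizeof regs) < 0) goto out;
            denied = 0;
        }
    }
    rc = access(path, F_OK) == 0 ? 1 : 0;
    if (rc == 1) unlink(path);
out:
    if (rc < 0) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }
    return rc;
}

int main(void) {
    const char *f = "/tmp/foo.bar";                   /* constructed test path */
    printf("denied:  created=%d\n", trace_child_create(f, f));
    printf("allowed: created=%d\n", trace_child_create(f, "/tmp/other.bar"));
    return 0;
}
```

The denied run reports created=0 and the control run created=1. The FreeBSD equivalent would put PT_TO_SCE, PT_GETREGS and PT_SETREGS in the same places; the observation in this post is that on FreeBSD the rewritten number is not honoured.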
On FreeBSD we expect the same to happen: the file foo.bar shouldn't be created.
But it is created. Replace the PT_GETREGS and PT_SETREGS calls with a
PT_KILL to terminate the process with SIGKILL, and the file will still
be created! So there's no way to deny a system call using ptrace, which makes
it impossible to port sydbox to
FreeBSD without patching the kernel.
None of the other BSDs, neither
has the ptrace request PT_SYSCALL, so I haven't checked whether the behaviour is the
same on those systems.