ptrace

From Wikipedia, the free encyclopedia
Analysis tool in Unix-like systems

ptrace is a system call found in Unix and several Unix-like operating systems. By using ptrace (an abbreviation of "process trace") one process can control another, enabling the controller to inspect and manipulate the internal state of its target. ptrace is used by debuggers and other code-analysis tools, mostly as aids to software development.

Uses

ptrace is used by debuggers (such as gdb and dbx), by tracing tools like strace and ltrace, and by code coverage tools. ptrace is also used by specialized programs to patch running programs, to avoid unfixed bugs or to overcome security features. It can further be used as a sandbox[1][2] and as a run-time environment simulator (like emulating root access for non-root software[2][3]).

By attaching to another process using the ptrace call, a tool has extensive control over the operation of its target. This includes manipulation of its file descriptors, memory, and registers. It can single-step through the target's code, can observe and intercept system calls and their results, and can manipulate the target's signal handlers and both receive and send signals on its behalf. The ability to write into the target's memory allows not only its data store to be changed, but also the application's own code segment, allowing the controller to install breakpoints and patch the running code of the target.[4]

As the ability to inspect and alter another process is very powerful, ptrace can attach only to processes that the owner can send signals to (typically only their own processes); the superuser account can ptrace almost any process (except init on kernels before 2.6.26). In Linux systems where POSIX capabilities are used, the ability to ptrace is further limited by the CAP_SYS_PTRACE capability[5] or by the YAMA Linux Security Module.[6] In FreeBSD, it is limited by FreeBSD jails and Mandatory Access Control policies.

Limitations

Communications between the controller and target take place using repeated calls of ptrace, passing a small fixed-size block of memory between the two (necessitating two context switches per call); this is acutely inefficient when accessing large amounts of the target's memory, as this can only be done in word-sized blocks (with a ptrace call for each word).[7] For this reason the 8th edition of Unix introduced procfs, which allows permitted processes direct access to the memory of another process; 4.4BSD followed, and the use of /proc for debugger support was inherited by Solaris, BSD, and AIX, and mostly copied by Linux.[7] Some, such as Solaris, have removed ptrace as a system call altogether, retaining it as a library call that reinterprets calls to ptrace in terms of the platform's procfs.[8] Such systems use ioctls on the file descriptor of the opened /proc file to issue commands to the controlled process.[8] FreeBSD, on the other hand, extended ptrace to remove the problems mentioned above, and declared procfs obsolete due to its inherent design problems.[vague][citation needed]

ptrace only provides the most basic interface necessary to support debuggers and similar tools. Programs using it must have intimate knowledge of the specifics of the OS and architecture, including stack layout, application binary interface, system call mechanism, name mangling, the format of any debug data, and are responsible for understanding and disassembling machine code themselves. Further, programs that inject executable code into the target process or (like gdb) allow the user to enter commands that are executed in the context of the target must generate and load that code themselves, generally without the help of the program loader.
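The following Linux program is an added example, not code from the article or from any of the tools it cites. It illustrates both the capabilities described under "Uses" (a tracer reading and writing a tracee's memory and observing its system-call stops) and the word-at-a-time transfer limitation described above. The helper names (peek_copy, ptrace_peek, fake_peek) and the constructed `secret` variable are this example's own; it assumes glibc's ptrace wrapper and a tracee forked from the tracer, so that `secret` has the same address in both.

```c
// Added example (not from the Wikipedia article): a minimal Linux tracer.
// The word-at-a-time copy is factored behind a callback so the copy logic
// can be exercised in-process without ptrace as well as against a tracee.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A "peek" backend: read one word at addr from the tracee into *out.
   Returns 0 on success, -1 on failure. */
typedef int (*peek_fn)(pid_t pid, const void *addr, long *out);

/* Copy `len` bytes from the tracee into `dst`, one word per ptrace call,
   which is the only granularity ptrace offers (see "Limitations").
   Returns the number of peek calls made, or -1 on error. */
long peek_copy(peek_fn peek, pid_t pid, const void *src, void *dst, size_t len)
{
    const char *s = src;
    char *d = dst;
    long calls = 0;
    while (len > 0) {
        long word;
        if (peek(pid, s, &word) < 0)
            return -1;
        /* The final word may be partial: copy only the bytes requested. */
        size_t n = len < sizeof word ? len : sizeof word;
        memcpy(d, &word, n);
        s += sizeof word;
        d += n;
        len -= n;
        calls++;
    }
    return calls;
}

/* Real backend. PTRACE_PEEKDATA returns the word itself, so errno must be
   cleared beforehand to tell a genuine -1 word from an error. */
static int ptrace_peek(pid_t pid, const void *addr, long *out)
{
    errno = 0;
    long w = ptrace(PTRACE_PEEKDATA, pid, (void *)addr, NULL);
    if (w == -1 && errno != 0)
        return -1;
    *out = w;
    return 0;
}

/* Fake backend for testing: "tracee memory" is this process's own memory.
   The source buffer must be padded to a whole word. */
int fake_peek(pid_t pid, const void *addr, long *out)
{
    (void)pid;
    memcpy(out, addr, sizeof *out);
    return 0;
}

static volatile int secret = 42;  /* constructed: same address in parent and child after fork */

int main(void)
{
    pid_t child = fork();
    if (child == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);  /* tracee: let the parent trace me */
        raise(SIGSTOP);                          /* stop until the tracer resumes me */
        printf("child sees secret = %d\n", secret);
        return 0;
    }
    int status;
    waitpid(child, &status, 0);  /* collect the SIGSTOP */
    /* With TRACESYSGOOD, syscall stops report SIGTRAP|0x80, distinguishing
       them from ordinary SIGTRAP stops. */
    ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)PTRACE_O_TRACESYSGOOD);

    int value;
    peek_copy(ptrace_peek, child, (const void *)&secret, &value, sizeof value);
    printf("tracer read secret = %d\n", value);

    /* POKEDATA writes a whole word, so patch the int inside a read word. */
    long word;
    int patched = 7;
    ptrace_peek(child, (const void *)&secret, &word);
    memcpy(&word, &patched, sizeof patched);
    ptrace(PTRACE_POKEDATA, child, (void *)&secret, (void *)word);

    /* Resume, stopping at every syscall entry and exit, and count the stops. */
    long syscall_stops = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, NULL) < 0)
            break;
        waitpid(child, &status, 0);
        if (WIFEXITED(status))
            break;
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80))
            syscall_stops++;
    }
    printf("syscall stops observed: %ld\n", syscall_stops);
    return 0;
}
```

Run as an ordinary user, the child prints the patched value 7 rather than 42, and the stop count shows how chatty even a trivial tracee is under PTRACE_SYSCALL. The return value of peek_copy makes the cost model concrete: copying N bytes costs ceil(N / sizeof(long)) ptrace calls, each a pair of context switches.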

Support

Unix and BSD

ptrace was first implemented in Version 6 Unix,[9] and was present in both the SVr4 and 4.3BSD branches of Unix.[5] ptrace is available as a system call on IRIX,[10] IBM AIX,[11] NetBSD,[12] FreeBSD,[13] OpenBSD,[14] and Linux.[5] ptrace is implemented as a library call on Solaris, built on the Solaris kernel's procfs filesystem; Sun notes that ptrace on Solaris is intended for compatibility, and recommends that new implementations use the richer interface that proc supplies instead.[8] UnixWare also features a limited ptrace[15] but like Sun, SCO recommends implementers use the underlying procfs features instead.[16] HP-UX supported ptrace until release 11i v3 (it was deprecated in favour of ttrace, a similar OS-specific call, in 11i v1).[17]

macOS

Apple's macOS also implements ptrace as a system call. Apple's version adds a special option PT_DENY_ATTACH – if a process invokes this option on itself, subsequent attempts to ptrace the process will fail.[18] Apple uses this feature to limit the use of debuggers on programs that manipulate DRM-ed content, including iTunes.[19] Enabling PT_DENY_ATTACH also disables DTrace's ability to monitor the process.[20] Debuggers on OS X typically use a combination of ptrace and the Mach VM and thread APIs.[21] ptrace (again with PT_DENY_ATTACH) is available to developers for the Apple iPhone.[22]

Linux

Linux also gives processes the ability to prevent other processes from attaching to them. Processes can call the prctl syscall with PR_SET_DUMPABLE to clear their dumpable flag; in later kernels this prevents non-root processes from ptracing the calling process. The OpenSSH authentication agent uses this mechanism to prevent ssh session hijacking via ptrace.[23][24][25] Later Ubuntu versions ship with a Linux kernel configured to prevent ptrace attaches from processes other than the traced process' parent; this allows gdb and strace to continue to work when running a target process, but prevents them from attaching to an unrelated running process.[23] Control of this feature is performed via the /proc/sys/kernel/yama/ptrace_scope setting.[23] On systems where this feature is enabled, commands like "gdb --attach" and "strace -p" will not work.

Starting in Ubuntu 10.10, ptrace is only allowed to be called on child processes.[23]
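As an added example (not code from the article, OpenSSH, or Ubuntu), the Linux program below shows the two mechanisms this section describes from the protected program's side: it clears its own dumpable flag through prctl, as the OpenSSH agent does, and it reads and interprets the Yama ptrace_scope setting. The function names and the meanings given for the four scope values are this example's own, taken from the kernel's Yama documentation; it assumes a Linux kernel with glibc headers, and that Yama may be absent (in which case the /proc file does not exist).

```c
// Added example (not from the Wikipedia article): opting out of unprivileged
// ptrace and reporting the Yama ptrace_scope policy on Linux.
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>

/* Clear the dumpable flag. Besides suppressing core dumps, a non-dumpable
   process may only be traced by a tracer holding CAP_SYS_PTRACE, so an
   unprivileged "gdb -p <pid>" from the same user fails with EPERM.
   The flag is reset by execve, so the protected program must clear it
   itself after starting. Returns 0 once the kernel confirms the flag is
   clear, -1 otherwise. */
int deny_unprivileged_ptrace(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    /* PR_GET_DUMPABLE reports the current flag as its return value. */
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

/* Parse the text of /proc/sys/kernel/yama/ptrace_scope (a digit plus
   newline). Returns the scope 0..3, or -1 for anything else. */
long parse_ptrace_scope(const char *contents)
{
    char *end;
    long v = strtol(contents, &end, 10);
    if (end == contents || v < 0 || v > 3)
        return -1;
    return v;
}

/* Meaning of each scope value, per the kernel's Yama documentation
   (assumed accurate here; not quoted from the article). */
const char *describe_ptrace_scope(long scope)
{
    switch (scope) {
    case 0: return "classic: any process may attach to another of the same uid";
    case 1: return "restricted: only a descendant (or a tracer declared via PR_SET_PTRACER) may attach";
    case 2: return "admin-only: attaching requires CAP_SYS_PTRACE";
    case 3: return "no attach: PTRACE_ATTACH is disabled until reboot";
    default: return NULL;
    }
}

/* Read the live setting. Returns -1 when Yama is not available. */
long read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f)
        return -1;
    char buf[16] = {0};
    long v = fgets(buf, sizeof buf, f) ? parse_ptrace_scope(buf) : -1;
    fclose(f);
    return v;
}

int main(void)
{
    long scope = read_ptrace_scope();
    if (scope < 0)
        puts("Yama ptrace_scope is not available on this kernel");
    else
        printf("ptrace_scope=%ld (%s)\n", scope, describe_ptrace_scope(scope));

    if (deny_unprivileged_ptrace() == 0)
        puts("dumpable flag cleared: unprivileged tracers can no longer attach");
    else
        puts("could not clear the dumpable flag");
    return 0;
}
```

The two controls compose: ptrace_scope is a system-wide policy set by the administrator, while clearing the dumpable flag is a per-process decision made by the program itself, which is why a secret-holding daemon such as the agent applies the latter regardless of how the host is configured.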

Android

For some Android phones with a locked boot loader, ptrace is used to gain control over the init process to enable a '2nd boot' and replace the system files.[citation needed]

References

  1. ^ sydbox
  2. ^ a b PRoot
  3. ^ "Fakeroot NG". Retrieved 2020-05-12.
  4. ^ For example retty uses ptrace to alter another process' file descriptors, and to inject executable code into the target's text segment
  5. ^ a b c "ptrace(2) manpage", Linux manual section 2
  6. ^ "Yama – The Linux Kernel documentation". www.kernel.org. Retrieved 2023-03-15.
  7. ^ a b The Design and Implementation of the 4.4 BSD Operating System, Marshall Kirk McKusick, Keith Bostic, Michael J. Karels, John Quarterman, Addison-Wesley, April 1996, ISBN 0-201-54979-4
  8. ^ a b c "ptrace() Request Values", Solaris Transition Guide, Sun Microsystems, 2000
  9. ^ "Ptrace page from Section 2 of the unix-6th manual".
  10. ^ "ptrace(2)", IRIX 6.5 manual, section 2, SGI techpubs library
  11. ^ "ptrace, ptracex, ptrace64 subroutine", IBM AIX Technical Reference: Base Operating System and Extensions, Volume 1
  12. ^ ptrace(2), NetBSD manual, section 2
  13. ^ [1], FreeBSD manual, section 2
  14. ^ "ptrace(2)", OpenBSD manual, section 2
  15. ^ ptrace(2), SCO UnixWare 7 manual, section 2
  16. ^ "System call compatibility notes" Archived 2011-07-16 at the Wayback Machine, UnixWare 7 Documentation
  17. ^ "ptrace() System Call (Obsolete)", HP-UX 11i Version 3 Release Notes: HP 9000 and HP Integrity Servers, Hewlett Packard, February 2007
  18. ^ "ptrace(2) manual page", Apple Darwin/OS-X manual
  19. ^ "Owning the Fanboys: Hacking Mac OS X", Charlie Miller, Black Hat Briefings conference 2008
  20. ^ "Apple 'breaks' Sun developer app", Matthew Broersma, Computerworld UK, 24 January 2008
  21. ^ Chapter 9, Mac OS X Internals: A Systems Approach, Amit Singh, ISBN 978-0-321-27854-8, Addison Wesley, 2006
  22. ^ "ptrace(2)", BSD System Calls Manual, Apple iPhone OS Reference Library
  23. ^ a b c d "KernelHardening", Ubuntu security team roadmap
  24. ^ "prctl(2)", Linux programmer's manual, section 2
  25. ^ "PATCH ptrace: allow restriction of ptrace scope" posting by Canonical Ltd. engineer Kees Cook, Linux Kernel mailing list, June 16, 2010

Retrieved from "https://en.wikipedia.org/w/index.php?title=Ptrace&oldid=1278641892"