Execution tracing is a technique that allows a program to monitor the execution of another program. The traced program can be executed step by step, until a signal is received, or until a system call is invoked. Execution tracing is widely used by debuggers, together with other techniques like the insertion of breakpoints in the debugged program and run-time access to its variables. We focus on how the kernel supports execution tracing rather than discussing how debuggers work.
In Linux, execution tracing is performed through the `ptrace()` system call, which can handle the commands listed in Table 20-5. Processes that have the `CAP_SYS_PTRACE` capability flag set are allowed to trace any process in the system except `init`. Conversely, a process P without the `CAP_SYS_PTRACE` capability is allowed to trace only processes that have the same owner as P. Moreover, a process cannot be traced by two processes at the same time.
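The one-tracer rule can be observed directly. The following is an added example, not code from the original text: a parent traces its child, then a second process owned by the same user tries `PTRACE_ATTACH` on that child and is refused with `EPERM`. The function names are hypothetical, and the `prctl()` call assumes a kernel where the Yama security module may be enabled; it is there so that the refusal comes from the existing tracer and not from Yama.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Helper process tries PTRACE_ATTACH on target; returns its errno (0 = attached). */
static int rival_attach_errno(pid_t target)
{
    int st;
    pid_t rival = fork();
    if (rival < 0) return -1;
    if (rival == 0) {
        if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == -1)
            _exit(errno);
        waitpid(target, NULL, 0);   /* attach succeeded: wait for the stop */
        ptrace(PTRACE_DETACH, target, NULL, NULL);
        _exit(0);
    }
    waitpid(rival, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Trace a child from this process, then let a second process try to attach. */
int second_tracer_errno(void)
{
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        /* Assumption: Yama may be active; opt out so only the one-tracer rule applies. */
        prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);  /* parent becomes the tracer */
        raise(SIGSTOP);                         /* stop and notify the tracer */
        _exit(0);
    }
    waitpid(child, NULL, WUNTRACED);  /* child is now stopped and traced by us */
    int err = rival_attach_errno(child);
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return err;
}

int main(void)
{
    printf("second PTRACE_ATTACH errno: %d\n", second_tracer_errno());
}
```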