[Linux] Set permission for gdb to attach

Most modern Linux distributions limit the ptrace scope to allow
attaching only to the direct child processes for security reasons. The
user on such machine has to modify sysctl in order to allow non-root
processes to attach to arbitrary processes, which opens up a potential
security issue. The alternative is what's implemented here - when we
crash and ask gdb to dump the stack we can bless the gdb process and allow
it to attach to our process using prctl(2)

diff --git a/configure.ac b/configure.ac
index d7bfc65a77d237dacf034f05ceab6b07a3c9956e..58e0a50893ccf834e4f44d3a2d4f95c15367ea58 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -428,7 +428,7 @@ AC_PROG_LD_GNU
 
 AM_ICONV()
 
-AC_CHECK_HEADERS(sys/filio.h sys/sockio.h netdb.h utime.h sys/utime.h semaphore.h sys/un.h linux/rtc.h sys/syscall.h sys/mkdev.h sys/uio.h sys/param.h sys/sysctl.h libproc.h)
+AC_CHECK_HEADERS(sys/filio.h sys/sockio.h netdb.h utime.h sys/utime.h semaphore.h sys/un.h linux/rtc.h sys/syscall.h sys/mkdev.h sys/uio.h sys/param.h sys/sysctl.h libproc.h sys/prctl.h)
 AC_CHECK_HEADERS(sys/param.h sys/socket.h sys/ipc.h sys/sem.h sys/utsname.h alloca.h ucontext.h pwd.h sys/select.h netinet/tcp.h netinet/in.h unistd.h sys/types.h link.h asm/sigcontext.h sys/inotify.h arpa/inet.h complex.h)
 AC_CHECK_HEADERS([linux/netlink.h linux/rtnetlink.h],
                   [], [], [#include <stddef.h>
@@ -1176,6 +1176,7 @@ if test x$host_win32 = xno; then
        AC_CHECK_FUNCS(dladdr)
        AC_CHECK_FUNCS(sysconf)
        AC_CHECK_FUNCS(getrlimit)
+       AC_CHECK_FUNCS(prctl)
 
        AC_CHECK_FUNCS(sched_setaffinity)
        AC_CHECK_FUNCS(sched_getcpu)

diff --git a/mono/mini/mini-exceptions.c b/mono/mini/mini-exceptions.c
index bc7d73d855363553958f1def7046ba0be999a304..328f29d1e869c6ffe3f01954cb98852ee472b72a 100644 (file)
--- a/mono/mini/mini-exceptions.c
+++ b/mono/mini/mini-exceptions.c
@@ -38,6 +38,10 @@
 #include <sys/syscall.h>
 #endif
 
+#ifdef HAVE_SYS_PRCTL_H
+#include <sys/prctl.h>
+#endif
+
 #include <mono/metadata/appdomain.h>
 #include <mono/metadata/tabledefs.h>
 #include <mono/metadata/threads.h>
@@ -2214,7 +2218,15 @@ mono_handle_native_sigsegv (int signal, void *ctx, MONO_SIG_HANDLER_INFO_TYPE *i
                 * it will deadlock. Call the syscall directly instead.
                 */
                pid = mono_runtime_syscall_fork ();
-
+#if defined (__linux__) && defined (HAVE_PCRTL)
+               if (pid > 0) {
+                       // Allow gdb to attach to the process even if ptrace_scope sysctl variable is set to
+                       // a value other than 0 (the most permissive ptrace scope). Most modern Linux
+                       // distributions set the scope to 1 which allows attaching only to direct children of
+                       // the current process
+                       prctl (PR_SET_PTRACER, pid, 0, 0, 0);
+               }
+#endif
                if (pid == 0) {
                        dup2 (STDERR_FILENO, STDOUT_FILENO);