strace 是Linux下常用的跟踪程序系统调用的工具。
strace简介
可使用 strace
下面给出一个简单的使用 strace 的例子:
$ strace ls > /dev/null
execve("/bin/ls", ["ls"], [/* 73 vars */]) = 0
brk(NULL) = 0xe0b000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
... 省略若干记录 ...
open(".", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
getdents(3, /* 5 entries */, 32768) = 144
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 19), ...}) = 0
write(1, "ss.txt\ts.txt test.txt\n", 23) = 23
close(1) = 0
close(2) = 0
exit_group(0) = ?
+++ exited with 0 +++
strace -f strace ls
当想要了解 strace ls 这一程序调用了哪些系统调用时,很自然的想法是使用 strace -f strace ls ,在shell中键入了该命令后,得到如下结果:
execve("/usr/bin/strace", ["strace", "ls"], [/* 73 vars */]) = 0
brk(NULL) = 0x5622d1bbe000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
... 省略若干记录 ...
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2c05b119d0) = 26385
ptrace(PTRACE_SEIZE, 26385, NULL, NULL) = -1 EPERM (Operation not permitted)
kill(26385, SIGKILL) = 0
wait4(26385, strace: Exit of unknown pid 26385 ignored
[{WIFSIGNALED(s) && WTERMSIG(s) == SIGKILL}], 0, NULL) = 26385
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=26385, si_uid=1000, si_status=SIGKILL, si_utime=0, si_stime=0} ---
stat("/usr/local/sbin/ls", 0x7ffe6b864fc0) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/ls", 0x7ffe6b864fc0) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/ls", 0x7ffe6b864fc0) = -1 ENOENT (No such file or directory)
stat("/usr/bin/ls", 0x7ffe6b864fc0) = -1 ENOENT (No such file or directory)
stat("/sbin/ls", 0x7ffe6b864fc0) = -1 ENOENT (No such file or directory)
stat("/bin/ls", {st_mode=S_IFREG|0755, st_size=126584, ...}) = 0
stat("/bin/ls", {st_mode=S_IFREG|0755, st_size=126584, ...}) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2c05b119d0) = 26386
strace: Process 26386 attached
[pid 26384] rt_sigaction(SIGTTOU, {SIG_IGN, [], SA_RESTORER, 0x7f2c0557c4b0}, NULL, 8) = 0
[pid 26384] rt_sigaction(SIGTTIN, {SIG_IGN, [], SA_RESTORER, 0x7f2c0557c4b0},
[pid 26386] ptrace(PTRACE_TRACEME, 0, NULL, NULL
[pid 26384] <... rt_sigaction resumed> NULL, 8) = 0
[pid 26386] <... ptrace resumed> ) = -1 EPERM (Operation not permitted)
... 省略若干记录 ...
[pid 26384] wait4(-1,
[pid 26386] write(2, "strace: ptrace(PTRACE_TRACEME, ."..., 61strace: ptrace(PTRACE_TRACEME, ...): Operation not permitted
) = 61
[pid 26386] exit_group(1) = ?
[pid 26386] +++ exited with 1 +++
<... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], __WALL, NULL) = 26386
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=26386, si_uid=1000, si_status=1, si_utime=0, si_stime=0} ---
rt_sigprocmask(SIG_BLOCK, [HUP INT QUIT PIPE TERM], NULL, 8) = 0
write(2, "+++ exited with 1 +++\n", 22+++ exited with 1 +++
) = 22
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
wait4(-1, 0x7ffe6b8660f4, __WALL, NULL) = -1 ECHILD (No child processes)
rt_sigprocmask(SIG_BLOCK, [HUP INT QUIT PIPE TERM], NULL, 8) = 0
exit_group(1) = ?
+++ exited with 1 +++
可以看到 ptrace(PTRACE_TRACEME, 0, NULL, NULL) = -1 EPERM (Operation not permitted) 这一条记录。
出现的原因可能是没有以root身份运行。当使用root运行时若还出现了这种情况,则可以修改 /proc/sys/kernel/yama/ptrace_scope 这一文件,以root权限运行 echo 0 > /proc/sys/kernel/yama/ptrace_scope 命令,修改ptrace 的相关权限
使用 strace strace ls 是不会出现上述问题的,因为第一个strace只跟踪后一个strace进程,而不会进一步跟踪其子进程。