From 1be3a8c1400debd5239b23db2686faab3276c59c Mon Sep 17 00:00:00 2001 From: Johannes Stoelp Date: Sun, 13 Mar 2022 16:37:12 +0100 Subject: add systemd,core,ptrace_scope --- src/SUMMARY.md | 5 +++ src/linux/README.md | 5 +++ src/linux/coredump.md | 92 +++++++++++++++++++++++++++++++++++++++++++++++ src/linux/ptrace_scope.md | 21 +++++++++++ src/linux/systemd.md | 68 +++++++++++++++++++++++++++++++++++ 5 files changed, 191 insertions(+) create mode 100644 src/linux/README.md create mode 100644 src/linux/coredump.md create mode 100644 src/linux/ptrace_scope.md create mode 100644 src/linux/systemd.md (limited to 'src') diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 830812f..c32741e 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -49,6 +49,11 @@ - [symbol versioning](./development/symbolver.md) - [python](./development/python.md) +- [Linux](./linux/README.md) + - [systemd](./linux/systemd.md) + - [coredump](./linux/coredump.md) + - [ptrace_scope](./linux/ptrace_scope.md) + - [Arch](./arch/README.md) - [x86_64](./arch/x86_64.md) - [arm64](./arch/arm64.md) diff --git a/src/linux/README.md b/src/linux/README.md new file mode 100644 index 0000000..bd80476 --- /dev/null +++ b/src/linux/README.md @@ -0,0 +1,5 @@ +# Linux + +- [systemd](./systemd.md) +- [coredump](./coredump.md) +- [ptrace_scope](./ptrace_scope.md) diff --git a/src/linux/coredump.md b/src/linux/coredump.md new file mode 100644 index 0000000..7dd72c9 --- /dev/null +++ b/src/linux/coredump.md @@ -0,0 +1,92 @@ +# core(5) + +There are multiple requirements that must be satisfied that `coredumps` are +being generated, a full list can be found in [core(5)][man-core]. + +An important one is to configure the soft resource limit `RLMIT_CORE` +(typically as unlimited during debugging). +In a typical bash/zsh this can be done as +```bash +ulimit -Sc unlimited +``` + +## Naming of coredump files + +There are two important kernel configs to control the naming: +```config +/proc/sys/kernel/core_pattern + => Specifies a name pattern for the coredump file. This can + include certain FORMAT specifier. + | => Coredump is pipe through stdin to the user space process + specified by the cmdline, this can also contain FORMAT specifier. + + FORMAT specifier (full list, see core(5)): + %E Pathname of the executable ('/' replaced by '!'). + %p PID of the dumping process in its pid namespace. + %P PID of the dumping process in the initial pid namespace. + %u Real UID of dumping process. + %s Signal number causing the dump. + + +/proc/sys/kernel/core_uses_pid + 1 => Append "." suffic to the coredump file name + (pid of the dumping process). + 0 => Do not append the suffix. +``` + +## Control which segments are dumped + +Each process has a coredump filter defined in `/proc//coredump_filter` +which specifies which memory segments are being dumped. +Filters are preseved across `fork/exec` calls and hence child processes inherit +the parents filters. + +The filter is a bitmask where `1` indicates to dump the given type. +``` +From core(5): + bit 0 Dump anonymous private mappings. + bit 1 Dump anonymous shared mappings. + bit 2 Dump file-backed private mappings. + bit 3 Dump file-backed shared mappings. + bit 4 Dump ELF headers. + bit 5 Dump private huge pages. + bit 6 Dump shared huge pages. + bit 7 Dump private DAX pages. + bit 8 Dump shared DAX pages. + +Default filter 0x33. +``` + +# Some examples out there + +## coredumpctl (systemd) + +```bash +# List available coredumps. +coredumpctl list + TIME PID UID GID SIG COREFILE EXE SIZE + ... + Fri 2022-03-11 12:10:48 CET 6363 1000 1000 SIGSEGV present /usr/bin/sleep 18.1K + +# Get detailed info on specific coredump. +coredumpctl info 6363 + +# Debug specific coredump. +coredumpctl debug 6363 + +# Dump specific coredump to file. +coredumpctl dump 6363 -o +``` + +## apport (ubuntu) + +Known crash report locations: +- `/var/crash` + +To get to the raw coredump, crash reports can be unpacked as: +```bash +apport-unpack +``` +The coredump resides under `/CoreDump`. + +[man-core]: https://man7.org/linux/man-pages/man5/core.5.html diff --git a/src/linux/ptrace_scope.md b/src/linux/ptrace_scope.md new file mode 100644 index 0000000..72e8353 --- /dev/null +++ b/src/linux/ptrace_scope.md @@ -0,0 +1,21 @@ +# ptrace_scope + +In case the kernel was compiled with the `yama` security module +(`CONFIG_SECURITY_YAMA`), tracing processes with `ptrace(2)` can be restricted. + +```config +/proc/sys/kernel/yama/ptrace_scope + 0 => No restrictions. + 1 => Restricted attach, only the following can attach + - A process in the parent hierarchy. + - A process with CAP_SYS_PTRACE. + - A process with the PID that the tracee allowed by via + PR_SET_PTRACER. + 2 => Only processes with CAP_SYS_PTRACE in the user namespace of the tracee + can attach. + 3 => No tracing allowed. +``` + +Further details in [`ptrace(2)`][man-ptrace]. + +[man-ptrace]: https://man7.org/linux/man-pages/man2/ptrace.2.html diff --git a/src/linux/systemd.md b/src/linux/systemd.md new file mode 100644 index 0000000..14ced0b --- /dev/null +++ b/src/linux/systemd.md @@ -0,0 +1,68 @@ +# systemd + +## systemctl + +Inspect units: +```text +systemctl [opts] [cmd] +[opts] + --user + +[cmd] + list-units List units in memory + + status Show runtime status of unit + + start Start a unit + stop Stop a unit + restart Restart a unit + reload Reload a unit + + enable Enable a unit (persistent) + disable Disable a unit + + cat Print unit file + show Show properties of unit +``` + +### Example: Trivial user unit + +```bash +# Generate unit +mkdir -p ~/.config/systemd/user +echo '[Unit] +Description=Test logger + +[Service] +Type=oneshot +ExecStart=logger "Hello from test unit"' > ~/.config/systemd/user/test.service + +# Run unit +systemctl --user start test + +# See log message +journalctl --user -u test -n 5 +``` + +## journalctl + +Inspect journal logs: +```text +journalctl [opts] [matches] + --user Current user journal (system by default) + -u Show logs for specified + -n Show only last + -f Follow journal + -g Grep for +``` + +Cleanup: +```text +journalctl [opts] + --disk-usage Show current disk usage + --vacuum-size= Reduce journal log to (K/M/G) +``` + +## References +- [man systemd.unit(5)](https://www.man7.org/linux/man-pages/man5/systemd.unit.5.html) +- [man systemd.service(5)](https://www.man7.org/linux/man-pages/man5/systemd.service.5.html) -- cgit v1.2.3