exsnake

Reputation: 1823

Last system call from a process in bash

I need to obtain the last system call from a process in a bash script only if I have permission to read. I'm doing this:

# $pid is the pid from the process
cat /proc/$pid/syscall

But when I do this, I get this message:

cat: /proc/21/syscall: Permission denied

or this one:

cat: /proc/2101/syscall: Operation not permitted

Is this right? Obviously "Permission denied" means I can't read it. But what does "Operation not permitted" mean?

And from one process, I get this line:

0 0x3 0x717000 0x10000 0x7ffca5422b00 0x0 0x79 0x7ffca5422c50 0x7f840be43810

Which one is the last system call?

Upvotes: 0

Views: 1266

Answers (2)

Alvaro Gutierrez Perez

Reputation: 3877

About "Operation not permitted": it is because you have read access to the file (the process is owned by you), but the kernel prohibits you from doing so.

If you run dmesg after that error appears, you will see the following line:

ptrace of pid 12304 was attempted by: cat (pid 12342)

That is because the kernel avoids tracing a process that is not a child of the current one. This is controlled via the kernel.yama.ptrace_scope configuration option. If you do

cat /proc/sys/kernel/yama/ptrace_scope

it will have a value of 1.

More info: https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace

Upvotes: 3
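As an added example (not from the question or either answer), here is a small shell helper that parses the /proc/<pid>/syscall line and classifies the two errors seen above. The field layout it assumes, syscall number followed by six arguments, then stack pointer and program counter, is the one documented in the kernel's Documentation/filesystems/proc.rst, so on the line quoted in the question the first field (0) is the syscall number.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answers.
# /proc/<pid>/syscall has three forms (Documentation/filesystems/proc.rst):
#   "running"                       task is currently executing in user space
#   "-1 <sp> <pc>"                  task is blocked, but not inside a syscall
#   "<nr> <a1> .. <a6> <sp> <pc>"   task is blocked inside syscall <nr>

# Print the syscall number (first field) of one /proc/<pid>/syscall line,
# or "running" / "none" for the two special forms. Pure string handling,
# so it can be exercised on a captured line without a live process.
syscall_number() {
    set -- $1
    case "$1" in
        running) echo running ;;
        -1)      echo none ;;
        *)       echo "$1" ;;
    esac
}

# Read /proc/$pid/syscall and explain the two failure modes from the page.
# Exit status: 0 read ok, 1 EACCES (process not owned by you),
# 2 EPERM (Yama ptrace_scope forbids reading a non-child), 3 anything else.
read_last_syscall() {
    local pid=$1 out scope
    if out=$(cat "/proc/$pid/syscall" 2>&1); then
        syscall_number "$out"
        return 0
    fi
    case "$out" in
        *"Permission denied"*)
            echo "pid $pid: not readable, process is not owned by you" >&2
            return 1 ;;
        *"Operation not permitted"*)
            scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo '?')
            echo "pid $pid: kernel.yama.ptrace_scope=$scope blocks ptrace access to a non-child" >&2
            return 2 ;;
        *)
            echo "pid $pid: $out" >&2
            return 3 ;;
    esac
}

# Constructed input: the line quoted in the question. Prints 0 (syscall 0,
# which is read(2) on x86_64; the fd argument 0x3 follows it).
syscall_number "0 0x3 0x717000 0x10000 0x7ffca5422b00 0x0 0x79 0x7ffca5422c50 0x7f840be43810"
# Live check on the current shell, which is always readable by its owner.
read_last_syscall "$$" || echo "read failed with status $?"
```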

Diego Torres Milano

Reputation: 69198

What about using strace:

$ strace -o /tmp/out command args; tail -n 2 /tmp/out
exit_group(0)                           = ?
+++ exited with 0 +++

Upvotes: 0
