
clone

Intro

clone - creates a child process

Description

The clone syscall creates a new process (or thread) that shares parts of its execution context with the calling process. Which parts are shared is controlled by the flags argument: CLONE_VM shares the address space, CLONE_FS the filesystem information (root, working directory, umask), CLONE_FILES the file descriptor table, CLONE_SIGHAND the signal handler table, and CLONE_THREAD places the child in the caller's thread group. With none of these set, clone behaves like fork. The CLONE_NEW* flags (for example CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNS) create the child inside new namespaces, which is how container runtimes and sandboxes are built. glibc implements both fork() and pthread_create() on top of clone (newer glibc versions use clone3 for thread creation when the kernel supports it), so most process and thread creation on Linux arrives as this syscall.

Drawbacks of using clone include the complexity of managing several execution contexts and the potential for unintended sharing: a child created with CLONE_VM but without CLONE_THREAD runs inside the parent's address space yet is not a thread of it, and a child created with CLONE_FILES sees every descriptor the parent opens afterwards. From a monitoring perspective the flags argument is therefore the most important field of this event: it tells you whether the call is a plain fork, a new thread, or the creation of new namespaces.

Arguments

  • flags:unsigned long - bit mask of CLONE_* flags controlling what the child shares with the caller. The low byte is the signal sent to the parent when the child terminates (SIGCHLD for fork-like calls, 0 for threads). See clone(2) for the full list of flags.
  • stack:void* - pointer to the top of the stack the child will use. Passing NULL makes the child run on the same stack address as the parent, which is only safe when CLONE_VM is not set and the child therefore gets its own copy-on-write copy of the stack.
  • parent_tid:int* - location in the parent's memory where the kernel stores the child's thread ID when CLONE_PARENT_SETTID is set; ignored otherwise.
  • child_tid:int* - location in the child's memory where the kernel stores the child's thread ID when CLONE_CHILD_SETTID is set, and which it clears (and wakes a futex on) when the child exits if CLONE_CHILD_CLEARTID is set. glibc uses this for pthread_join.
  • tls:unsigned long - new thread-local storage descriptor for the child, used only when CLONE_SETTLS is set. Its meaning is architecture-specific (on x86-64 it is the new FS base).

Note that the raw syscall's argument order differs between architectures (the order above is the x86-64 one) and that the glibc clone() wrapper has a different signature again.
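The following is an added example, not code from the Tracee project, that exercises clone(2) through the glibc clone() wrapper to show what the stack and flags arguments actually do: the same child function is run once fork-style and once with CLONE_VM, and the parent reports whether the child's write to a global and the kernel's CLONE_CHILD_SETTID store are visible to it. It assumes Linux with glibc; the function names and the return-value encoding are this example's own.

```c
/* Added example (not Tracee code): observe what clone(2) shares with its
 * parent depending on the flags. Linux + glibc only. */
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Size of the private stack handed to each child; 64 KiB is plenty here. */
#define CHILD_STACK_SIZE (64 * 1024)

/* Written by the child. With CLONE_VM the write lands in the parent's memory;
 * without CLONE_VM the child modifies its own copy-on-write copy. */
static volatile int g_counter;

/* Child entry point. The glibc wrapper exits the child with the return value
 * once this function returns. */
static int child_fn(void *arg)
{
    (void)arg;
    g_counter += 1;
    return 0;
}

/*
 * Create a child with clone(2) using `extra_flags` on top of SIGCHLD and
 * CLONE_CHILD_SETTID, wait for it, and report what the parent can observe:
 *   bit 0 set -> the child's increment of g_counter is visible (shared VM)
 *   bit 1 set -> the kernel's store to child_tid is visible (shared VM)
 * Returns -1 if clone() or waitpid() fails. (Encoding is this example's own.)
 */
int run_child(int extra_flags)
{
    pid_t child_tid = 0;
    g_counter = 0;

    char *stack = malloc(CHILD_STACK_SIZE);
    if (stack == NULL)
        return -1;
    /* clone() wants the highest address: the stack grows down on x86 and arm. */
    char *stack_top = stack + CHILD_STACK_SIZE;

    /* glibc's clone() orders the trailing pointers as parent_tid, tls, child_tid,
     * which is not the raw x86-64 syscall order listed in the Arguments section.
     * SIGCHLD in the low byte makes waitpid() work as it does after fork(). */
    pid_t pid = clone(child_fn, stack_top,
                      extra_flags | CLONE_CHILD_SETTID | SIGCHLD,
                      NULL, NULL, NULL, &child_tid);
    if (pid == -1) {
        free(stack);
        return -1;
    }

    int status = 0;
    if (waitpid(pid, &status, 0) == -1) {
        free(stack);
        return -1;
    }
    free(stack); /* only safe once the child has exited */

    int seen = 0;
    if (g_counter == 1)
        seen |= 1;
    if (child_tid == pid)
        seen |= 2;
    return seen;
}

int main(void)
{
    printf("fork-like (no CLONE_VM): parent observes %d\n", run_child(0));
    printf("CLONE_VM:                parent observes %d\n", run_child(CLONE_VM));
    return 0;
}
```

Without CLONE_VM the parent observes neither the counter change nor the TID store (result 0); with CLONE_VM it observes both (result 3), even though the child is a separate process with its own PID, which is exactly the "unintended sharing" case described above.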

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_clone

Type

kprobe

Purpose

To capture the arguments passed to the clone syscall.

Example Use Case

Tracing clone is useful because nearly every process and thread on the system passes through it. Looking at the flags argument you can tell the three common shapes apart: a glibc thread (CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, exit signal 0), a fork (CLONE_CHILD_SETTID|CLONE_CHILD_CLEARTID|SIGCHLD), and namespace creation (any CLONE_NEW* flag). The last one is the most interesting for security: a process that is not a known container runtime or sandbox creating a user namespace with CLONE_NEWUSER is worth alerting on, since unprivileged user namespaces are a common prerequisite for kernel exploits that need capabilities inside a namespace, and CLONE_NEWNS or CLONE_NEWNET from an unexpected process can indicate an attempt to hide files or network activity.
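To make the flag-based triage above concrete, here is an added example (not Tracee code) that decodes a clone flags value into CLONE_* names, separates the exit signal in the low byte, and classifies the call as a fork, thread, vfork, shared-VM process or namespace creation. The sample flag values fed to it are constructed to match what glibc's pthread_create and fork pass and what a typical user-namespace-creating call looks like; the classification labels and function names are this example's own.

```c
/* Added example (not Tracee code): decode and classify clone(2) flags the way a
 * detection rule on top of the clone event would. */
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Low byte of flags is the signal delivered to the parent on child exit. */
#define CSIGNAL_MASK 0xffUL

struct clone_flag {
    unsigned long bit;
    const char *name;
    int creates_namespace; /* 1 for the CLONE_NEW* family */
};

/* Table of CLONE_* bits from <sched.h>; newer flags are guarded because older
 * glibc headers do not define them. */
static const struct clone_flag kCloneFlags[] = {
    { CLONE_VM,             "CLONE_VM",             0 },
    { CLONE_FS,             "CLONE_FS",             0 },
    { CLONE_FILES,          "CLONE_FILES",          0 },
    { CLONE_SIGHAND,        "CLONE_SIGHAND",        0 },
#ifdef CLONE_PIDFD
    { CLONE_PIDFD,          "CLONE_PIDFD",          0 },
#endif
    { CLONE_PTRACE,         "CLONE_PTRACE",         0 },
    { CLONE_VFORK,          "CLONE_VFORK",          0 },
    { CLONE_PARENT,         "CLONE_PARENT",         0 },
    { CLONE_THREAD,         "CLONE_THREAD",         0 },
    { CLONE_NEWNS,          "CLONE_NEWNS",          1 },
    { CLONE_SYSVSEM,        "CLONE_SYSVSEM",        0 },
    { CLONE_SETTLS,         "CLONE_SETTLS",         0 },
    { CLONE_PARENT_SETTID,  "CLONE_PARENT_SETTID",  0 },
    { CLONE_CHILD_CLEARTID, "CLONE_CHILD_CLEARTID", 0 },
    { CLONE_UNTRACED,       "CLONE_UNTRACED",       0 },
    { CLONE_CHILD_SETTID,   "CLONE_CHILD_SETTID",   0 },
#ifdef CLONE_NEWCGROUP
    { CLONE_NEWCGROUP,      "CLONE_NEWCGROUP",      1 },
#endif
    { CLONE_NEWUTS,         "CLONE_NEWUTS",         1 },
    { CLONE_NEWIPC,         "CLONE_NEWIPC",         1 },
    { CLONE_NEWUSER,        "CLONE_NEWUSER",        1 },
    { CLONE_NEWPID,         "CLONE_NEWPID",         1 },
    { CLONE_NEWNET,         "CLONE_NEWNET",         1 },
    { CLONE_IO,             "CLONE_IO",             0 },
};
#define N_CLONE_FLAGS (sizeof kCloneFlags / sizeof kCloneFlags[0])

/* Returns nonzero if any namespace-creating flag is set. */
int clone_creates_namespace(unsigned long flags)
{
    for (size_t i = 0; i < N_CLONE_FLAGS; i++)
        if (kCloneFlags[i].creates_namespace && (flags & kCloneFlags[i].bit))
            return 1;
    return 0;
}

/* Renders flags as "NAME|NAME|...|SIGCHLD". Uses a static buffer, so the
 * result is overwritten by the next call (fine for a single-threaded tool). */
const char *clone_flags_to_string(unsigned long flags)
{
    static char buf[512];
    size_t pos = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < N_CLONE_FLAGS; i++)
        if (flags & kCloneFlags[i].bit)
            pos += (size_t)snprintf(buf + pos, sizeof buf - pos, "%s%s",
                                    pos ? "|" : "", kCloneFlags[i].name);
    unsigned long sig = flags & CSIGNAL_MASK;
    if (sig == SIGCHLD)
        snprintf(buf + pos, sizeof buf - pos, "%sSIGCHLD", pos ? "|" : "");
    else if (sig)
        snprintf(buf + pos, sizeof buf - pos, "%ssignal=%lu", pos ? "|" : "", sig);
    return buf;
}

/* Coarse classification; namespace creation is checked first because it is
 * the case a detection rule most wants to single out. Labels are our own. */
const char *classify_clone(unsigned long flags)
{
    if (clone_creates_namespace(flags)) return "namespace";
    if (flags & CLONE_THREAD)           return "thread";
    if (flags & CLONE_VFORK)            return "vfork";
    if (flags & CLONE_VM)               return "shared-vm-process"; /* unusual */
    return "fork";
}

int main(void)
{
    /* Constructed sample events in the shape of (comm, flags). */
    struct { const char *comm; unsigned long flags; } events[] = {
        { "nginx",   0x01200011UL }, /* glibc fork() */
        { "java",    0x003d0f00UL }, /* glibc pthread_create() */
        { "bash",    0x30020011UL }, /* CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNS|SIGCHLD */
    };
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++)
        printf("%-6s %-18s %s\n", events[i].comm,
               classify_clone(events[i].flags), clone_flags_to_string(events[i].flags));
    return 0;
}
```

A rule that alerts on "namespace" results from a comm that is not an expected runtime (runc, containerd-shim, systemd-nspawn, bwrap, and so on) is a reasonable starting point; remember that the same thing can be done with the unshare and setns syscalls, which this event does not see.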

Issues

The kprobe fires at syscall entry, so the captured arguments are what user space passed, not what the kernel accepted: an invalid combination (for example CLONE_NEWUSER together with CLONE_FS, or CLONE_THREAD without CLONE_SIGHAND) still produces an event even though the call fails with EINVAL, and the event carries no child PID. The event also does not cover the other ways to create a process: the separate fork and vfork syscalls on architectures that have them, and clone3, which newer glibc versions use for pthread_create when the kernel supports it. Detection logic keyed only on sys_clone will miss those. Finally, stack, parent_tid, child_tid and tls are user-supplied pointers and should be treated as untrusted values.

Related Events

  • fork - syscall which creates a child process with its own copy-on-write address space; equivalent to clone with only SIGCHLD set.
  • execve - syscall which replaces the calling process's program image with a new one, discarding the existing address space while keeping the PID and open file descriptors.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.