
prctl

Intro

prctl - system call that gets and sets attributes of the calling process or thread (name, dumpable flag, no_new_privs, seccomp mode, capability bounding set, parent-death signal, and others).

Description

The prctl() system call lets a process read and modify attributes of itself (or, for several options, of the calling thread only), selected by the option argument: the thread name (PR_SET_NAME / PR_GET_NAME), the dumpable flag that governs core dumps and who may ptrace the process or read its /proc/<pid> entries (PR_SET_DUMPABLE), the no_new_privs bit (PR_SET_NO_NEW_PRIVS), the seccomp mode and filter (PR_SET_SECCOMP), the capability bounding set (PR_CAPBSET_DROP), the signal delivered when the parent dies (PR_SET_PDEATHSIG), and the process allowed to attach under the Yama ptrace scope (PR_SET_PTRACER), among others. It does not set resource limits such as memory or open-file counts; that is the job of setrlimit(). The meaning of arg2 through arg5 depends entirely on option.

Many of these options are security-relevant, which is why the call is worth tracing. PR_SET_NAME changes the name reported by ps and /proc/<pid>/comm, so a process can masquerade as something benign. PR_SET_DUMPABLE with a value of 0 disables core dumps and blocks unprivileged ptrace and /proc/<pid> inspection, which is an anti-debugging and anti-forensics measure when used by malware and a hardening measure when used by programs that hold secrets. PR_SET_NO_NEW_PRIVS and PR_SET_SECCOMP install sandboxing, and PR_CAPBSET_DROP permanently removes capabilities from the bounding set.

Arguments

  • option:int[K] - the operation to perform.
  • arg2:unsigned long[K] - depends on the option argument.
  • arg3:unsigned long[K] - depends on the option argument.
  • arg4:unsigned long[K] - depends on the option argument.
  • arg5:unsigned long[K] - depends on the option argument.

Available Tags

  • K - Originated from kernel-space.

Hooks

sys_prctl

Type

Kprobe

Purpose

To trace the prctl system call.

Example Use Case

For example, a process can use prctl() to rename itself (PR_SET_NAME), mark itself non-dumpable before it handles key material (PR_SET_DUMPABLE with arg2 = 0), ask for a signal when its parent exits (PR_SET_PDEATHSIG), drop capabilities from its bounding set (PR_CAPBSET_DROP), or enter a seccomp sandbox (PR_SET_NO_NEW_PRIVS followed by PR_SET_SECCOMP). From the detection side, a PR_SET_NAME issued by an unexpected binary, or a PR_SET_DUMPABLE 0 from a process with no reason to hide, are the calls worth alerting on.
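The following program is an added example (it is not Tracee code and not part of the kernel) that exercises the options discussed in the Description and in this section and shows the values an analyst would see in the event. The helper names (prctl_option_name, rename_thread, set_dumpable, set_parent_death_signal, set_no_new_privs) are hypothetical and exist only for this illustration; the prctl constants and the 15-byte name limit are the kernel's own. It assumes Linux with a kernel of 3.5 or later (for PR_SET_NO_NEW_PRIVS) and glibc headers.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <sys/prctl.h>

/* Map the raw 'option' value recorded by the event to its symbolic name.
   Only a subset of options is listed; anything else reports UNKNOWN. */
const char *prctl_option_name(int option)
{
    switch (option) {
    case PR_SET_PDEATHSIG:    return "PR_SET_PDEATHSIG";
    case PR_GET_PDEATHSIG:    return "PR_GET_PDEATHSIG";
    case PR_GET_DUMPABLE:     return "PR_GET_DUMPABLE";
    case PR_SET_DUMPABLE:     return "PR_SET_DUMPABLE";
    case PR_SET_NAME:         return "PR_SET_NAME";
    case PR_GET_NAME:         return "PR_GET_NAME";
    case PR_GET_SECCOMP:      return "PR_GET_SECCOMP";
    case PR_SET_SECCOMP:      return "PR_SET_SECCOMP";
    case PR_CAPBSET_READ:     return "PR_CAPBSET_READ";
    case PR_CAPBSET_DROP:     return "PR_CAPBSET_DROP";
    case PR_SET_NO_NEW_PRIVS: return "PR_SET_NO_NEW_PRIVS";
    case PR_GET_NO_NEW_PRIVS: return "PR_GET_NO_NEW_PRIVS";
    default:                  return "UNKNOWN";
    }
}

/* PR_SET_NAME: rename the calling thread. arg2 is a user-space pointer to the
   new name, so the event records an address, not the string. The kernel keeps
   at most 15 bytes plus a NUL (TASK_COMM_LEN) and silently truncates longer
   names. Returns the name read back via PR_GET_NAME (static buffer), or NULL
   on error. Hypothetical helper for this example. */
const char *rename_thread(const char *name)
{
    static char comm[16];
    if (prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0) != 0)
        return NULL;
    if (prctl(PR_GET_NAME, (unsigned long)comm, 0, 0, 0) != 0)
        return NULL;
    return comm;
}

/* PR_SET_DUMPABLE: 0 disables core dumps and restricts ptrace and
   /proc/<pid> access to root; 1 restores the default. Returns the value the
   kernel reports afterwards via PR_GET_DUMPABLE, or -1 on error. */
int set_dumpable(int value)
{
    if (prctl(PR_SET_DUMPABLE, (unsigned long)value, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* PR_SET_PDEATHSIG: deliver 'sig' to this thread when its parent exits.
   The getter writes the value through the pointer passed as arg2 instead of
   returning it. Returns the signal read back, or -1 on error. */
int set_parent_death_signal(int sig)
{
    int readback = 0;
    if (prctl(PR_SET_PDEATHSIG, (unsigned long)sig, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_GET_PDEATHSIG, (unsigned long)&readback, 0, 0, 0) != 0)
        return -1;
    return readback;
}

/* PR_SET_NO_NEW_PRIVS: a one-way switch. Once set it cannot be cleared, is
   inherited across fork and execve, and stops execve from granting privilege
   through setuid or file capabilities. Returns the flag as reported by
   PR_GET_NO_NEW_PRIVS, or -1 on error. */
int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

int main(void)
{
    const char *comm;

    printf("event option 15 decodes to %s\n", prctl_option_name(15));
    comm = rename_thread("very-long-process-name");
    if (comm)
        printf("thread name is now \"%s\" (truncated to 15 bytes)\n", comm);
    printf("dumpable after PR_SET_DUMPABLE 0: %d\n", set_dumpable(0));
    printf("dumpable after PR_SET_DUMPABLE 1: %d\n", set_dumpable(1));
    printf("parent death signal: %d\n", set_parent_death_signal(SIGTERM));
    printf("no_new_privs: %d\n", set_no_new_privs());
    return 0;
}
```

Run it under Tracee with the prctl event enabled and each helper shows up as one or two events whose option values decode with prctl_option_name(). Note that PR_SET_NAME, PR_SET_PDEATHSIG and PR_SET_NO_NEW_PRIVS act on the calling thread, so in a multithreaded program the thread id in the event matters; and because set_no_new_privs() is irreversible, run the program in a throwaway process.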

Issues

The event records option and the raw values of arg2 through arg5; their interpretation depends on option, and for several options an argument is a user-space pointer (the name buffer passed to PR_SET_NAME, the sock_fprog passed to PR_SET_SECCOMP, the output pointer of PR_GET_PDEATHSIG), so the event carries an address rather than the content unless the pointer is dereferenced. Reading user memory from the probe is subject to a TOCTOU (time of check, time of use) race, because the process can rewrite the buffer between the probe reading it and the kernel copying it. Several options also apply to the calling thread rather than the whole process (PR_SET_NAME, PR_SET_PDEATHSIG, PR_SET_SECCOMP, PR_SET_NO_NEW_PRIVS), so the thread id, not only the process id, is needed to correlate the event with its effect.

Related Events

sys_exit, set_on_exit, duplicate_process

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.