waitid

Intro

waitid - Wait for processes or process groups to change state

Description

waitid allows the caller to block until one of its child processes changes state, or until a signal caught by the caller is delivered. The caller may request information about the child process on which it blocked: its status and its resource usage data. If a process group ID is given instead of a process ID, waitid will wait for any member of the given process group to change state.

Because of time-of-check to time-of-use (TOCTOU) race conditions and similar issues, waitid should be used carefully: the process changing state may not be the one expected, and other issues may arise.

Arguments

  • idtype:int[K] - Type of ID to wait for. It can be P_PID, P_PGID or P_ALL.
  • id:pid_t[K] - Process or process group ID.
  • infop:struct siginfo*[U] - Const pointer to a siginfo_t struct. If non-NULL, the status of the child process will be stored there.
  • options:int[K] - Value can have the WEXITED or WNOHANG flag set, amongst others.
  • rusage:struct rusage*[U] - Pointer to a rusage_t structure. If non-NULL, the resource usage data of the process on which it blocked will be stored there.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user-space memory used to get it).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_wait4

Type

Kprobes.

Purpose

Trace when a waitid syscall is executed.

Example Use Case

waitid can be used when a child process must complete a certain task before continuing execution. The calling process can wait for the child to change its state using waitid, for example when the child terminates.

Issues

Due to TOCTOU-like issues, waitid should be used with extra care as the process changing state may not be the one expected.
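The use case and the caveat above, as an added example that is not part of the original page or of Tracee: a C program for Linux that issues the raw waitid syscall with all five arguments, pins the wait to one child with P_PID, and checks the reported si_pid before using the result. The names spawn_child, wait_exact and struct child_result are hypothetical.

```c
#define _GNU_SOURCE          /* for syscall(); Linux with glibc is assumed */
#include <signal.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

struct child_result { int code; int status; long maxrss_kb; };

/* Hypothetical helper: fork a child that exits with `code`, or blocks if block != 0. */
pid_t spawn_child(int code, int block)
{
    signal(SIGCHLD, SIG_DFL);   /* with SIGCHLD ignored, children are auto-reaped */
    pid_t pid = fork();
    if (pid == 0) {
        while (block)
            pause();
        _exit(code);
    }
    return pid;
}

/* Hypothetical helper. Returns 1 if `child` changed state (details in *out),
 * 0 if WNOHANG found nothing to report, -1 on error or an unexpected PID. */
int wait_exact(pid_t child, int options, struct child_result *out)
{
    siginfo_t info;
    struct rusage ru = {0};
    memset(&info, 0, sizeof info);  /* si_pid == 0 means "no child reported" */
    /* P_PID plus an explicit id, not P_ALL: only this child can satisfy the wait. */
    if (syscall(SYS_waitid, P_PID, child, &info, options, &ru) != 0)
        return -1;
    if (info.si_pid == 0)
        return 0;
    if (info.si_pid != child)       /* trust what was reported, not what was asked */
        return -1;
    out->code = info.si_code;       /* CLD_EXITED, CLD_KILLED, ... */
    out->status = info.si_status;   /* exit code or signal number */
    out->maxrss_kb = ru.ru_maxrss;  /* from the fifth (rusage) argument */
    return 1;
}

int main(void)
{
    struct child_result r;
    pid_t child = spawn_child(7, 0);
    return (child > 0 && wait_exact(child, WEXITED, &r) == 1 && r.status == 7) ? 0 : 1;
}
```

Once a child has been reaped, a second wait on the same PID fails, so a stored PID should not be treated as still referring to that child.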

Related Events

  • waitpid
  • wait4
  • wait

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.