Skip to content

clone3

Intro

clone3 - sys_clone3() creates a new process (child process)

Description

Clone3() creates a new process, with a new PID, that shall be a copy of the parent process. This can be used to customize the way a process is created and allows for passing arguments. It includes the standard behavior of clone() along with new features such as customizing the execution domain (which will determine which flags and resources will be used when creating a new process) and allowing for anonymous mapping of memory.

The clone3() entry point allows for customizing the execution configuration. If the invocation of the clone3() entry point is successful then the new child process is returned in the variables pointed to by the cl_args struct.

Arguments

  • cl_args:struct clone_args*[KU] - Pointer to a structure containing arguments to customize the execution configuration.
  • size:size_t[K] - Size of cl_args structure.

Available Tags

  • K - Originated from kernel space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)

Hooks

sys_clone3

Type

Kprobe

Purpose

To track the execution of clone3 system call in the kernel.

Example Use Case

This could be used for running services in Docker containers, as it is possible to customize the execution domain by using clone3.

Issues

It is vulnerable to TOCTOU (time of check, time of use) attacks due to the fact that the arguments passed to the syscall are user supplied.

  • execve - execution of a new program.
  • unshare - creating a process by sharing resources to selectively.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.