Linux – How to Find What Ring a Process is Running On

64bitlinuxprivilegesprocess

How can I find out which protection ring a given process is running in, and if possible can I produce a list of running processes with their respective rings? This thread gives some insight into what rings are utilised on an x86 processor: https://stackoverflow.com/questions/18717016/what-are-ring-0-and-ring-3-in-the-context-of-operating-systems

I would like to know how to find out what protection ring level processes are running in myself, not be given a description of what rings processes will be running in (although you can include it if you want).

Best Answer

On x86, the current privilege level is determined by the bottom two bits of the code segment selector, i.e. the value stored in the CS register. So "all" you need to do to determine the current privilege level of a process is look at the value of its CS register.

You can do that quite easily for your own program (assuming 64-bit x86):

#include <stdint.h>
#include <stdio.h>

int main (int argc, char **argv) {
    uint64_t rcs = 0;
    asm ("mov %%cs, %0" : "=r" (rcs));
    printf("%d\n", (int) (rcs & 3));
    return 0;
}

For other processes, you'd have to attach to them using something like ptrace, and examine their registers. You can do this manually using gdb: identify a process, attach to it (if you're allowed to) using gdb --pid ..., then issue the gdb command info registers cs to see the current value of CS, and extract the value of the least-significant two bits.

On Linux on x86 you'll quickly see that the current privilege level is always 3: user processes always run in ring 3, except when they’re in system calls (which run in ring 0) — but you won’t be able to see them in ring 0 externally, except by tracing kernel code using ftrace for example.

Related Solutions

Linux – Why kernel threads are treated as processes

Quoting Linux Device Drivers, 3rd Edition. I didn't use the Quote button, as I wanted to bold the options

Except where specified otherwise, all of these options are found under the "kernel hacking" menu in whatever kernel configuration tool you prefer. Note that some of these options are not supported by all architectures.

CONFIG_DEBUG_KERNEL
This option just makes other debugging options available; it should be turned on but does not, by itself, enable any features.

CONFIG_DEBUG_SLAB
This crucial option turns on several types of checks in the kernel memory allocation functions; with these checks enabled, it is possible to detect a number of memory overrun and missing initialization errors. Each byte of allocated memory is set to 0xa5 before being handed to the caller and then set to 0x6b when it is freed. If you ever see either of those "poison" patterns repeating in output from your driver (or often in an oops listing), you'll know exactly what sort of error to look for. When debugging is enabled, the kernel also places special guard values before and after every allocated memory object; if those values ever get changed, the kernel knows that somebody has overrun a memory allocation, and it complains loudly. Various checks for more obscure errors are enabled as well.

CONFIG_DEBUG_PAGEALLOC
Full pages are removed from the kernel address space when freed. This option can slow things down significantly, but it can also quickly point out certain kinds of memory corruption errors.

CONFIG_DEBUG_SPINLOCK
With this option enabled, the kernel catches operations on uninitialized spinlocks and various other errors (such as unlocking a lock twice).

CONFIG_DEBUG_SPINLOCK_SLEEP
This option enables a check for attempts to sleep while holding a spinlock. In fact, it complains if you call a function that could potentially sleep, even if the call in question would not sleep.

CONFIG_INIT_DEBUG
Items marked with _ _init (or _ _initdata) are discarded after system initialization or module load time. This option enables checks for code that attempts to access initialization-time memory after initialization is complete.

CONFIG_DEBUG_INFO
This option causes the kernel to be built with full debugging information included. You'll need that information if you want to debug the kernel with gdb. You may also want to enable CONFIG_FRAME_POINTER if you plan to use gdb.

CONFIG_MAGIC_SYSRQ
Enables the "magic SysRq" key. We look at this key in Section 4.5.2 later in this chapter.

CONFIG_DEBUG_STACKOVERFLOW CONFIG_DEBUG_STACK_USAGE
These options can help track down kernel stack overflows. A sure sign of a stack overflow is an oops listing without any sort of reasonable back trace. The first option adds explicit overflow checks to the kernel; the second causes the kernel to monitor stack usage and make some statistics available via the magic SysRq key.

CONFIG_KALLSYMS
This option (under "General setup/Standard features") causes kernel symbol information to be built into the kernel; it is enabled by default. The symbol information is used in debugging contexts; without it, an oops listing can give you a kernel traceback only in hexadecimal, which is not very useful.

CONFIG_IKCONFIG CONFIG_IKCONFIG_PROC
These options (found in the "General setup" menu) cause the full kernel configuration state to be built into the kernel and to be made available via /proc. Most kernel developers know which configuration they used and do not need these options (which make the kernel bigger). They can be useful, though, if you are trying to debug a problem in a kernel built by somebody else.

CONFIG_ACPI_DEBUG
Under "Power management/ACPI." This option turns on verbose ACPI (Advanced Configuration and Power Interface) debugging information, which can be useful if you suspect a problem related to ACPI.

CONFIG_DEBUG_DRIVER
Under "Device drivers." Turns on debugging information in the driver core, which can be useful for tracking down problems in the low-level support code. We'll look at the driver core in Chapter 14.

CONFIG_SCSI_CONSTANTS
This option, found under "Device drivers/SCSI device support," builds in information for verbose SCSI error messages. If you are working on a SCSI driver, you probably want this option.

CONFIG_INPUT_EVBUG
This option (under "Device drivers/Input device support") turns on verbose logging of input events. If you are working on a driver for an input device, this option may be helpful. Be aware of the security implications of this option, however: it logs everything you type, including your passwords.

CONFIG_PROFILING
This option is found under "Profiling support." Profiling is normally used for system performance tuning, but it can also be useful for tracking down some kernel hangs and related problems.

Explanation

Enabling these options enable you to receive output should the Thread Daemon Crash. In some instaces these will give you more information on running items/threads. An Explanation of a Worker thread is available here. RCU_Scheduler is the tick mechanism for ReadCopyUpdate. What is ReadCopyUpdate in the Linux Kernel?

Kernel Threads handle items used while the Kernel is doing work. The should not be killed by userspace tools.

Linux – Differences between system processes, and user processes, kernel control paths and kernel thread

In the case of Linux, a task (kernel internal idea of a thread; threads can share resources, like memory and open files; some run only inside the kernel) can run in userland, or (it's thread of execution) can transfer into the kernel (and back) to execute a system call. A user thread can be highjacked temporarily to execute an interrupt (but that isn't really that thread running).

That a process is a "system process" or a regular user process is completely irrelevant in Unix, they are handled just the same. In Linux case, some tasks run in-kernel to handle miscellaneous jobs. They are kernel jobs, not "system processes" however.

One big caveat: Text books on complex software products (compilers and operating systems are particularly egregious examples) tend to explain simplistic algorithms (often ones that haven't been used in earnest for half a century), because real world machines and user requirements are much too complex to be handled in some way that can be described in a structured, simple way. Much of a compiler is ad-hoc tweaks (particularly in the area of code optimization, the transformations are mostly the subset of possibilities that show up in practical use). In the case of Linux, most of the code is device drivers (mentioned in passing as device-dependent in operating system texts), and of this code a hefty slice is handling misbehaving devices, which do not comply to their own specifications, or which behave differently between versions of "the same device". Often what is explained in minute detail is just the segment of the job that can be reduced to some nice theory, leaving the messy, irregular part (almost) completely out. For instance, Cris Fraser and David Hanson in their book describing the LCC compiler state that typical compiler texts contain mostly explanations on lexical analysis and parsing, and very little on code generation. Those tasks are some 5% of the code of their (engineered to be simple!) compiler, and had negligible error rate. The complex part of the compiler is just not covered in standard texts.

Best Answer

Related Solutions

Linux – Why kernel threads are treated as processes

Explanation

Linux – Differences between system processes, and user processes, kernel control paths and kernel thread

Related Question