02:01 <derek0883> @fche, I did some further testing, if daemon not call _exit(0), just wait for child or sleep, then systemtap able to catch fopen call.

02:19 <fche> hm interesting

04:54 <derek0883> @fche I may figured out, why after daemon called, system couldn't catch fopen call. As daemon call fork, then parent will call exit(0), if parent run first, will exit, and child will became #1's child process,

04:56 <derek0883> which is systemd on my ubuntu, but my systemtap started after systemd, so libc in systemd's address space kept untouched, no hook installed. when child get run, will use glibc in #1's address space, which already loaded

04:57 <derek0883> systemtap can catch sys_open, because that HOOK is installed in kernel space.

13:01 <fche> hmm kind of strange

13:01 <fche> I know at some point some kernels protected pid#1 from some types of introspection (ptrace etc.)

13:01 <fche> but can't think of a mechanism by which an orphaned child process of a normal userspace pid would inherit such protections