Re: [RFC] Tracepoint proposal

From: Masami Hiramatsu
Date: Tue Jun 24 2008 - 12:06:22 EST

Next message: Jan Kara: "Re: [PATCH] ext3: handle corrupted orphan list at mount"
Previous message: Andreas Herrmann: "Re: [PATCH] x86: enable hpet=force for AMD SB400"
In reply to: Frank Ch. Eigler: "Re: [RFC] Tracepoint proposal"
Next in thread: KOSAKI Motohiro: "Re: [RFC] Tracepoint proposal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Takashi Nishiie wrote:
> Hi
>
> Hiramatsu wrote:
>> One reason why we need markers or other in-the-middle-of-function
>> trace point is that some events happen inside functions, not it's
>> interface.
>
> Each kernel sub-system seems to have its own way of dealing with
> debugging statements. Some of these methods include 'dprintk',
> 'pr_debug', 'dev_debug', 'DEBUGP'. I think that these functions are
> the tracepoints that has been availably mounted without setting up
> the tool set of the outside. I think whether mounting that unites
> these functions can be done if kernel marker and tracepoint are used.

Sure, I think those functions covers each partially, but some requirements
are different.

dynamic printk
- stored in a section
- dynamic activation
- formatted message (multiple messages for each activation group)
- export basic types
- variadic function
- low frequently called
- module support

Marker
- stored in a section
- dynamic activation
- formatted string (single format for each marker)
- export basic types
- variadic function
- low-high frequently called
- module support

Tracepoint
- stored in a section
- dynamic activation
- no message
- export kernel structure
- arguments depending on points
- high frequently called
- no module support (kernel use only)

> By the way, isn't there problem on security?
> What kprobe, jprobe, and kernel marker, etc. offer looks like what
> the framework of Linux Security Module had offered before. Gotten
> kprobe, jprobe, and kernel marker, etc. should not be exported to the
> userland for security because it becomes the hotbed of rootkits. Users
> such as kprobe, jprobe, and kernel marker should not be Loadable Kernel
> Module. I think that there are some solutions in LTTng about this
> security problem. However, will the environment to be able to operate
> SystemTap be really secure?
> 　At least, kernel commandline option to invalidate all of kprobe,
> jprobe, and kernel marker, etc. because of the batch might be
> necessary.

Please, set CONFIG_MODULES=no.
If your system really really needs to be hardened, please
don't make kernel module loadable. Otherwise, any kernel module
can modify any kernel code. So, I think it's not a problem of
any specific functionality.

Anyway, I think selinux will give you more flexible way to
restrict who can load what modules.

Thank you,

--
Masami Hiramatsu

Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division

e-mail: mhiramat@xxxxxxxxxx

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jan Kara: "Re: [PATCH] ext3: handle corrupted orphan list at mount"
Previous message: Andreas Herrmann: "Re: [PATCH] x86: enable hpet=force for AMD SB400"
In reply to: Frank Ch. Eigler: "Re: [RFC] Tracepoint proposal"
Next in thread: KOSAKI Motohiro: "Re: [RFC] Tracepoint proposal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]