Re: [RFC] Tracepoint proposal

[Masami Hiramatsu <mhiramat@redhat.com>]

Hi,

Takashi Nishiie wrote:
> Hi
> 
> Hiramatsu wrote:
>> One reason why we need markers or other in-the-middle-of-function 
>> trace point is that some events happen inside functions, not it's 
>> interface.
> 
>   Each kernel sub-system seems to have its own way of dealing with 
> debugging statements. Some of these methods include 'dprintk', 
> 'pr_debug', 'dev_debug', 'DEBUGP'. I think that these functions are
> the tracepoints that has been availably mounted without setting up 
> the tool set of the outside. I think whether mounting that unites 
> these functions can be done if kernel marker and tracepoint are used.

Sure, I think those functions covers each partially, but some requirements
are different.

dynamic printk
 - stored in a section
 - dynamic activation
 - formatted message (multiple messages for each activation group)
 - export basic types
 - variadic function
 - low frequently called
 - module support

Marker
 - stored in a section
 - dynamic activation
 - formatted string (single format for each marker)
 - export basic types
 - variadic function
 - low-high frequently called
 - module support

Tracepoint
 - stored in a section
 - dynamic activation
 - no message
 - export kernel structure
 - arguments depending on points
 - high frequently called
 - no module support (kernel use only)


>   By the way, isn't there problem on security?
>   What kprobe, jprobe, and kernel marker, etc. offer looks like what
> the framework of Linux Security Module had offered before. Gotten
> kprobe, jprobe, and kernel marker, etc. should not be exported to the
> userland for security because it becomes the hotbed of rootkits. Users
> such as kprobe, jprobe, and kernel marker should not be Loadable Kernel
> Module. I think that there are some solutions in LTTng about this
> security problem. However, will the environment to be able to operate
> SystemTap be really secure?
> 　At least, kernel commandline option to invalidate all of kprobe,
> jprobe, and kernel marker, etc. because of the batch might be
> necessary.

Please, set CONFIG_MODULES=no.
If your system really really needs to be hardened, please
don't make kernel module loadable. Otherwise, any kernel module
can modify any kernel code. So, I think it's not a problem of
any specific functionality.

Anyway, I think selinux will give you more flexible way to
restrict who can load what modules.

Thank you,

-- 
Masami Hiramatsu

Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division

e-mail: mhiramat@redhat.com