From: Steven Rostedt <rostedt@goodmis.org>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: Jordan Rome <linux@jordanrome.com>,
linux-security-module@vger.kernel.org,
linux-trace-kernel@vger.kernel.org,
Andrii Nakryiko <andrii@kernel.org>,
Kernel Team <kernel-team@fb.com>, Serge Hallyn <serge@hallyn.com>,
Yonghong Song <yonghong.song@linux.dev>
Subject: Re: [v1] security: add trace event for cap_capable
Date: Thu, 24 Oct 2024 20:23:07 -0400
Message-ID: <20241024202307.196a2993@rorschach.local.home>
In-Reply-To: <CAEf4BzaZvSHnHBPcgkznq62sm_E2JNi1Bwg3g_a9PutfZLicmQ@mail.gmail.com>

On Thu, 24 Oct 2024 10:48:55 -0700
Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:

> > You record cred, targ_ns and capable_ns but don't use it in TP_printk?
> >
> > It's fine to print pointers there. Is there a reason you do not?
>
> Are those pointers really useful for anything? Maybe it's better to
> print ns->ns.inum instead? At least that's something that is usable
> from user space side, no?

Pointers are actually useful from user space. It allows you to add
eprobes to get data from the structure. Yes, you can do this from BPF
but sometimes a shell script is nicer to use.

  $ gdb vmlinux
  (gdb) print &(((struct user_namespace *)0)->ns.inum)
  $2 = (unsigned int *) 0xe8

  # cd /sys/kernel/tracing
  # echo 'e:cap capability/capable num=+0xe8($capable_ns)' > dynamic_events
  # echo 1 > events/eprobes/cap/enable
  # cat trace

Thus pointers give a nice way of getting info dynamically, and having
the pointer printed out in the TP_printk also helps to know you can do
this.

I realize that eprobes is not documented well (or at all) which needs
to be fixed.

-- Steve
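
The eprobe recipe in the message above, as an added shell example that is not part of the original mail: it builds the dynamic_events line from a gdb-reported offset and rejects malformed offsets or field names before anything is written to tracefs. The function names, the TRACEFS variable and the optional `u32` type suffix (chosen to match the `unsigned int *` gdb reports) are assumptions of this example; the offset is specific to the vmlinux it was read from.

```shell
#!/bin/sh
# Added example. capability/capable and capable_ns come from the thread;
# eprobe_def/eprobe_install/eprobe_remove are hypothetical helper names.
TRACEFS=${TRACEFS:-/sys/kernel/tracing}

# eprobe_def NAME SYSTEM/EVENT FIELD OFFSET ARGNAME [TYPE]
# Prints the dynamic_events line; returns 1 on malformed input.
eprobe_def() {
    name=$1 src=$2 field=$3 off=$4 arg=$5 type=${6:-}
    # Offset must be 0x-prefixed hex, exactly as gdb prints it.
    case $off in
        0x*) hex=${off#0x} ;;
        *) echo "offset '$off' needs a 0x prefix" >&2; return 1 ;;
    esac
    case $hex in
        ''|*[!0-9a-fA-F]*) echo "offset '$off' is not hex" >&2; return 1 ;;
    esac
    # Probe name, event field and argument name must be C-style identifiers.
    for id in "$name" "$field" "$arg"; do
        case $id in
            ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad identifier '$id'" >&2; return 1 ;;
        esac
    done
    case $src in
        */*) ;;
        *) echo "source must be SYSTEM/EVENT" >&2; return 1 ;;
    esac
    printf 'e:%s %s %s=+%s($%s)%s\n' \
        "$name" "$src" "$arg" "$off" "$field" "${type:+:$type}"
}

# eprobe_install DEF: append the definition and enable it (root + tracefs).
eprobe_install() {
    def=$1
    [ -w "$TRACEFS/dynamic_events" ] || { echo "tracefs not writable" >&2; return 1; }
    ename=${def#e:}; ename=${ename%% *}
    # Append (>>) so existing dynamic events are kept.
    echo "$def" >> "$TRACEFS/dynamic_events" || return 1
    echo 1 > "$TRACEFS/events/eprobes/$ename/enable"
}

# eprobe_remove NAME: disable the eprobe, then delete its definition.
eprobe_remove() {
    echo 0 > "$TRACEFS/events/eprobes/$1/enable" &&
    echo "-:eprobes/$1" >> "$TRACEFS/dynamic_events"
}
```

Typical use as root: `eprobe_install "$(eprobe_def cap capability/capable capable_ns 0xe8 num u32)"`, read `trace`, then `eprobe_remove cap`.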