authorFrank Ch. Eigler <fche@elastic.org>2010-02-05 16:55:22 -0500
committerFrank Ch. Eigler <fche@elastic.org>2010-02-05 16:55:22 -0500
commit03d9fbb14c2f641e315be2419b70382bfd43f620 (patch)
treefe866bfcac9a4358f3f4e0c4402d114bf2da35a2
parent3cad5a57f0117dcb994b72db454b3fa1805e5dd5 (diff)
downloadsystemtap-steved-03d9fbb14c2f641e315be2419b70382bfd43f620.tar.gz
systemtap-steved-03d9fbb14c2f641e315be2419b70382bfd43f620.tar.xz
systemtap-steved-03d9fbb14c2f641e315be2419b70382bfd43f620.zip
PR11256: harden --unprivileged mode
* tapset-mark.cxx, tapsets.cxx: Don't even publish probe point families that are inappropriate for use in --unprivileged mode. (dwarf_derived_probe_*unprivileged*): Remove, to default to blanket no-permission rather than emit_process_owner_permission mode. * testsuite/semko/fortyeight.stp: New test.
-rw-r--r--tapset-mark.cxx2
-rw-r--r--tapsets.cxx37
-rwxr-xr-xtestsuite/semko/fortyeight.stp4
3 files changed, 17 insertions, 26 deletions
diff --git a/tapset-mark.cxx b/tapset-mark.cxx
index 6dbc55dc..4d873eed 100644
--- a/tapset-mark.cxx
+++ b/tapset-mark.cxx
@@ -714,6 +714,8 @@ mark_builder::build(systemtap_session & sess,
void
register_tapset_mark(systemtap_session& s)
{
+ if (s.unprivileged) return;
+
match_node* root = s.pattern_root;
derived_probe_builder *builder = new mark_builder();
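Review bot: The early return at the top of register_tapset_mark carries no comment, so a later reader cannot tell that the kernel.mark family is deliberately left unregistered in --unprivileged mode rather than skipped by accident. I would add `// kernel.mark probes are privileged-only: in --unprivileged mode the family is not published at all.` directly above the check. It is also worth confirming the resulting diagnostic: with the pattern absent, an unprivileged user who names kernel.mark presumably gets a generic no-match error rather than a message that mentions privileges. The function body continues past the end of this hunk.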
diff --git a/tapsets.cxx b/tapsets.cxx
index 916e4ddf..bdce18a5 100644
--- a/tapsets.cxx
+++ b/tapsets.cxx
@@ -366,9 +366,6 @@ struct dwarf_derived_probe: public derived_probe
void emit_probe_local_init(translator_output * o);
void getargs(std::list<std::string> &arg_set) const;
- void emit_unprivileged_assertion (translator_output*);
- void print_dupe_stamp(ostream& o);
-
// Pattern registration helpers.
static void register_statement_variants(match_node * root,
dwarf_builder * dw);
@@ -3108,23 +3105,6 @@ dwarf_derived_probe::getargs(std::list<std::string> &arg_set) const
}
-void
-dwarf_derived_probe::emit_unprivileged_assertion (translator_output* o)
-{
- // These probes are allowed for unprivileged users, but only in the
- // context of processes which they own.
- emit_process_owner_assertion (o);
-}
-
-
-void
-dwarf_derived_probe::print_dupe_stamp(ostream& o)
-{
- // These probes are allowed for unprivileged users, but only in the
- // context of processes which they own.
- print_dupe_stamp_unprivileged_process_owner (o);
-}
-
void
dwarf_derived_probe::register_statement_variants(match_node * root,
@@ -3170,12 +3150,15 @@ dwarf_derived_probe::register_patterns(systemtap_session& s)
update_visitor *filter = new dwarf_cast_expanding_visitor(s, *dw);
s.code_filters.push_back(filter);
- register_function_and_statement_variants(root->bind(TOK_KERNEL), dw);
- register_function_and_statement_variants(root->bind_str(TOK_MODULE), dw);
- root->bind(TOK_KERNEL)->bind_num(TOK_STATEMENT)->bind(TOK_ABSOLUTE)
- ->bind(dw);
- root->bind(TOK_KERNEL)->bind_str(TOK_FUNCTION)->bind_str(TOK_LABEL)
- ->bind(dw);
+ if (! s.unprivileged)
+ {
+ register_function_and_statement_variants(root->bind(TOK_KERNEL), dw);
+ register_function_and_statement_variants(root->bind_str(TOK_MODULE), dw);
+ root->bind(TOK_KERNEL)->bind_num(TOK_STATEMENT)->bind(TOK_ABSOLUTE)
+ ->bind(dw);
+ root->bind(TOK_KERNEL)->bind_str(TOK_FUNCTION)->bind_str(TOK_LABEL)
+ ->bind(dw);
+ }
register_function_and_statement_variants(root->bind_str(TOK_PROCESS), dw);
root->bind_str(TOK_PROCESS)->bind_str(TOK_FUNCTION)->bind_str(TOK_LABEL)
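Review bot: The process patterns just below the new `if (! s.unprivileged)` block are still bound to the same `dw` builder, while this commit also removes the dwarf_derived_probe overrides of emit_unprivileged_assertion and print_dupe_stamp. According to the commit message the fallback is then blanket no-permission, so it should be confirmed that process.function/statement probes resolved through this builder either get their owner-only check from another class or are meant to be rejected for unprivileged users. A comment above the block would make the intent explicit, for example `// Kernel/module dwarf probes are not published in --unprivileged mode; only the process.* variants below remain.` register_patterns starts and ends outside this hunk, so the rest of the registration is not visible here.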
@@ -6516,6 +6499,8 @@ register_standard_tapsets(systemtap_session & s)
->bind_num(TOK_STATEMENT)->bind(TOK_ABSOLUTE)->bind(TOK_RETURN)
->bind(new uprobe_builder ());
+ if (s.unprivileged) return;
+
// kernel tracepoint probes
s.pattern_root->bind(TOK_KERNEL)->bind_str(TOK_TRACE)
->bind(new tracepoint_builder());
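Review bot: The `if (s.unprivileged) return;` in the middle of register_standard_tapsets makes the privilege boundary purely positional. Anything registered after it is withheld from unprivileged users, which fails closed, but a builder later added above it is silently published to them. The line should carry a comment that marks the boundary, such as `// Privileged-only probe families below; register above this line only builders that enforce their own --unprivileged checks.` Only the tracepoint registration is visible after the return; the remainder of the function lies outside this hunk, so which other families end up gated cannot be checked from here.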
diff --git a/testsuite/semko/fortyeight.stp b/testsuite/semko/fortyeight.stp
new file mode 100755
index 00000000..e79d7a1d
--- /dev/null
+++ b/testsuite/semko/fortyeight.stp
@@ -0,0 +1,4 @@
+#! /bin/sh
+
+# None of these probe types should even be acceptable to pass-2
+stap --unprivileged -p2 -t -e 'probe kernel.function("sys_open")!, kernel.trace("*")!, kernel.mark("*")!, module("*scsi*").function("*") { }'
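Review bot: The new semko test does not exercise every pattern this commit withholds: `kernel.statement(N).absolute` and `kernel.function(...).label(...)`, both moved under the `! s.unprivileged` guard in tapsets.cxx, have no alternative in the probe list. The final alternative `module("*scsi*").function("*")` is the only one without `!`, and it also fails to resolve on a host with no matching module loaded, so a regression in the module gate alone could go unnoticed there. I would add `kernel.statement(0).absolute!` and a `kernel.function("*").label("*")!` alternative, and consider making the module alternative independent of what is loaded. The comment could then state the mechanism: `# each alternative is marked sufficient (!), so pass-2 succeeds, and this semko test fails, if any one of them is still published`.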