diff options
author | Dave Brolley <brolley@redhat.com> | 2009-04-22 11:57:00 -0400 |
---|---|---|
committer | Dave Brolley <brolley@redhat.com> | 2009-04-22 11:57:00 -0400 |
commit | 88e8da383e47adafc9e75c4f10aecd0ce4ad959f (patch) | |
tree | 0770182c737b0779554a7b0bcd1786fb37b6b8c9 | |
parent | 623a41aeb47995f6b5790e38f9e0e10959f98b4e (diff) | |
download | systemtap-steved-88e8da383e47adafc9e75c4f10aecd0ce4ad959f.tar.gz systemtap-steved-88e8da383e47adafc9e75c4f10aecd0ce4ad959f.tar.xz systemtap-steved-88e8da383e47adafc9e75c4f10aecd0ce4ad959f.zip |
2009-04-22 Dave Brolley <brolley@redhat.com>
* elaborate.h (unprivileged_whitelist): Removed.
(unprivileged_ok): New member of match_node.
(allow_unprivileged,unprivileged_allowed): New methods of match_node.
* elaborate.cxx (match_node): Initialize unprivileged_ok. Remove
initialization of unprivileged_whitelist.
(allow_unprivileged,unprivileged_allowed): New methods of match_node.
(matchnode::find_and_build): Remove check of unprivileged_whitelist.
Call unprivileged_allowed.
* tapsets.cxx (dwarf_derived_probe::register_function_and_statement_variants):
New parameter: unprivileged_ok.
(dwarf_derived_probe::register_function_variants): Likewise.
(dwarf_derived_probe::register_statement_variants): Likeiwse.
(register_standard_tapsets): Call allow_unprivileged for nodes which are
safe for unprivileged users.
-rw-r--r-- | elaborate.cxx | 40 | ||||
-rw-r--r-- | elaborate.h | 6 | ||||
-rw-r--r-- | tapsets.cxx | 85 |
3 files changed, 82 insertions, 49 deletions
diff --git a/elaborate.cxx b/elaborate.cxx index b5d6046b..a1c2e652 100644 --- a/elaborate.cxx +++ b/elaborate.cxx @@ -261,9 +261,8 @@ match_key::globmatch(match_key const & other) const // ------------------------------------------------------------------------ match_node::match_node() - : end(NULL) + : end(NULL), unprivileged_ok (false) { - unprivileged_whitelist.push_back ("process"); } match_node * @@ -306,6 +305,18 @@ match_node::bind_num(string const & k) return bind(match_key(k).with_number()); } +match_node* +match_node::allow_unprivileged (bool b) +{ + unprivileged_ok = b; + return this; +} + +bool +match_node::unprivileged_allowed () const +{ + return unprivileged_ok; +} void match_node::find_and_build (systemtap_session& s, @@ -313,23 +324,6 @@ match_node::find_and_build (systemtap_session& s, vector<derived_probe *>& results) { assert (pos <= loc->components.size()); - - // If we are in --unprivileged mode, exclude all "unsafe" probes. - if (s.unprivileged && pos == 0) - { - unsigned i; - for (i = 0; i < unprivileged_whitelist.size(); i++) - { - if (unprivileged_whitelist[i] == loc->components[pos]->functor) - break; - } - if (i == unprivileged_whitelist.size()) { - throw semantic_error (string("probe class ") + - loc->components[pos]->functor + - " is not allowed for unprivileged users"); - } - } - if (pos == loc->components.size()) // matched all probe point components so far { derived_probe_builder *b = end; // may be 0 if only nested names are bound @@ -350,6 +344,14 @@ match_node::find_and_build (systemtap_session& s, param_map[loc->components[i]->functor] = loc->components[i]->arg; // maybe 0 + // Are we compiling for unprivileged users? */ + if (s.unprivileged) + { + // Is this probe point ok for unprivileged users? + if (! unprivileged_allowed ()) + throw semantic_error (string("probe point is not allowed for unprivileged users")); + } + b->build (s, p, loc, param_map, results); } else if (isglob(loc->components[pos]->functor)) // wildcard? diff --git a/elaborate.h b/elaborate.h index ca0182d1..36439c4f 100644 --- a/elaborate.h +++ b/elaborate.h @@ -236,8 +236,7 @@ match_node typedef std::map<match_key, match_node*>::iterator sub_map_iterator_t; sub_map_t sub; derived_probe_builder* end; - - std::vector<std::string> unprivileged_whitelist; + bool unprivileged_ok; public: match_node(); @@ -252,6 +251,9 @@ match_node match_node* bind_str(std::string const & k); match_node* bind_num(std::string const & k); void bind(derived_probe_builder* e); + + match_node* allow_unprivileged (bool b = true); + bool unprivileged_allowed () const; }; // ------------------------------------------------------------------------ diff --git a/tapsets.cxx b/tapsets.cxx index f99fbef4..deb9044c 100644 --- a/tapsets.cxx +++ b/tapsets.cxx @@ -2578,11 +2578,14 @@ struct dwarf_derived_probe: public derived_probe // Pattern registration helpers. static void register_statement_variants(match_node * root, - dwarf_builder * dw); + dwarf_builder * dw, + bool unprivileged_ok = false); static void register_function_variants(match_node * root, - dwarf_builder * dw); + dwarf_builder * dw, + bool unprivileged_ok = false); static void register_function_and_statement_variants(match_node * root, - dwarf_builder * dw); + dwarf_builder * dw, + bool unprivileged_ok = false); static void register_patterns(systemtap_session& s); }; @@ -5499,25 +5502,28 @@ dwarf_derived_probe::dwarf_derived_probe(const string& funcname, void dwarf_derived_probe::register_statement_variants(match_node * root, - dwarf_builder * dw) + dwarf_builder * dw, + bool unprivileged_ok) { - root->bind(dw); + root->allow_unprivileged(unprivileged_ok)->bind(dw); } void dwarf_derived_probe::register_function_variants(match_node * root, - dwarf_builder * dw) + dwarf_builder * dw, + bool unprivileged_ok) { - root->bind(dw); - root->bind(TOK_INLINE)->bind(dw); - root->bind(TOK_CALL)->bind(dw); - root->bind(TOK_RETURN)->bind(dw); - root->bind(TOK_RETURN)->bind_num(TOK_MAXACTIVE)->bind(dw); + root->allow_unprivileged(unprivileged_ok)->bind(dw); + root->bind(TOK_INLINE)->allow_unprivileged(unprivileged_ok)->bind(dw); + root->bind(TOK_CALL)->allow_unprivileged(unprivileged_ok)->bind(dw); + root->bind(TOK_RETURN)->allow_unprivileged(unprivileged_ok)->bind(dw); + root->bind(TOK_RETURN)->allow_unprivileged(unprivileged_ok)->bind_num(TOK_MAXACTIVE)->bind(dw); } void dwarf_derived_probe::register_function_and_statement_variants(match_node * root, - dwarf_builder * dw) + dwarf_builder * dw, + bool unprivileged_ok) { // Here we match 4 forms: // @@ -5526,10 +5532,10 @@ dwarf_derived_probe::register_function_and_statement_variants(match_node * root, // .statement("foo") // .statement(0xdeadbeef) - register_function_variants(root->bind_str(TOK_FUNCTION), dw); - register_function_variants(root->bind_num(TOK_FUNCTION), dw); - register_statement_variants(root->bind_str(TOK_STATEMENT), dw); - register_statement_variants(root->bind_num(TOK_STATEMENT), dw); + register_function_variants(root->bind_str(TOK_FUNCTION), dw, unprivileged_ok); + register_function_variants(root->bind_num(TOK_FUNCTION), dw, unprivileged_ok); + register_statement_variants(root->bind_str(TOK_STATEMENT), dw, unprivileged_ok); + register_statement_variants(root->bind_num(TOK_STATEMENT), dw, unprivileged_ok); } void @@ -5545,11 +5551,10 @@ dwarf_derived_probe::register_patterns(systemtap_session& s) register_function_and_statement_variants(root->bind_str(TOK_MODULE), dw); root->bind(TOK_KERNEL)->bind_num(TOK_STATEMENT)->bind(TOK_ABSOLUTE)->bind(dw); root->bind(TOK_KERNEL)->bind_str(TOK_FUNCTION)->bind_str(TOK_LABEL)->bind(dw); - root->bind_str(TOK_PROCESS)->bind_str(TOK_FUNCTION)->bind_str(TOK_LABEL)->bind(dw); - - register_function_and_statement_variants(root->bind_str(TOK_PROCESS), dw); - root->bind_str(TOK_PROCESS)->bind_str(TOK_MARK)->bind(dw); - root->bind_str(TOK_PROCESS)->bind_num(TOK_MARK)->bind(dw); + root->bind_str(TOK_PROCESS)->bind_str(TOK_FUNCTION)->bind_str(TOK_LABEL)->allow_unprivileged()->bind(dw); + register_function_and_statement_variants(root->bind_str(TOK_PROCESS), dw, true/*unprivileged_ok*/); + root->bind_str(TOK_PROCESS)->bind_str(TOK_MARK)->allow_unprivileged()->bind(dw); + root->bind_str(TOK_PROCESS)->bind_num(TOK_MARK)->allow_unprivileged()->bind(dw); } void @@ -11758,14 +11763,14 @@ perfmon_derived_probe_group::emit_module_init (translator_output* o) void register_standard_tapsets(systemtap_session & s) { - s.pattern_root->bind(TOK_BEGIN)->bind(new be_builder(BEGIN)); - s.pattern_root->bind_num(TOK_BEGIN)->bind(new be_builder(BEGIN)); - s.pattern_root->bind(TOK_END)->bind(new be_builder(END)); - s.pattern_root->bind_num(TOK_END)->bind(new be_builder(END)); - s.pattern_root->bind(TOK_ERROR)->bind(new be_builder(ERROR)); - s.pattern_root->bind_num(TOK_ERROR)->bind(new be_builder(ERROR)); + s.pattern_root->bind(TOK_BEGIN)->allow_unprivileged()->bind(new be_builder(BEGIN)); + s.pattern_root->bind_num(TOK_BEGIN)->allow_unprivileged()->bind(new be_builder(BEGIN)); + s.pattern_root->bind(TOK_END)->allow_unprivileged()->bind(new be_builder(END)); + s.pattern_root->bind_num(TOK_END)->allow_unprivileged()->bind(new be_builder(END)); + s.pattern_root->bind(TOK_ERROR)->allow_unprivileged()->bind(new be_builder(ERROR)); + s.pattern_root->bind_num(TOK_ERROR)->allow_unprivileged()->bind(new be_builder(ERROR)); - s.pattern_root->bind(TOK_NEVER)->bind(new never_builder()); + s.pattern_root->bind(TOK_NEVER)->allow_unprivileged()->bind(new never_builder()); timer_builder::register_patterns(s); s.pattern_root->bind(TOK_TIMER)->bind("profile")->bind(new profile_builder()); @@ -11778,57 +11783,81 @@ register_standard_tapsets(systemtap_session & s) // XXX: user-space starter set s.pattern_root->bind_num(TOK_PROCESS) ->bind_num(TOK_STATEMENT)->bind(TOK_ABSOLUTE) + ->allow_unprivileged() ->bind(new uprobe_builder ()); s.pattern_root->bind_num(TOK_PROCESS) ->bind_num(TOK_STATEMENT)->bind(TOK_ABSOLUTE)->bind(TOK_RETURN) + ->allow_unprivileged() ->bind(new uprobe_builder ()); // utrace user-space probes s.pattern_root->bind_str(TOK_PROCESS)->bind(TOK_BEGIN) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_num(TOK_PROCESS)->bind(TOK_BEGIN) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind(TOK_PROCESS)->bind(TOK_BEGIN) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_str(TOK_PROCESS)->bind(TOK_END) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_num(TOK_PROCESS)->bind(TOK_END) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind(TOK_PROCESS)->bind(TOK_END) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_str(TOK_PROCESS)->bind(TOK_THREAD)->bind(TOK_BEGIN) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_num(TOK_PROCESS)->bind(TOK_THREAD)->bind(TOK_BEGIN) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind(TOK_PROCESS)->bind(TOK_THREAD)->bind(TOK_BEGIN) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_str(TOK_PROCESS)->bind(TOK_THREAD)->bind(TOK_END) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_num(TOK_PROCESS)->bind(TOK_THREAD)->bind(TOK_END) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind(TOK_PROCESS)->bind(TOK_THREAD)->bind(TOK_END) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_str(TOK_PROCESS)->bind(TOK_SYSCALL) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_num(TOK_PROCESS)->bind(TOK_SYSCALL) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind(TOK_PROCESS)->bind(TOK_SYSCALL) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_str(TOK_PROCESS)->bind(TOK_SYSCALL)->bind(TOK_RETURN) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind_num(TOK_PROCESS)->bind(TOK_SYSCALL)->bind(TOK_RETURN) + ->allow_unprivileged() ->bind(new utrace_builder ()); s.pattern_root->bind(TOK_PROCESS)->bind(TOK_SYSCALL)->bind(TOK_RETURN) + ->allow_unprivileged() ->bind(new utrace_builder ()); // itrace user-space probes s.pattern_root->bind_str(TOK_PROCESS)->bind(TOK_INSN) + ->allow_unprivileged() ->bind(new itrace_builder ()); s.pattern_root->bind_num(TOK_PROCESS)->bind(TOK_INSN) + ->allow_unprivileged() ->bind(new itrace_builder ()); s.pattern_root->bind_str(TOK_PROCESS)->bind(TOK_INSN)->bind(TOK_BLOCK) + ->allow_unprivileged() ->bind(new itrace_builder ()); s.pattern_root->bind_num(TOK_PROCESS)->bind(TOK_INSN)->bind(TOK_BLOCK) + ->allow_unprivileged() ->bind(new itrace_builder ()); // marker-based parts |