From 2865d17a48d055b3aef6e45506292908800cdb21 Mon Sep 17 00:00:00 2001 From: Dave Brolley Date: Fri, 9 Oct 2009 11:09:12 -0400 Subject: Generate safety net assertions in probe function not authorized for unprivileged users. 2009-10-08 Dave Brolley * elaborate.h (emit_unprivileged_assertion): New virtual method of deriv ed_probe. (emit_process_owner_assertion): New static method of derived_probe. (check_unprivileged): New virtual method of derived_probe_builder. (match_node::unprivileged_ok): Removed. (match_node::allow_unprivileged): Removed. (match_node::unprivileged_allowed): Removed. * elaborate.cxx (translate.h): #include it. (emit_unprivileged_assertion): New virtual method of derived_probe. (emit_process_owner_assertion): New static method of derived_probe. (check_unprivileged): New virtual method of derived_probe_builder. (match_node::unprivileged_ok): Removed. (match_node::allow_unprivileged): Removed. (match_node::unprivileged_allowed): Removed. (find_and_build): Don't check for unprivileged restrictions here. Call t he builder's check_unprivileged method. (alias_expansion_builder::check_unprivileged): New virtual method. * tapset-been.cxx (be_derived_probe::emit_unprivileged_assertion): New v irtual method. (be_builder::check_unprivileged): Likewise. (never_derived_probe::emit_unprivileged_assertion): Likewise. (never_builder::check_unprivileged): Likewise. (register_tapset_been): Don't call allow_unprivileged. * tapset-itrace.cxx (itrace_derived_probe::emit_unprivileged_assertion): New virtual method. (itrace_builder::check_unprivileged): Likewise. (register_tapset_itrace): Don't call allow_unprivileged. * tapset-utrace.cxx (utrace_derived_probe::emit_unprivileged_assertion): New virtual method. (utrace_builder::check_unprivileged): Likewise. (register_tapset_utrace): Don't call allow_unprivileged. * tapset-timer.cxx (timer_derived_probe::emit_unprivileged_assertion): N ew virtual method. (timer_builder::check_unprivileged): Likewise. (register_tapset_timers): Don't call allow_unprivileged. * tapsets.cxx (uprobe_derived_probe::emit_unprivileged_assertion): New v irtual method. (uprobe_builder::check_unprivileged): Likewise. (register_standard_tapsets): Don't call allow_unprivileged. (register_statement_variants): Remove unprivileged_ok_p parameter. Don't call allow_unprivileged. (register_function_variants): Likewise. (register_function_and_statement_variants): Likewise. (register_patterns): Don't call allow_unprivileged. * translate.cxx (emit_probe): Call v->emit_unprivileged_assertion. --- elaborate.cxx | 69 ++++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 47 insertions(+), 22 deletions(-) (limited to 'elaborate.cxx') diff --git a/elaborate.cxx b/elaborate.cxx index 01c6e3cd..e8795a6c 100644 --- a/elaborate.cxx +++ b/elaborate.cxx @@ -9,6 +9,7 @@ #include "config.h" #include "elaborate.h" +#include "translate.h" #include "parse.h" #include "tapsets.h" #include "session.h" @@ -132,10 +133,50 @@ derived_probe::sole_location () const } +void +derived_probe::emit_unprivileged_assertion (translator_output* o) +{ + // Emit code which will cause compilation to fail if it is compiled in + // unprivileged mode. + o->newline() << "#ifndef STP_PRIVILEGED"; + o->newline() << "#error Internal Error: Probe "; + probe::printsig (o->line()); + o->line() << " generated in --unprivileged mode"; + o->newline() << "#endif"; +} + + +void +derived_probe::emit_process_owner_assertion (translator_output* o) +{ + // Emit code which will abort should the current target not belong to the + // user in unprivileged mode. + o->newline() << "#ifndef STP_PRIVILEGED"; + o->newline(1) << "if (! is_myproc ()) {"; + o->newline(1) << "snprintf(c->error_buffer, sizeof(c->error_buffer),"; + o->newline() << " \"Internal Error: Process %d does not belong to user %d in probe %s in --unprivileged mode\","; + o->newline() << " current->tgid, _stp_uid, c->probe_point);"; + o->newline() << "c->last_error = c->error_buffer;"; + o->newline() << "goto out;"; + o->newline(-1) << "}"; + o->newline(-1) << "#endif"; +} + // ------------------------------------------------------------------------ // Members of derived_probe_builder +void +derived_probe_builder::check_unprivileged (const systemtap_session & sess, + const literal_map_t & parameters) +{ + // By default, probes are not allowed for unprivileged users. + if (sess.unprivileged) + { + throw semantic_error (string("probe point is not allowed for unprivileged users")); + } +} + bool derived_probe_builder::get_param (std::map const & params, const std::string& key, @@ -261,7 +302,6 @@ match_key::globmatch(match_key const & other) const // ------------------------------------------------------------------------ match_node::match_node() - : unprivileged_ok (false) { } @@ -303,19 +343,6 @@ match_node::bind_num(string const & k) return bind(match_key(k).with_number()); } -match_node* -match_node::allow_unprivileged (bool b) -{ - unprivileged_ok = b; - return this; -} - -bool -match_node::unprivileged_allowed () const -{ - return unprivileged_ok; -} - void match_node::find_and_build (systemtap_session& s, probe* p, probe_point *loc, unsigned pos, @@ -340,18 +367,11 @@ match_node::find_and_build (systemtap_session& s, param_map[loc->components[i]->functor] = loc->components[i]->arg; // maybe 0 - // Are we compiling for unprivileged users? */ - if (s.unprivileged) - { - // Is this probe point ok for unprivileged users? - if (! unprivileged_allowed ()) - throw semantic_error (string("probe point is not allowed for unprivileged users")); - } - // Iterate over all bound builders for (unsigned k=0; kcheck_unprivileged (s, param_map); b->build (s, p, loc, param_map, results); } } @@ -573,6 +593,11 @@ alias_expansion_builder } return false; } + + // No action required. The actual probes will be checked when they are + // built. + virtual void check_unprivileged (const systemtap_session & sess, + const literal_map_t & parameters) {} }; -- cgit