From 2865d17a48d055b3aef6e45506292908800cdb21 Mon Sep 17 00:00:00 2001 
From: Dave Brolley Date: Fri, 9 Oct 2009 11:09:12 -0400 Subject: Generate safety net assertions in probe function not authorized for unprivileged users. 2009-10-08 Dave Brolley * elaborate.h (emit_unprivileged_assertion): New virtual method of derived_probe. (emit_process_owner_assertion): New static method of derived_probe. (check_unprivileged): New virtual method of derived_probe_builder. (match_node::unprivileged_ok): Removed. (match_node::allow_unprivileged): Removed. (match_node::unprivileged_allowed): Removed. * elaborate.cxx (translate.h): #include it. (emit_unprivileged_assertion): New virtual method of derived_probe. (emit_process_owner_assertion): New static method of derived_probe. (check_unprivileged): New virtual method of derived_probe_builder. (match_node::unprivileged_ok): Removed. (match_node::allow_unprivileged): Removed. (match_node::unprivileged_allowed): Removed. (find_and_build): Don't check for unprivileged restrictions here. Call the builder's check_unprivileged method. (alias_expansion_builder::check_unprivileged): New virtual method. * tapset-been.cxx (be_derived_probe::emit_unprivileged_assertion): New virtual method. (be_builder::check_unprivileged): Likewise. (never_derived_probe::emit_unprivileged_assertion): Likewise. (never_builder::check_unprivileged): Likewise. (register_tapset_been): Don't call allow_unprivileged. * tapset-itrace.cxx (itrace_derived_probe::emit_unprivileged_assertion): New virtual method. (itrace_builder::check_unprivileged): Likewise. (register_tapset_itrace): Don't call allow_unprivileged. * tapset-utrace.cxx (utrace_derived_probe::emit_unprivileged_assertion): New virtual method. (utrace_builder::check_unprivileged): Likewise. (register_tapset_utrace): Don't call allow_unprivileged. * tapset-timer.cxx (timer_derived_probe::emit_unprivileged_assertion): New virtual method. (timer_builder::check_unprivileged): Likewise. (register_tapset_timers): Don't call allow_unprivileged. 
* tapsets.cxx (uprobe_derived_probe::emit_unprivileged_assertion): New v irtual method. (uprobe_builder::check_unprivileged): Likewise. (register_standard_tapsets): Don't call allow_unprivileged. (register_statement_variants): Remove unprivileged_ok_p parameter. Don't call allow_unprivileged. (register_function_variants): Likewise. (register_function_and_statement_variants): Likewise. (register_patterns): Don't call allow_unprivileged. * translate.cxx (emit_probe): Call v->emit_unprivileged_assertion. --- tapset-timers.cxx | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) (limited to 'tapset-timers.cxx') diff --git a/tapset-timers.cxx b/tapset-timers.cxx index 16dcefcb..de57d81a 100644 --- a/tapset-timers.cxx +++ b/tapset-timers.cxx @@ -37,6 +37,10 @@ struct timer_derived_probe: public derived_probe timer_derived_probe (probe* p, probe_point* l, int64_t i, int64_t r, bool ms=false); virtual void join_group (systemtap_session& s); + + // No assertion need be emitted, since this probe is allowed for unprivileged + // users. + void emit_unprivileged_assertion (translator_output*) {} }; @@ -204,6 +208,10 @@ struct hrtimer_derived_probe: public derived_probe } void join_group (systemtap_session& s); + + // No assertion need be emitted, since these probes are allowed for + // unprivileged users. + void emit_unprivileged_assertion (translator_output*) {} }; @@ -505,6 +513,9 @@ struct timer_builder: public derived_probe_builder vector & finished_results); static void register_patterns(systemtap_session& s); + + virtual void check_unprivileged (const systemtap_session & sess, + const literal_map_t & parameters); }; void 
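Review bot: The empty `emit_unprivileged_assertion` override added to `timer_derived_probe` turns off the generated safety-net check for every probe built as this class, yet its comment only says the probe is allowed. That is safe only while `timer_builder` never builds `timer.profile` as a `timer_derived_probe`, so the comment should record the invariant, for example `// Safe only because timer.profile is never built as this class; keep in sync with timer_builder::check_unprivileged.` The same applies to the identical override added to `hrtimer_derived_probe` in the next hunk. Both struct bodies begin outside their hunks and the base-class declaration is not visible here; presumably the base version is the one that emits the privilege assertion.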
@@ -585,6 +596,16 @@ timer_builder::build(systemtap_session & sess, (new hrtimer_derived_probe(base, location, period, rand, scale)); } +void +timer_builder::check_unprivileged (const systemtap_session & sess, + const literal_map_t & parameters) +{ + // All timer probes are allowed except for timer.profile + if (has_null_param(parameters, "profile")) + derived_probe_builder::check_unprivileged (sess, parameters); +} + + void register_tapset_timers(systemtap_session& s) { 
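Review bot: `timer_builder::check_unprivileged` is a deny-list: only the `profile` parameter reaches `derived_probe_builder::check_unprivileged`, and every other parameter set handled by this builder is accepted for unprivileged users without a check. The `allow_unprivileged()` calls this commit removes from `register_tapset_timers` opted each pattern in one by one, so a timer variant bound to this builder later would now be allowed by default. Consider inverting the test so that only the known interval parameters skip the base check and anything else falls through to it. At minimum, extend the comment: `// Deny-list: a new restricted timer variant must be added here, or it is allowed for unprivileged users.` The base-class method is not shown in this diff; presumably it rejects the probe when the session is unprivileged.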
@@ -594,66 +615,47 @@ register_tapset_timers(systemtap_session& s) root = root->bind(TOK_TIMER); root->bind_num("s") - ->allow_unprivileged() ->bind(builder); root->bind_num("s")->bind_num("randomize") - ->allow_unprivileged() ->bind(builder); root->bind_num("sec") - ->allow_unprivileged() ->bind(builder); root->bind_num("sec")->bind_num("randomize") - ->allow_unprivileged() ->bind(builder); root->bind_num("ms") - ->allow_unprivileged() ->bind(builder); root->bind_num("ms")->bind_num("randomize") - ->allow_unprivileged() ->bind(builder); root->bind_num("msec") - ->allow_unprivileged() ->bind(builder); root->bind_num("msec")->bind_num("randomize") - ->allow_unprivileged() ->bind(builder); root->bind_num("us") - ->allow_unprivileged() ->bind(builder); root->bind_num("us")->bind_num("randomize") - ->allow_unprivileged() ->bind(builder); root->bind_num("usec") - ->allow_unprivileged() ->bind(builder); root->bind_num("usec")->bind_num("randomize") - ->allow_unprivileged() ->bind(builder); root->bind_num("ns") - ->allow_unprivileged() ->bind(builder); root->bind_num("ns")->bind_num("randomize") - ->allow_unprivileged() ->bind(builder); root->bind_num("nsec") - ->allow_unprivileged() ->bind(builder); root->bind_num("nsec")->bind_num("randomize") - ->allow_unprivileged() ->bind(builder); root->bind_num("jiffies") - ->allow_unprivileged() ->bind(builder); root->bind_num("jiffies")->bind_num("randomize") - ->allow_unprivileged() ->bind(builder); root->bind_num("hz") - ->allow_unprivileged() ->bind(builder); root->bind("profile") -- cgit