From 2865d17a48d055b3aef6e45506292908800cdb21 Mon Sep 17 00:00:00 2001 
From: Dave Brolley
Date: Fri, 9 Oct 2009 11:09:12 -0400
Subject: Generate safety net assertions in probe function not authorized for unprivileged users.

2009-10-08  Dave Brolley

* elaborate.h (emit_unprivileged_assertion): New virtual method of derived_probe. (emit_process_owner_assertion): New static method of derived_probe. (check_unprivileged): New virtual method of derived_probe_builder. (match_node::unprivileged_ok): Removed. (match_node::allow_unprivileged): Removed. (match_node::unprivileged_allowed): Removed.
* elaborate.cxx (translate.h): #include it. (emit_unprivileged_assertion): New virtual method of derived_probe. (emit_process_owner_assertion): New static method of derived_probe. (check_unprivileged): New virtual method of derived_probe_builder. (match_node::unprivileged_ok): Removed. (match_node::allow_unprivileged): Removed. (match_node::unprivileged_allowed): Removed. (find_and_build): Don't check for unprivileged restrictions here. Call the builder's check_unprivileged method. (alias_expansion_builder::check_unprivileged): New virtual method.
* tapset-been.cxx (be_derived_probe::emit_unprivileged_assertion): New virtual method. (be_builder::check_unprivileged): Likewise. (never_derived_probe::emit_unprivileged_assertion): Likewise. (never_builder::check_unprivileged): Likewise. (register_tapset_been): Don't call allow_unprivileged.
* tapset-itrace.cxx (itrace_derived_probe::emit_unprivileged_assertion): New virtual method. (itrace_builder::check_unprivileged): Likewise. (register_tapset_itrace): Don't call allow_unprivileged.
* tapset-utrace.cxx (utrace_derived_probe::emit_unprivileged_assertion): New virtual method. (utrace_builder::check_unprivileged): Likewise. (register_tapset_utrace): Don't call allow_unprivileged.
* tapset-timer.cxx (timer_derived_probe::emit_unprivileged_assertion): New virtual method. (timer_builder::check_unprivileged): Likewise. (register_tapset_timers): Don't call allow_unprivileged.
* tapsets.cxx (uprobe_derived_probe::emit_unprivileged_assertion): New v irtual method. (uprobe_builder::check_unprivileged): Likewise. (register_standard_tapsets): Don't call allow_unprivileged. (register_statement_variants): Remove unprivileged_ok_p parameter. Don't call allow_unprivileged. (register_function_variants): Likewise. (register_function_and_statement_variants): Likewise. (register_patterns): Don't call allow_unprivileged. * translate.cxx (emit_probe): Call v->emit_unprivileged_assertion.
---
 tapset-utrace.cxx | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
(limited to 'tapset-utrace.cxx')
diff --git a/tapset-utrace.cxx b/tapset-utrace.cxx
index b13dc290..819a2d87 100644
--- a/tapset-utrace.cxx
+++ b/tapset-utrace.cxx
@@ -60,6 +60,8 @@ struct utrace_derived_probe: public derived_probe
 bool hp, string &pn, int64_t pd,
 enum utrace_derived_probe_flags f);
 void join_group (systemtap_session& s);
+
+ void emit_unprivileged_assertion (translator_output*);
 };
 
 
@@ -194,6 +196,21 @@ utrace_derived_probe::join_group (systemtap_session& s)
 }
 
 
+void
+utrace_derived_probe::emit_unprivileged_assertion (translator_output* o)
+{
+ // Process end probes are allowed for unprivileged users, even if the process
+ // does not belong to them. They are required to check is_myproc() from within
+ // their probe script before doing anything "dangerous".
+ if (flags == UDPF_END)
+ return;
+
+ // Other process probes are allowed for unprivileged users, but only in the
+ // context of processes which they own.
+ emit_process_owner_assertion (o);
+}
+
+
 void
 utrace_var_expanding_visitor::visit_target_symbol_cached (target_symbol* e)
 {
@@ -624,6 +641,10 @@ struct utrace_builder: public derived_probe_builder
 has_path, path, pid, flags));
 }
 
+
+ // No action required. These probes are allowed for unprivileged users.
+ virtual void check_unprivileged (const systemtap_session & sess,
+ const literal_map_t & parameters) {}
 };
 
 
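Review bot: The process-end exemption in utrace_derived_probe::emit_unprivileged_assertion (`if (flags == UDPF_END) return;`) leaves an unprivileged user's end probe with no generated guard at all, and the only thing standing in for it is the comment's request that scripts call is_myproc() themselves; nothing in this hunk can enforce that, so the contract belongs in a doc comment on the method rather than buried in the body. I would add above the definition: `// Emit the run-time guard for unprivileged users into the generated handler: process-end probes are deliberately left unguarded (the script must call is_myproc()); every other utrace probe gets emit_process_owner_assertion().` The TOK_THREAD/TOK_END binding in the last hunk presumably carries a flag value other than UDPF_END; if so, thread-end probes fall through to the owner assertion while process-end probes do not, and the comment should state whether that asymmetry is intended. The flag enum and emit_process_owner_assertion are defined outside this hunk.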
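Review bot: utrace_builder::check_unprivileged names two parameters, `sess` and `parameters`, that its empty body never reads, which draws unused-parameter warnings and obscures the fact that this builder accepts every utrace probe point (begin, end, thread, syscall) for unprivileged users without inspecting the request; I would write it as `virtual void check_unprivileged (const systemtap_session &, const literal_map_t &) {}`. The comment above it should also say where the restriction actually lives, since a reader of this struct cannot see it: `// No action required: every utrace probe point is accepted for unprivileged users; the per-process restriction is enforced at run time by utrace_derived_probe::emit_unprivileged_assertion.` The base-class declaration of check_unprivileged is in elaborate.h, outside this diff.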
@@ -1054,22 +1075,16 @@ register_tapset_utrace(systemtap_session& s)
 for (unsigned i = 0; i < roots.size(); ++i)
 {
 roots[i]->bind(TOK_BEGIN)
- ->allow_unprivileged()
 ->bind(builder);
 roots[i]->bind(TOK_END)
- ->allow_unprivileged()
 ->bind(builder);
 roots[i]->bind(TOK_THREAD)->bind(TOK_BEGIN)
- ->allow_unprivileged()
 ->bind(builder);
 roots[i]->bind(TOK_THREAD)->bind(TOK_END)
- ->allow_unprivileged()
 ->bind(builder);
 roots[i]->bind(TOK_SYSCALL)
- ->allow_unprivileged()
 ->bind(builder);
 roots[i]->bind(TOK_SYSCALL)->bind(TOK_RETURN)
- ->allow_unprivileged()
 ->bind(builder);
 }
 }
-- cgit