From 6ecd877049008c5abe9c6720ea8fc64732f47eb5 Mon Sep 17 00:00:00 2001 From: "Frank Ch. Eigler" Date: Wed, 16 Sep 2009 22:32:28 -0400 Subject: PR10650: markup some unprivileged-safe tapset functions Add /* unprivileged */ to a variety of tapset embedded-c functions, together with uid-assertion-checking code as needed. This is only an initial set, and may need to grow or shrink after further testing. Prototyped-By: Dave Brolley * runtime/runtime.h (is_myproc, assert_is_myproc): New macros. * runtime/addr-map.c (lookup_bad_addr): Reject if !is_myproc in unprivileged mode. * runtime/print.c (_stp_print_kernel_info): Add unprivileged mode info. * tapset/DEVGUIDE: Document /* pure */ and /* unprivileged */. * tapset/*.stp: Add /* unprivileged */ here and there, in questionable cases along with an assert_is_myproc(). --- tapset/DEVGUIDE | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'tapset/DEVGUIDE') diff --git a/tapset/DEVGUIDE b/tapset/DEVGUIDE index 693521a8..5d7c8658 100644 --- a/tapset/DEVGUIDE +++ b/tapset/DEVGUIDE @@ -244,6 +244,23 @@ potentially be invalid. If you're not sure, err on the side of caution. The cost of using kread() is small compared to the cost of your tapset inadvertently crashing a system! +Add the string + /* pure */ +into the body of the embedded-C function if it has no side-effects +such as changing external state, so that systemtap could elide +(optimize away) a call to the function if its results are unused. + +Add the string + /* unprivileged */ +into the body of the embedded-C function, only if it is safe for use +by unprivileged users. In general, this requires the function to be +absolutely robust with respect to its inputs, and expose/modify no +information except that belonging to the user's own processes. +(The assert_is_myproc() macro may help enforce this.) Roughly +speaking, it should only perform operations that the same user +could already do from ordinary userspace interfaces. + + Review & Submission ------------------- All new tapsets and major changes should be reviewed "early and often" -- cgit