This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: [RFC] [PATCH 6/6] Kprobes: Remove breakpoints from the copied pages
On Tue, May 09, 2006 at 06:04:50PM +0100, Hugh Dickins wrote:
> On Tue, 9 May 2006, Prasanna S Panchamukhi wrote:
> > This patch removes the breakpoints if the pages read from the page
> > cache contains breakpoints. If the pages containing the breakpoints
> > is copied from the page cache, the copied image would also contain
> > breakpoints in them. This could be a major problem for tools like
> > tripwire etc and cause security concerns, hence must be prevented.
> > This patch hooks up the actor routine, checks if the executable was
> > a probed executable using the file inode and then replaces the
> > breakpoints with the original opcodes in the copied image.
>
> You've done a nice job of making the code look like kernel code
> throughout, it's a much tidier patchset than many.
>
> With that said... it looks to me like one of the scariest and
> most inappropriate sets I can remember. Getting the kernel to
> connive in presenting an incoherent view of its pagecache:
> I don't think we'd ever want that.
>
As Andi Kleen and Christoph suggested pagecache contention can be avoided
using the COW approach.
Advantages of COW:
1. No need to hookup file_read_actor() to remove the breakpoints if a
the probed page was read from pagecache.
2. No need to hookup readpage(s)() to insert probes when pages are
read into the memory.
Some thoughts about COW implications AFAIK
1. Need to hookup mmap() to make a per process copy.
2. Bring in the pages just to insert the probes.
3. All the text pages need to be in memory until process exits.
4. Free up the per process text pages by hooking exit() and exec().
5. Maskoff probes visible across fork(), by hooking fork().
Any implications ?
Thanks
Prasanna
--
Prasanna S Panchamukhi
Linux Technology Center
India Software Labs, IBM Bangalore
Email: prasanna@in.ibm.com
Ph: 91-80-41776329