This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: Accessing probe info synchronously


On 07:59, Wed 07 Feb, Frank Ch. Eigler wrote:
> > So my question is this: Is there any way to access the information
> > that SystemTap probes directly from kernel space, without using
> > relayfs?
> 
> In a sense, sure: the systemtap script "knows" the instant the
> application is invoking a system call, and could take some action.

Yes, and this was our reason for looking more into SystemTap. We would
like to use SystemTap as a sort of library, so that, for each
application, we will be notified of each system call that the application
makes. We would like to avoid the buffers that relayfs uses, as we want
to know instantaneously about each system call, and not be notified when
two or more system calls have occurred.

> But because normal systemtap scripts are normally non-intrusive, they
> will let the calling thread resume pretty soon (a couple of
> microseconds probably).  This means that they likely won't be able to
> communicate that knowledge to a slow/faraway (user-space) tool in time
> for that tool to take control.

Yes, we are aware of the constraints on the runtime of each probe, and
also of the constraint on the sizes of arrays.

We initially thought about implementing the entire IDS by the way of a
SystemTap script, but after learning of these constraints, it seemed
like a bad idea. We could modify SystemTap of course, but it feels like
a bad hack :)

> There have been experiments with systemtap scripts actively blocking
> threads (by enqueuing a SIGSTOP signal), and this might be part of a
> solution for your problem, but this area hasn't been thoroughly
> explored.  (Hmm, maybe there is a way of supporting this generally via
> prologue code in the syscall tapset...)

This is actually a very good idea, and we will look more into this. It
still leaves us the question of how to be notified synchronously of each
system call, but it seems like the way to go about stopping the processes
while determining whether or not the system call should be allowed.

So I guess my initial question still stands:
Is it possible to get notified by SystemTap/use SystemTap as a library
when a probe is fired? In our case the probe will fire each time a
system call is made by some particular application, but I guess the
more general question is about probes firing.

/Lasse
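For readers following the thread, here is an added example (not code from the thread or from the SystemTap project) of the in-kernel half of what is being discussed: a SystemTap script that watches every system call of one target process and makes its allow/deny decision inside the probe handler, staying within the constraints Frank mentions (short handlers, bounded global arrays). The allow-list contents are constructed for illustration.

```systemtap
#!/usr/bin/stap
# Added example, not part of the mailing-list thread.
# Per-process syscall monitor: the decision is made in the handler itself,
# so no user-space round trip (and no relayfs buffering) is needed to know
# that a disallowed call happened.
# Run as:  stap -x <PID> syscall-monitor.stp    (target() is the pid from -x)

global allowed      # constructed allow-list for a hypothetical read-only service
global denied       # count of disallowed calls, keyed by syscall name

probe begin {
  allowed["read"] = 1
  allowed["write"] = 1
  allowed["close"] = 1
  allowed["fstat"] = 1
  allowed["mmap"] = 1
  allowed["munmap"] = 1
  allowed["exit_group"] = 1
  printf("monitoring pid %d\n", target())
}

# Fires on entry to every system call; 'name' and 'argstr' come from the
# syscall tapset. Only the process given with -x is considered.
probe syscall.* {
  if (pid() != target()) next
  if (!(name in allowed)) {
    denied[name]++
    printf("%d %s[%d] disallowed syscall %s(%s)\n",
           gettimeofday_us(), execname(), pid(), name, argstr)
  }
}

probe end {
  printf("disallowed syscalls by count:\n")
  foreach (n in denied- limit 20)
    printf("  %-16s %d\n", n, denied[n])
}
```

This script only detects and reports; it does not hold the thread, so the SIGSTOP-based blocking that Frank describes as experimental is not attempted here.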


