This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
RE: kprobes on by default in 2.6.20.1 kernel.org kernels
- From: "Keshavamurthy, Anil S" <anil dot s dot keshavamurthy at intel dot com>
- To: "Nathan DeBardeleben" <ndebard at lanl dot gov>
- Cc: <systemtap at sources dot redhat dot com>
- Date: Thu, 1 Mar 2007 16:04:42 -0800
- Subject: RE: kprobes on by default in 2.6.20.1 kernel.org kernels
Ha..If that is you concern, then I think you are lucky. We recently
addressed this issues where
in one can list all the active probes in the system by accessing the
file /sys/kernel/debug/kprobes/list.
And the output look like this
=====================
llm40:~/a # cat /sys/kernel/debug/kprobes/list
c0169ae3 r sys_read+0x0
c0169ae3 k sys_read+0x0
c01694c8 k vfs_write+0x0
c0167d20 r sys_open+0x0
f8e658a6 k reiserfs_delete_inode+0x0 reiserfs
c0120f4a k do_fork+0x0
c0120f4a j do_fork+0x0
c0169b4a r sys_write+0x0
c0169b4a k sys_write+0x0
c0169622 r vfs_read+0x0
====================
Will this help?
Thanks,
-Anil Keshavamurthy
Open Source Technology Center/SSG
Intel Corp.
(w) 503-712-4476
email: anil.s.keshavamurthy@intel.com
-----Original Message-----
From: Nathan DeBardeleben [mailto:ndebard@lanl.gov]
Sent: Thursday, March 01, 2007 3:56 PM
To: Keshavamurthy, Anil S
Cc: systemtap@sources.redhat.com
Subject: Re: kprobes on by default in 2.6.20.1 kernel.org kernels
You know, it's not really me that has a problem with it. I subscribe to
the camp of: If it requires root to run a probe, then someone who has
root can already do some pretty nefarious things to your system.
However, due the fact that with kprobes you can slip in a probe, and
then even hide that probe from being reported, I think some people I
work with are scared that it leaves them slightly more exposed /
vulnerable.
I'd love to be able to convince them to let me run probes on production
systems but at this time they're relegated to test machines. Honestly
I'd like to be able to add to my repertoire a good argument to allow
kprobes on by default on these machines but when you're dealing with
security plans and documents and whatnot a new technology like this is
easily deemed scary, unknown, and just relegated to the "security risk"
column.
-- Nathan
Correspondence
---------------------------------------------------------------------
Nathan DeBardeleben, Ph.D.
Los Alamos National Laboratory
Parallel Tools Team
High Performance Computing Environments (HPC-4)
phone: 505-667-3428
email: ndebard@lanl.gov
---------------------------------------------------------------------
Keshavamurthy, Anil S wrote:
> On Wed, Feb 28, 2007 at 04:24:14PM -0700, Nathan DeBardeleben wrote:
>
>> I just wanted to probe (har har) to see if you guys knew why kprobes
is
>> set to "Y" (in the kernel) by default on the latest 2.6.20.1 kernel I
>> got from kernel.org. I don't consider this a great move and am a
little
>> worried about it. For one thing, I know now we'll actively make
certain
>> it's off in all future kernels we build that are intended for
production
>> machines.
>>
>
> Can you please explain your cause for worry in detail. In what way it
> is causing problems. Hopefully we can address your concerns.
>
>
>> I grabbed the latest kernel to do some kprobes testing, went to
>> configure it to turn probing on and was very surprised to find it on
by
>> default.
>>
> As a matter of fact, KPROBE is enabled by several major OSD like
> Red Hat and SuSE on their enterprise versions and are in
> the market since begining/middle of last year.
>
>
>> What's the process that the kernel maintainers go through to
determine
>> which options are on by default anyway?
>>
>
> AFAIK, their is no formal process(depends on developer community).
> And if you are building a kernel for production machine then I assume
> you just don;t depend on default config which can turn on lots of
stuff
> intended for testing and experimental purposes.
>
> -Anil Keshavamurthy
>
>