Allow utrace_syscall_args.stp to accepts arm64 use of syscall.openat

[systemtap.git] / README.unprivileged

Unprivileged Mode for Systemtap Users
=====================================

Introduction
------------
In order to use the full capabilities of systemtap, one must run it as root or
as a member of the groups stapusr and stapdev. For other (unprivileged) users, systemtap
does provide support for use of a subset of systemtap's capabilities to perform
limited probing. For example, tracing your own applications or
polling using timers. The intent is to give unprivileged users capabilities
similar to those provided by a debugger.

Below are instructions for running systemtap scripts in unprivileged mode.

Systemtap Compile Server
------------------------
In order to load the kernel module produced by compiling a systemtap script
for an unprivileged user, we must know that the script was compiled correctly
and that the script does not do anything dangerous. A systemap compile server
provides the trusted compilation environment needed to certify both conditions.

NOTE: In order to use a compile server, the nss and nspr packages must be
installed on the client host and systemtap must have been built with
NSS enabled. Run 'stap -V | grep NSS' to find out if NSS is enabled.

NOTE: In order to detect servers on the local network, the avahi package must be
installed on the client host and systemtap must have been built with avahi
enabled. Run 'stap -V | grep AVAHI' to find out if avahi is enabled.

To find out if a suitable server is available on the local network, this
command should produce output similar to the following:

# stap --list-servers --privileged=stapusr
Systemtap Compile Server Status for 'online,trusted,compatible,signer'
 host=somehost ip=10.15.16.156 port=10913 sysinfo="2.6.34.7-66.fc13.x86_64 x86_64" certinfo="00:93:49:be:2a"

NOTE: In order for servers to be detected, the port for mDNS (5353/udp)
      must be open on the server and client hosts.

If no servers are listed, then you must ask your system administrator to
make the appropriate compile server available on the local host or on the
local network. The server must be trusted as an ssl peer and as a systemtap
module signer on the local host.

See "Setup and Administration of Unprivileged Users for System Administrators"
below for more details.

Trust of Unprivileged Users
---------------------------
Even with the appropriate compile server available, each
unprivileged user must be explicitly trusted. This is done by adding each
unprivileged user to the group stapusr and possibly the group stapsys
on each host on which they will
run systemtap scripts. To see if you are a member of the group stapusr on the
local host, this command should produce output similar to the following:

# getent group stapusr
stapusr:x:483:someuser,anotheruser

If your userid is listed, then you are already a member of the group stapusr.
If it is not, then you must ask your system administrator to add you to this
group.

Once added, Try the command

    newgrp stapusr

to activate your membership. If all else fails, logging out and back in
again should work. See the manual page for newgrp(1) for details.

Using Systemtap in Unprivileged Mode
------------------------------------
Unprivileged users can compile any systemtap script either directly or using
a compile server, but systemtap will not load the resulting kernel module
for an unprivileged user unless it has been compiled and certified by a
trusted compile server. To do this, as an unprivileged user,
this command should produce output similar to the following:

# stap -e 'probe begin { printf ("Hello\n"); exit (); }'
Hello

For unprivileged users, stap will automatically add the options
--privilege and --use-server (you could also specify them yourself).

   --use-server tells systemtap to compile the script using a server.

   --privilege tells the server to check the script to maker sure it
     doesn't do anything 'dangerous', i.e. nothing that a user
     with the specified privilege credentials shouldn't be able to do.

If the server approves of your script and is able to compile it, systemtap will then load the
resulting module for you even though you are an unprivileged user.

If you save the resulting module by using the -p4 option of stap, then trusted,
unprivileged users can load the module at a later time using staprun:

# stap -e 'probe begin { printf ("Hello\n"); exit (); }' -p4
stap_5330.ko
# staprun stap_5330.ko
Hello

Note that the module has already been certified (signed), so no special options
are needed.

Additional Information
----------------------
o When specifying path names in your script and compiling using a server,
  you must use a server which has access to those paths (e.g. via nfs, or a
  server on the local host) and you must specify the paths in full from the
  servers's point of view. For example, specify

     probe process("foo").begin()

  as

     probe process("/the/full/path/as/seen/by/the/server/to/foo").begin()

o You can use '--privilege=[stapusr|stapsys] -pN' (for 1 <= N <= 4) without --use-server to
  compile and check scripts directly. stap will still check your script for
  'dangerous' behavior, but will not load it for an unprivileged user.

o When using --privilege, all compile time and run time restrictions are
  enforced for all users, including root and members of the group stapdev.



Setup and Administration of Unprivileged Users for System Administrators
========================================================================

Introduction
------------
In order to use the full capabilities of systemtap, one must run it as root or
as a member of the group stapdev. For other (unprivileged) users, systemtap
does provide support for use of a subset of systemtap's capabilities to perform
limited probing. For example, tracing your own applications or
polling using timers. The intent is to give unprivileged users capabilities
similar to those provided by a debugger.

In order for this to happen, the system administrator must first perform some
setup:

o Systemtap compile server(s) must be made available on the local network.
  One server is needed for each kernel version and architecture pair for which
  users will compile scripts.

o The compile server(s) must be trusted as an SSL peer and as a signer of
  systemtap modules on hosts on which unprivileged users will compile and
  run their scripts respectively.

o Unprivileged users must be added to the group stapusr, and possibly the group stapsys
  on the host(s) on which they will run their scripts.

Below are the necessary steps for the system administrator to setup the above
infrastructure.

Systemtap Compile Server
------------------------
In order to load the kernel module produced by compiling a systemtap script
for an unprivileged user, we must know that the script was compiled correctly
and that the script does not do anything dangerous. A systemap compile server
provides a trusted environment needed to certify both conditions.

In order to make a compile server available on the local network the
systemtap-server package and its prerequisites must be installed on the server
host.

The system administrator then uses the following command:

sudo service stap-server start [-r KERNEL-RELEASE] [-a ARCH]

For example:

# sudo service stap-server start -r 2.6.34.7-61.fc13.x86_64 -a x86_64
Starting stap-server -a "x86_64" -r "2.6.34.7-61.fc13.x86_64" -u "stap-server"
                                                           [  OK  ]

This starts a compile server for the specified kernel release and hardware
architecture. The kernel and kernel-devel package for the specified release and
architecture must be installed on the server host. The kernel-debuginfo package
for each kernel release and architecture should also be installed, but is not
relevant for unprivileged users.

If either one (or both) the kernel release and/or architecture is not
specified, the kernel release and/or architecture of the server host will be
used:

# sudo service stap-server start
Starting stap-server -a "x86_64" -r "2.6.34.7-66.fc13.x86_64" -u "stap-server"
                                                           [  OK  ]

As a short cut, to start a server for each kernel release and architecture
installed on the server host, use the command:

# sudo service stap-server start -i
Starting stap-server -a "x86_64" -r "2.6.34.7-61.fc13.x86_64" -u "stap-server"
                                                           [  OK  ]
Starting stap-server -a "x86_64" -r "2.6.34.7-63.fc13.x86_64" -u "stap-server"
                                                           [  OK  ]
Starting stap-server -a "x86_64" -r "2.6.34.7-66.fc13.x86_64" -u "stap-server"
                                                           [  OK  ]

NOTE: Only root can start a systemtap server using the service command.

Trust of Compile Servers
------------------------
Once systemtap compile servers have been made available on the local network,
the system administrator must certify which ones are trusted as SSL peers,
as systemtap kernel module signers or both.

Certifying a compile server as an SSL peer means what the system administrator
trusts that it compiles systemtap scripts correctly.

Certifying a compile server as a module signer means that the system
administrator trusts it to correctly check a systemtap script for
behavior which should not be made available to unprivileged users. When a
script is compiled using the --privilege option, the server checks the
script for such behavior and cryptographically signs the resulting module if it
is safe for use by unprivileged users. Verification of the signature certifies
that the module was certified as 'safe' by the server and that it has not been
altered since it was certified.

Systemtap compile servers started by using the 'service' command are
automatically trusted both as SSL peers and as module signers on the server's
host. No further setup of the servers is necessary for users (clients) on
that same host.

Before clients on another host can make use of a server, the system
administrator of each client host must certify trust in that server.
This is performed in two steps:

1) Identify the server(s) to be trusted.

   # stap --list-servers=online,compatible
   Systemtap Compile Server Status for 'online,compatible'
    host=somehost ip=10.15.16.156 port=26543 sysinfo="2.6.34.7-66.fc13.x86_64 x86_64" certinfo="00:93:49:be:2a"

   Identify the server(s) to be trusted by examining the
   host name, ip address and sysinfo (kernel release and architecture). Take
   note of the 'certinfo' field of each server to be trusted.

   NOTE: In order for servers to be detected, the port for mDNS (5353/udp)
   must be open on the server and client hosts.

2) For each server to be trusted for use by unprivileged clients, use the
   command:

   sudo stap --trust-servers=ssl,signer,all-users --use-server=CERTINFO1 [--use-server=CERTINFO2 ...]

   where each CERTINFOn is the value of the 'certinfo' field of a server to be
   trusted (obtained using the previous command).

   For example:

   # sudo stap --trust-servers=ssl,signer,all-users --use-server=00:93:49:be:2a
   Add trust in the following servers as an SSL peer for all users and as a module signer for all users?
      host=somehost ip=10.15.16.156 port=26543 sysinfo="2.6.34.7-66.fc13.x86_64 x86_64" certinfo="00:93:49:be:2a"
   [y/N] y

   Using the 'certinfo' to specify each server ensures that the exact servers
   which were intended are the ones which become trusted. Note that only root
   can certify trust in a server as signer in this way.

Now verify the result:

# stap --list-servers --privilege=stapusr
Systemtap Compile Server Status for 'online,trusted,compatible,signer'
 host=somehost ip=10.15.16.156 port=26543 sysinfo="2.6.34.7-66.fc13.x86_64 x86_64" certinfo="00:93:49:be:2a"

Each of the servers you specified in stap 2 above should be listed.

Trust of Unprivileged Users
---------------------------
Finally, once compile servers have been set up and are trusted, each
unprivileged user must be explicitly trusted. This is done by adding each
unprivileged user to the group stapusr, and possibly the group stapsys on each host on which they
will run systemtap scripts:

    sudo usermod -a -G stapusr[,stapsys] USERID

If the user is already logged in, they can try using

    newgrp stapusr

to activate their membership. If all else fails, logging out and back in
again should work. See newgrp(1) for details.