<li><a href="process/migrate.stp">process/migrate.stp</a> - Track the Migration of Specific Executables<br>
keywords: <a href="keyword-index.html#SCHEDULER">SCHEDULER</a> <br>
<p>The migrate.stp script takes an argument which is the executable name of the task it should monitor. Each time a task with that executable name migrates between processors an entry is printed with the process id (pid), the executable name, the processor off loading the task, and the process taking the task. Note that the task may or may not be executing at the time of the migration.</p></li>
+<li><a href="process/noptrace.stp">process/noptrace.stp</a> - disable ptrace(2) from hierarchies of processes<br>
+keywords: <a href="keyword-index.html#PROCESS">PROCESS</a> <a href="keyword-index.html#SECURITY">SECURITY</a> <br>
+<p>noptrace.stp blocks ptrace(2) attempts from processes identified by stap -c/-x, as also specifiable from /proc/systemtap/stap_XXX/ control files. Processes may be added or removed from the blocked list.</p></li>
<li><a href="process/pf2.stp">process/pf2.stp</a> - Profile kernel functions<br>
keywords: <a href="keyword-index.html#PROFILING">PROFILING</a> <br>
<p>The pf2.stp script sets up time-based sampling. Every five seconds it prints out a sorted list with the top ten kernel functions with samples.</p></li>
executing at the time of the migration.
+process/noptrace.stp - disable ptrace(2) from hierarchies of processes
+keywords: process security
+
+ noptrace.stp blocks ptrace(2) attempts from processes identified by
+ stap -c/-x, as also specifiable from /proc/systemtap/stap_XXX/
+ control files. Processes may be added or removed from the blocked
+ list.
+
+
process/pf2.stp - Profile kernel functions
keywords: profiling
</ul>
<h2>Examples by Keyword</h2>
-<p><tt><a href="#ALLOCATOR">ALLOCATOR</a> <a href="#AUTOFS">AUTOFS</a> <a href="#BACKTRACE">BACKTRACE</a> <a href="#BUFFER">BUFFER</a> <a href="#CALLGRAPH">CALLGRAPH</a> <a href="#CPU">CPU</a> <a href="#DEVICE">DEVICE</a> <a href="#DISK">DISK</a> <a href="#FILES">FILES</a> <a href="#FILESYSTEM">FILESYSTEM</a> <a href="#FORMAT">FORMAT</a> <a href="#FREE">FREE</a> <a href="#FUNCTIONS">FUNCTIONS</a> <a href="#FUTEX">FUTEX</a> <a href="#GRAPH">GRAPH</a> <a href="#HACK">HACK</a> <a href="#INTERRUPT">INTERRUPT</a> <a href="#IO">IO</a> <a href="#LOCKING">LOCKING</a> <a href="#MEMORY">MEMORY</a> <a href="#MONITORING">MONITORING</a> <a href="#NETWORK">NETWORK</a> <a href="#NFS">NFS</a> <a href="#NUMA">NUMA</a> <a href="#PER-PROCESS">PER-PROCESS</a> <a href="#PROCESS">PROCESS</a> <a href="#PROFILING">PROFILING</a> <a href="#READ">READ</a> <a href="#SCHEDULER">SCHEDULER</a> <a href="#SCSI">SCSI</a> <a href="#SIGNALS">SIGNALS</a> <a href="#SIMPLE">SIMPLE</a> <a href="#SLAB">SLAB</a> <a href="#SLEEP">SLEEP</a> <a href="#SOCKET">SOCKET</a> <a href="#STATISTICS">STATISTICS</a> <a href="#SYSCALL">SYSCALL</a> <a href="#TCP">TCP</a> <a href="#TIME">TIME</a> <a href="#TRACE">TRACE</a> <a href="#TRACEPOINT">TRACEPOINT</a> <a href="#TRAFFIC">TRAFFIC</a> <a href="#TTY">TTY</a> <a href="#USE">USE</a> <a href="#WAIT4">WAIT4</a> <a href="#WRITE">WRITE</a> </tt></p>
+<p><tt><a href="#ALLOCATOR">ALLOCATOR</a> <a href="#AUTOFS">AUTOFS</a> <a href="#BACKTRACE">BACKTRACE</a> <a href="#BUFFER">BUFFER</a> <a href="#CALLGRAPH">CALLGRAPH</a> <a href="#CPU">CPU</a> <a href="#DEVICE">DEVICE</a> <a href="#DISK">DISK</a> <a href="#FILES">FILES</a> <a href="#FILESYSTEM">FILESYSTEM</a> <a href="#FORMAT">FORMAT</a> <a href="#FREE">FREE</a> <a href="#FUNCTIONS">FUNCTIONS</a> <a href="#FUTEX">FUTEX</a> <a href="#GRAPH">GRAPH</a> <a href="#HACK">HACK</a> <a href="#INTERRUPT">INTERRUPT</a> <a href="#IO">IO</a> <a href="#LOCKING">LOCKING</a> <a href="#MEMORY">MEMORY</a> <a href="#MONITORING">MONITORING</a> <a href="#NETWORK">NETWORK</a> <a href="#NFS">NFS</a> <a href="#NUMA">NUMA</a> <a href="#PER-PROCESS">PER-PROCESS</a> <a href="#PROCESS">PROCESS</a> <a href="#PROFILING">PROFILING</a> <a href="#READ">READ</a> <a href="#SCHEDULER">SCHEDULER</a> <a href="#SCSI">SCSI</a> <a href="#S
ECURITY">SECURITY</a> <a href="#SIGNALS">SIGNALS</a> <a href="#SIMPLE">SIMPLE</a> <a href="#SLAB">SLAB</a> <a href="#SLEEP">SLEEP</a> <a href="#SOCKET">SOCKET</a> <a href="#STATISTICS">STATISTICS</a> <a href="#SYSCALL">SYSCALL</a> <a href="#TCP">TCP</a> <a href="#TIME">TIME</a> <a href="#TRACE">TRACE</a> <a href="#TRACEPOINT">TRACEPOINT</a> <a href="#TRAFFIC">TRAFFIC</a> <a href="#TTY">TTY</a> <a href="#USE">USE</a> <a href="#WAIT4">WAIT4</a> <a href="#WRITE">WRITE</a> </tt></p>
<h3><a name="ALLOCATOR">ALLOCATOR</a></h3>
<ul>
<li><a href="memory/vm.tracepoints.stp">memory/vm.tracepoints.stp</a> - Collect slab allocation statistics<br>
<li><a href="process/forktracker.stp">process/forktracker.stp</a> - Trace Creation of Processes<br>
keywords: <a href="keyword-index.html#PROCESS">PROCESS</a> <a href="keyword-index.html#SCHEDULER">SCHEDULER</a> <br>
<p>The forktracker.stp script prints out a time-stamped entry showing each fork and exec operation on the machine. This can be useful to determine what process is creating a flurry of short-lived processes.</p></li>
+<li><a href="process/noptrace.stp">process/noptrace.stp</a> - disable ptrace(2) from hierarchies of processes<br>
+keywords: <a href="keyword-index.html#PROCESS">PROCESS</a> <a href="keyword-index.html#SECURITY">SECURITY</a> <br>
+<p>noptrace.stp blocks ptrace(2) attempts from processes identified by stap -c/-x, as also specifiable from /proc/systemtap/stap_XXX/ control files. Processes may be added or removed from the blocked list.</p></li>
<li><a href="process/pfiles.stp">process/pfiles.stp</a> - print process file descriptors<br>
keywords: <a href="keyword-index.html#PROCESS">PROCESS</a> <a href="keyword-index.html#FILES">FILES</a> <br>
<p>Run pfiles.stp to produce a human-readable summary of all open file descriptors of a given process. Specify the process-id as -x PID for fastest performance.</p></li>
keywords: <a href="keyword-index.html#IO">IO</a> <a href="keyword-index.html#PROFILING">PROFILING</a> <a href="keyword-index.html#SCSI">SCSI</a> <br>
<p>The iostat-scsi.stp script provides a breakdown of the number of blks read and written on the machine's various SCSI devices. The script takes one argument which is the number of seconds between reports.</p></li>
</ul>
+<h3><a name="SECURITY">SECURITY</a></h3>
+<ul>
+<li><a href="process/noptrace.stp">process/noptrace.stp</a> - disable ptrace(2) from hierarchies of processes<br>
+keywords: <a href="keyword-index.html#PROCESS">PROCESS</a> <a href="keyword-index.html#SECURITY">SECURITY</a> <br>
+<p>noptrace.stp blocks ptrace(2) attempts from processes identified by stap -c/-x, as also specifiable from /proc/systemtap/stap_XXX/ control files. Processes may be added or removed from the blocked list.</p></li>
+</ul>
<h3><a name="SIGNALS">SIGNALS</a></h3>
<ul>
<li><a href="process/sig_by_pid.stp">process/sig_by_pid.stp</a> - Signal Counts by Process ID<br>
determine what process is creating a flurry of short-lived processes.
+process/noptrace.stp - disable ptrace(2) from hierarchies of processes
+keywords: process security
+
+ noptrace.stp blocks ptrace(2) attempts from processes identified by
+ stap -c/-x, as also specifiable from /proc/systemtap/stap_XXX/
+ control files. Processes may be added or removed from the blocked
+ list.
+
+
process/pfiles.stp - print process file descriptors
keywords: process files
takes one argument which is the number of seconds between reports.
+= SECURITY =
+
+process/noptrace.stp - disable ptrace(2) from hierarchies of processes
+keywords: process security
+
+ noptrace.stp blocks ptrace(2) attempts from processes identified by
+ stap -c/-x, as also specifiable from /proc/systemtap/stap_XXX/
+ control files. Processes may be added or removed from the blocked
+ list.
+
+
= SIGNALS =
process/sig_by_pid.stp - Signal Counts by Process ID
--- /dev/null
+title: disable ptrace(2) from hierarchies of processes
+name: noptrace.stp
+keywords: process security
+description: noptrace.stp blocks ptrace(2) attempts from processes identified by stap -c/-x, as also specifiable from /proc/systemtap/stap_XXX/ control files. Processes may be added or removed from the blocked list.
+test_check: stap -gp4 noptrace.stp -x $$
+test_installcheck: stap -g noptrace.stp -c 'strace ls'
+
--- /dev/null
+#! /bin/sh
+
+# note use of guru mode, to enable changing of syscall arguments
+//bin/true && exec stap -g $0 ${1+"$@"}
+
+global noptrace # map pid->name: list of pids forbidden from ptrace(2)
+
+
+probe begin { # init. noptrace process list with stap -x PID/-c CMD, if given
+ if (target())
+ noptrace[target()]="?"
+}
+
+probe scheduler.process_fork { # propagate flag to child processes
+ if (parent_pid in noptrace)
+ noptrace[child_pid] = noptrace[parent_pid]
+}
+
+probe syscall.*execve { # update stored pid->name mapping
+ if (pid() in noptrace)
+ noptrace[pid()] = filename
+}
+
+probe syscall.exit { # optional; clean up pid->name mapping table
+ delete noptrace[pid()]
+}
+
+# procfs control files under /proc/systemtap/stap_XXXXX/
+
+probe procfs("blocked").read { # report currently blocked processes
+ foreach (pid in noptrace)
+ $value .= sprintf("%d %s\n",pid,noptrace[pid])
+}
+
+probe procfs("block").write { # block given pid
+ pid = strtol($value,10)
+ noptrace[pid]="?"
+}
+
+probe procfs("unblock").write { # unblock given pid
+ pid = strtol($value,10)
+ delete noptrace[pid]
+}
+
+# payload
+
+probe syscall.ptrace {
+ if (pid() in noptrace) {
+ # disable the ptrace call in progress
+ # if it weren't for PTRACE_TRACEME, we could set $pid=1 => -EPERM
+ # changing it to an invalid request number works too
+ $request=0xbeef # anything invalid should do
+
+ # report
+ printf ("%s[%d] ptrace(%d) blocked: ", execname(), tid(), $request)
+ # (or if desired, accumulate counts and report at probe end {})
+ }
+}
+
+probe syscall.ptrace.return { # should occur instantly
+ if (pid() in noptrace) {
+ printf ("rc=%d\n", $return)
+ }
+}
git://sourceware.org / systemtap.git / commitdiff