This is the mail archive of the
mailing list for the systemtap project.
Re: whitelist for safe-mode probes (or just a better blacklist?)
Martin Hunt wrote:
On Wed, 2006-09-20 at 11:14 -0400, Frank Ch. Eigler wrote:
Martin Hunt <firstname.lastname@example.org> writes:
[...] To guarantee a probe will not crash the kernel it is going to
be necessary to generate a whitelist of probe points.
Sure, except that this guarantee is only as good as the method used to
generate the whitelist.
[...] How would this all work? The whitelist and blacklist would be
files distributed with Systemtap. They would be updated
automatically with a test script. [...]
How do you imagine this test script working? Could it generate a list
roughly matching the "in-our-experience-so-far-safe" set in a
reasonable timeframe? (It would not be very helpful if it took months
to run, or resulted in a small list.)
I imagine this would be a list that would be checked into CVS of
functions that have been tested and never caused problems. The only
reason to use a whitelist instead of a blacklist is because we should be
paranoid and not assume as new functions get added to the kernel, they
are safely probeable, as we do now.
Writing a script to do this testing is not difficult, except for the
problems with lockups which require a way to remotely reboot a system.
This requires we assume the existence of special hardware or that the
test system is running on a specific virtualization system. This needs
done regardless of what we decide about the need for a whitelist. I
hoped to provoke some discussion about this. We've talked about it, but
has anyone actually written any test scripts to test all the kernel
functions this way?
I can tell you that looking into the problems probing
'kernel.function("*")' on x86 over the last couple of days I've rebooted
my test system (what seems like) countless times. I certainly agree
with you that we'll need special hardware (perhaps x10 could be a simple
start) or virtualization to get this going using a script. I do think
that this testing would be extremely useful, even without a whitelist
I wonder if we really might need various levels of "whitelists" to
satisfy customer concerns. Something like anyone in group A can only
probe syscalls, users in group B can probe syscalls + exported kernel
Red Hat, Inc.