From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul_Woegerer@mentor.com (Woegerer, Paul) Date: Fri, 27 Apr 2012 18:15:35 +0200 Subject: [lttng-dev] lttng enable-channel option for blocking In-Reply-To: <20120427124344.GB21048@Krystal> References: <4F992213.2090103@mentor.com> <20120426211627.GB1646@Krystal> <4F9A4A91.7090102@mentor.com> <20120427113321.GA6987@Krystal> <4F9A87F3.5090504@mentor.com> <20120427124344.GB21048@Krystal> Message-ID: <4F9AC627.2090203@mentor.com> On 04/27/2012 02:43 PM, Mathieu Desnoyers wrote: > * Woegerer, Paul (Paul_Woegerer at mentor.com) wrote: >> On 04/27/2012 01:33 PM, Mathieu Desnoyers wrote: >>> A core difference between ulimit and user-space tracing is that ulimit >>> can only be set within the environment (and access right) of the user >>> running the application. System-wide tracing sessions can be initiated >>> by users member of the "tracing" group -- giving them the ability to >>> potentially DoS an application does not appear to me to be a good >>> security practice. Thoughts ? >> Hmm, how would that look in practice ? Lets assume there is the web >> server which was started by an init-script in runlevel 3. How does a >> user that belongs to group tracing hava a chance to DoS the already >> running running web server. As far as I understand the trace session >> concept every tracing user can only see (and affect) the tracing session >> that he initiated. Even if the web server itself runs in a tracing >> session (of user wwwrun) other tracing users wouldn't see it when they >> do a "lttng list", right ? > Let me clarify the concept of tracing session in lttng 2.0. > > We support launching per-user sessiond, which only interact with the > user's applications. That's all fine with security. > > Now, we also support a root system-wide sessiond, which allows kernel > and user-space tracing. The "tracing" group has every right to create a > tracing session and trace the kernel and _all_ applications that were > already or will be running on the system. Ah, I see. I was not aware of the "... and _all_ applications that were already or will be running on the system" aspect of the concept. In that case I would rather invert the semantic in the API and instead of having a tracepoint() function that potentially blocks I would declare tracepoint() to never ever block and additionally provide tracepointb() that does potentially block. -- Paul -- Paul Woegerer | SW Development Engineer Mentor Embedded(tm) | Prinz Eugen Stra?e 72/2/4, Vienna, 1040 Austria P 43.1.535991320 Nucleus? | Linux? | Android(tm) | Services | UI | Multi-OS Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.