[Bug runtime/14245] New: Support debugfs mounted 0700

[Bug runtime/14245] New: Support debugfs mounted 0700

[jistone at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=14245

             Bug #: 14245
           Summary: Support debugfs mounted 0700
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: runtime
        AssignedTo: systemtap@sourceware.org
        ReportedBy: jistone@redhat.com
    Classification: Unclassified


Related to bug #14244, it would be nice we could support non-root users running
on systems with mode 0700 debugfs.  Apparently Ubuntu has started defaulting
this way.  See again this thread:
http://sourceware.org/ml/systemtap/2012-q2/msg00243.html

There I briefly started brainstorming what would be needed, "We could open the
directory in staprun and do the access check with faccessat().  Then we'd have
to also pass a control_channel fd across the exec to stapio, since it can't
open that path itself."

This will require a good dose of security-conscious caution.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug runtime/14245] Support debugfs mounted 0700

[fche at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=14245

Frank Ch. Eigler <fche at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fche at redhat dot com

--- Comment #1 from Frank Ch. Eigler <fche at redhat dot com> 2012-06-15 02:22:49 UTC ---
Another possibility would be for the translator or staprun to scout out a
suitable alternate mountopint, such as a pre-existing /proc, and pass that to
the built module for use.  We don't really use debugfs facilities per se; just
need a namespace to hang the ctl/data files off from.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

Re: [Bug runtime/14245] Support debugfs mounted 0700

[Pasi Savanainen]

On Jun 15, 2012, at 5:22 AM, fche at redhat dot com wrote:

> http://sourceware.org/bugzilla/show_bug.cgi?id=14245
> 
> Frank Ch. Eigler <fche at redhat dot com> changed:
> 
>           What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                 CC|                            |fche at redhat dot com
> 
> --- Comment #1 from Frank Ch. Eigler <fche at redhat dot com> 2012-06-15 02:22:49 UTC ---
> Another possibility would be for the translator or staprun to scout out a
> suitable alternate mountopint, such as a pre-existing /proc, and pass that to
> the built module for use.  We don't really use debugfs facilities per se; just
> need a namespace to hang the ctl/data files off from.
> 

What about under /sys/module/<stap_###_##/  ? It is created anyway when the module is loaded.

PS. 
By the way if debugfs is not mounted already then systemtap  seems to mount it so that all works
just fine.

br,
Pasi

[Bug runtime/14245] Support debugfs mounted 0700

[pasi.savanainen at nixu dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=14245

--- Comment #2 from pasi.savanainen at nixu dot com 2012-06-15 07:31:04 UTC ---
On Jun 15, 2012, at 5:22 AM, fche at redhat dot com wrote:

> http://sourceware.org/bugzilla/show_bug.cgi?id=14245
> 
> Frank Ch. Eigler <fche at redhat dot com> changed:
> 
>           What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                 CC|                            |fche at redhat dot com
> 
> --- Comment #1 from Frank Ch. Eigler <fche at redhat dot com> 2012-06-15 02:22:49 UTC ---
> Another possibility would be for the translator or staprun to scout out a
> suitable alternate mountopint, such as a pre-existing /proc, and pass that to
> the built module for use.  We don't really use debugfs facilities per se; just
> need a namespace to hang the ctl/data files off from.
> 

What about under /sys/module/<stap_###_##/  ? It is created anyway when the
module is loaded.

PS. 
By the way if debugfs is not mounted already then systemtap  seems to mount it
so that all works
just fine.

br,
Pasi

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug runtime/14245] Support debugfs mounted 0700

[jistone at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=14245

--- Comment #3 from Josh Stone <jistone at redhat dot com> 2012-10-08 22:23:22 UTC ---
FYI, Fedora rawhide now appears to boot with mode 0700 debugfs too.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug runtime/14245] Support debugfs mounted 0700

[fche at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=14245

Frank Ch. Eigler <fche at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Frank Ch. Eigler <fche at redhat dot com> 2012-10-10 22:33:11 UTC ---
commit c5f7c84

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.