Systemtap exposes kernel internal data structures and potentially
private user information. Because of this, use of systemtap's
full capabilities is restricted to root and to users who are
members of the groups stapdev and stapusr.
However, a restricted set of systemtap's features can be made
available to trusted, unprivileged users. These users are members
of the group stapusr only, or members of the groups stapusr and
stapsys. These users can load systemtap modules which have been
compiled and certified by a trusted systemtap compile-server. See
the descriptions of the options --privilege and --use-server. See
README.unprivileged in the systemtap source code for information
about setting up a trusted compile server.
The restrictions enforced when --privilege=stapsys is specified
are designed to prevent unprivileged users from:
• harming the system maliciously.
The restrictions enforced when --privilege=stapusr is specified
are designed to prevent unprivileged users from:
• harming the system maliciously.
• gaining access to information which would not normally
be available to an unprivileged user.
• disrupting the performance of processes owned by other
users of the system. Some overhead to the system in
general is unavoidable since the unprivileged user's
probes will be triggered at the appropriate times.
What we would like to avoid is targeted interruption
of another user's processes which would not normally
be possible by an unprivileged user.
PROBE RESTRICTIONS
A member of the groups stapusr and stapsys may use all probe
points.
A member of only the group stapusr may use only the following
probes:
• begin, begin(n)
• end, end(n)
• error(n)
• never
• process.*, where the target process is owned by the
user.
• timer.{jiffies,s,sec,ms,msec,us,usec,ns,nsec}(n)*
• timer.hz(n)
SCRIPT LANGUAGE RESTRICTIONS
The following scripting language features are unavailable to all
unprivileged users:
• any feature enabled by the Guru Mode (-g) option.
• embedded C code.
RUNTIME RESTRICTIONS
The following runtime restrictions are placed upon all
unprivileged users:
• Only the default runtime code (see -R) may be used.
Additional restrictions are placed on members of only the group
stapusr:
• Probing of processes owned by other users is not
permitted.
• Access of kernel memory (read and write) is not
permitted.
COMMAND LINE OPTION RESTRICTIONS
Some command line options provide access to features which must
not be available to any unprivileged user:
• -g may not be specified.
• The following options may not be used by the compile-
server client:
-a, -B, -D, -I, -r, -R
ENVIRONMENT RESTRICTIONS
The following environment variables may not be set by any
unprivileged user, since each one redirects where stap takes its
runtime, tapset or debuginfo from:
SYSTEMTAP_RUNTIME
SYSTEMTAP_TAPSET
SYSTEMTAP_DEBUGINFO_PATH
TAPSET RESTRICTIONS
In general, tapset functions are only available for members of
the group stapusr when they do not gather information that an
ordinary program running with that user's privileges would be
denied access to.
There are two categories of unprivileged tapset functions. The
first category consists of utility functions that are
unconditionally available to all users; these include such things
as:
cpu:long ()
exit ()
str_replace:string (prnt_str:string, srch_str:string, rplc_str:string)
The second category consists of so-called myproc-unprivileged
functions that can only gather information within the user's own
processes. Scripts that wish to use these functions must test the
result of the tapset function is_myproc and only call these
functions if the result is 1. If an unprivileged user's script
calls one of these functions from a probe that fires in a process
not owned by that user, the script exits immediately.
Examples of myproc-unprivileged functions include:
print_usyms (stk:string)
user_int:long (addr:long)
usymname:string (addr:long)
A compile error is triggered when any function not in either of
the above categories is used by members of only the group
stapusr; no other built-in tapset functions are available to
them.
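The script below is an added example, not text from this manual page nor code from the systemtap project. It stays inside the probe set permitted to members of only the group stapusr (begin/end, process.*, timer.*), uses only unconditionally available utility functions outside the guarded block, and gates the myproc-unprivileged calls print_usyms and ubacktrace behind is_myproc so the script is not terminated if a probe fires in a process the user does not own. Assumptions not taken from the page: a trusted compile server is reachable for --use-server, and ./target is a hypothetical binary built with -g by the invoking user that contains a function named work.

```systemtap
#!/usr/bin/stap
# Added example (not from stap(1) or the systemtap project).
# Assumptions: a trusted compile server is available, and ./target is a
# hypothetical, user-built binary with debuginfo and a function work().
# Run as an unprivileged stapusr member with:
#   stap --privilege=stapusr --use-server -c ./target ./myproc_trace.stp

global started        # pid -> start time (ms) for the user's own processes
global work_calls     # number of times target's work() was entered

probe begin {
    # uid(), pid(), execname() and gettimeofday_ms() are utility functions
    # that the tapset marks as unconditionally available.
    printf("tracing processes owned by uid %d\n", uid())
}

# With --privilege=stapusr, process.begin / process.end only fire for
# processes owned by the invoking user; other users' processes are not seen.
probe process.begin {
    started[pid()] = gettimeofday_ms()
    printf("start %s[%d]\n", execname(), pid())
}

probe process.end {
    if (pid() in started) {
        printf("exit  %s[%d] after %d ms\n", execname(), pid(),
               gettimeofday_ms() - started[pid()])
        delete started[pid()]
    }
}

# Function probe on the user's own (hypothetical) binary. The trailing "?"
# makes the probe optional so the script still compiles if work() is absent.
probe process("./target").function("work") ? {
    work_calls++
    # ubacktrace() and print_usyms() are myproc-unprivileged: they may only
    # be called in a process the invoking user owns. Guarding them with
    # is_myproc() keeps the script running instead of exiting on a violation.
    if (is_myproc()) {
        printf("work() entered in pid %d, user-space stack:\n", pid())
        print_usyms(ubacktrace())
    }
}

# Periodic heartbeat; timer.* probes are in the stapusr probe set.
probe timer.s(10) {
    printf("%d work() calls so far\n", work_calls)
}

probe end {
    printf("done: %d work() calls\n", work_calls)
}
```

Note what is deliberately absent: no kernel.* or syscall.* probes, no embedded C, and no -g, -R or -r on the command line, each of which would be rejected for a member of only the group stapusr. If the same script is run by a member of stapusr and stapsys, the probe set is unrestricted but the is_myproc guard remains harmless.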