Project

General

Profile

Bug #2917

DTrace in a zone should have limited provider access

Added by Joshua M. Clulow about 8 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Category:
DTrace
Start date:
2012-06-22
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

Users in zones cannot have the dtrace_kernel privilege, and thus cannot presently utilise various stable probe providers; in particular: proc, sched, vminfo and sysinfo.

This change allows SDT probes to specify that they may be enabled within a zone, but with potentially no access to probe arguments to prevent privileged information escaping.

Upstream commit:

commit 6362fa2ef8de603055ef378e03d09a4330b91a98
Author: Bryan Cantrill <bryan@joyent.com>
Date:   Wed Jun 6 06:15:33 2012 +0000

    OS-1247 need limited access to some DTrace providers in the non-global zone

and on github: https://github.com/joyent/illumos-joyent/commit/6362fa2ef8de603055ef378e03d09a4330b91a98

History

#1

Updated by Electric Monk over 6 years ago

git commit b0f673c4626e4cb1db7785287eaeed2731dfefe8

Author: Bryan Cantrill <bryan@joyent.com>

2915 DTrace in a zone should see "cpu", "curpsinfo", et al
2916 DTrace in a zone should be able to access fds[]
2917 DTrace in a zone should have limited provider access
Reviewed by: Joshua M. Clulow <josh@sysmgr.org>
Reviewed by: Adam Leventhal <ahl@delphix.com>
Approved by: Gordon Ross <gwr@nexenta.com>

#2

Updated by Rich Lowe over 6 years ago

  • Status changed from New to Resolved

Also available in: Atom PDF