lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20211008000540.GA31220@kbox>
Date:   Thu, 7 Oct 2021 17:05:40 -0700
From:   Beau Belgrave <beaub@...ux.microsoft.com>
To:     Masami Hiramatsu <mhiramat@...nel.org>
Cc:     rostedt@...dmis.org, linux-trace-devel@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] user_events: Enable user processes to create and write
 to trace events

On Fri, Oct 08, 2021 at 08:12:49AM +0900, Masami Hiramatsu wrote:
> > Please see v2 patch, I do this pattern except it's '(Used by ftrace)'
> > instead of '# Used by ftrace'.
> > 
> > Format is id:name status
> 
> Hm, why I suggested to use "# status" is that the comment will be
> removed when writing it. So you can do
> 
> cat user_events > ~/saved_events
> (reboot)
> cat ~/saved_events > user_events
> 
> to restore events :)
> 
Nice, good idea.

> > 
> > > > The other thing is we need ref counting to know if the event is busy.
> > > > Having the ID in the packet avoids having a fd per-event, but it also
> > > > makes ref counting process lifetime of each event quite hard.
> > > 
> > > Hmm, I don't think so. You can use an array of the pointer to
> > > events on the private data of the struct file.
> > > When you add (or start using) an event (this is identified by ioctl),
> > > you can increment the event refcount and add it to the array.
> > > When the file is closed (in exiting process), it will loop on the
> > > array and decrement the refcount for each event.
> > > Then, after all tracers disabled the event, ftrace can remove the
> > > event in background (unless it is defined through 'dynamic_events' or
> > > 'user_events').
> > > 
> > Yes, I didn't say it's impossible :) It's quite hard and takes a lot
> > more management. I don't see a clear benefit to that approach, why is it
> > better than an fd lifetime? Not trying to be difficult, just trying to
> > be pragmatic about what approach is best.
> 
> I'm not sure this point, you mean 1 fd == 1 event model?
> 
Yeah, I like the idea of not having an fd per event. I want to make
sure the complexity is worth it. Is the overhead of an FD per event in
user space too much? What happens to the first 4 bytes (ID)? Does it not
show up in the buffer? This would be fine as long as the rel_loc idea
gets into ftrace, etc.

This would require a global array as well as a local per-FD array. I'm
wondering if the per-FD array becoming large mitigates the gain by
simply having an FD per-event.

> > > > We also want
> > > > predicate filtering to work as cheap as possible. I would really like to
> > > > keep offset manipulation entirely in the user space to avoid confusion
> > > > across the various tracing mechanisms and avoid probing the user data
> > > > upon each call (eBPF programs only selectively probe in data).
> > > 
> > > OK, so let's add __rel_loc__ attribute. The rel_loc type will be
> > > 
> > > struct rel_loc {
> > > 	uint16_t len;	/* The data size (including '\0' if string )*/
> > > 	uint16_t offs;	/* The offset of actual data from this field */
> > > } __packed;
> > > 
> > > Hmm, btw, this will be good for probe events... I don't need to pass
> > > the base address with this attribute.
> > > 
> > What's the difference between __rel_loc__ and __data_loc? Seems like
> > instead of just offset it's length + offset?
> 
> In my idea, rel_loc is similar to the data_loc. It has the offset, but
> the offset is the data offset from the rel_loc, not from the entry of
> the recorded data. So kernel doesn't need to adjust it.
> 
Got it, makes sense and would eliminate the need for the IOCTL for
offsets. I like it.

Thanks,
-Beau
> Thank you,
> 
> -- 
> Masami Hiramatsu <mhiramat@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ