On Mon 04 Nov 2013 08:06:18 AM EST, Jovi Zhangwei wrote: >>> I planed to use a command option like "guru mode"(similar with Systemtap) >>> in ktap, but I also doubt whether the command option really is enough to >>> make >>> ktap safe, user still can crash the kernel easily on ktap installed >>> system, like >>> the example you posted, just call the schedule in atomic context. >>> ktapc will be able to detect whehter user is using FFI API later because we will be parsing C function defitnion and generating ktap vm chunk accordingly. So IMHO guru mode is enough to prevent user running FFI enabled ktap script in compilation time. That said, they can still feed in unsafe chunk directly to ktap VM, which I doubt anyone will do unless they want to crash the kernel intentionally ;p So if we want to have a complete safe ktap runtime, CONFIG_KTAP_FFI and sysctl is the way to go. FFI should be easy to disable at runtme since all FFI features are accessed by indexing into global C table, we can just set that table to nil.