On Tue, Nov 5, 2013 at 1:47 AM, Qingping Hou <dave2008713@xxxxxxxxx> wrote: > On Mon 04 Nov 2013 08:06:18 AM EST, Jovi Zhangwei wrote: >>>> I planed to use a command option like "guru mode"(similar with Systemtap) >>>> in ktap, but I also doubt whether the command option really is enough to >>>> make >>>> ktap safe, user still can crash the kernel easily on ktap installed >>>> system, like >>>> the example you posted, just call the schedule in atomic context. >>>> > > ktapc will be able to detect whehter user is using FFI API later because > we will be parsing C function defitnion and generating ktap vm chunk > accordingly. So IMHO guru mode is enough to prevent user running FFI > enabled ktap script in compilation time. That said, they can still feed > in unsafe chunk directly to ktap VM, which I doubt anyone will do unless > they want to crash the kernel intentionally ;p > > So if we want to have a complete safe ktap runtime, CONFIG_KTAP_FFI and > sysctl is the way to go. FFI should be easy to disable at runtme since > all FFI features are accessed by indexing into global C table, we can > just set that table to nil. > Maybe reject the execution in load stage is more clear for user, we don't want to execute script if we can detect FFI needed in script, and then tell user: 1) "FFI is disabled in ktapvm, please check /proc/sys/debug/ktap-intrusive-mod" 2) "FFI isn't compiled in ktapvm, please enable CONFIG_KTAP_FFI" Perhaps we need a FFI flag(generate by ktapc) in ktap_parm, to tell ktapvm the script need FFI support. Jovi