From: Ryan Stone
To: Ben Woods
Cc: "freebsd-dtrace@freebsd.org"
Date: Thu, 10 Sep 2015 21:43:24 -0400
Subject: Re: Dtrace in a jail

For testing purposes it would probably suffice to allow everything in
/dev/dtrace/* to show up in devfs in the jail. In production this could be
dangerous depending on your use case. I believe that this would allow an
untrusted root user within the jail to at least read arbitrary memory
contents of the entire system (they might be able to write to arbitrary
memory too, which would allow them to escape the jail).

There's a good blog post by Bryan Cantrill explaining the types of things
that Illumos had to do to make DTrace both usable and secure from within a
Solaris zone (as I understand it, this is comparable to a jail):

http://dtrace.org/blogs/bmc/2012/06/07/dtrace-in-the-zone/

An interesting (but challenging!) DTrace-related project would be to port
the DTrace permissions model over to FreeBSD to allow things like restricted
use of DTrace by non-root users, or root users within a jail.

On Tue, Sep 1, 2015 at 11:32 AM, Ben Woods wrote:

> Hi everyone,
>
> I am just discovering dtrace, having heard about it a number of times but
> never investigated further. I like what I see so far!
>
> Is there a way to use Dtrace to debug programs being run in a jail?
> Attempting to run Dtrace from within the jail results in the following
> error:
> # dtrace -l
> dtrace: failed to initialize dtrace: DTrace device not available on system
>
> I want to debug a program I am running in a jail which is crashing a few
> seconds after being run. It doesn't crash in my FreeBSD 10.2 host, but does
> in the FreeBSD 9.3 jail.
>
> Since I want to run Dtrace on the pid provider on my program, I want my
> program to be executed by the Dtrace application.
> Something like:
>
> # dtrace -l -n 'pid$target::strcmp:entry{}' -c "./foo hello"
>
> But this results in the same error about Dtrace device not being available
> on the system (within the jail).
>
> If I instead run Dtrace and pass it the jexec command, I think it is
> tracing the jexec program, rather than my program that is then being
> executed within the jail. I.e. I don't think this works as expected:
>
> # dtrace -l -n 'pid$target::strcmp:entry{}' -c "jexec 1 foo hello"
>
> Any hints on how I can trace this program running in the jail?
>
> Thanks,
> Ben
>
> --
> From: Benjamin Woods
> woodsb02@gmail.com
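
Added example, not part of the original message or of FreeBSD: a small audit check, in Python, that evaluates devfs.rules(5)-style rulesets in order and reports which ones would leave /dev/dtrace/* nodes visible to a jail, the exposure the reply above warns about for production. The ruleset names and numbers in the sample are constructed, and the two node names tested are assumptions standing in for "everything in /dev/dtrace/*".

```python
import fnmatch
import shlex

# Constructed sample in devfs.rules(5) syntax; ruleset names and numbers are made up.
SAMPLE_RULES = """
[hide_all=1]
add hide
[jail_basic=10]
add include $hide_all
[jail_dtrace_test=20]
add include $jail_basic
add path dtrace unhide
add path 'dtrace/*' unhide
"""

# Nodes to test (assumed names); the message proposes exposing /dev/dtrace/*.
DTRACE_NODES = ("dtrace/dtrace", "dtrace/helper")

def parse(text):
    """Return {ruleset_name: [rule token lists]} from devfs.rules-style text."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            current = line.strip("[]").split("=", 1)[0]
            rulesets[current] = []
        elif line and current is not None:
            rulesets[current].append(shlex.split(line))
    return rulesets

def visible(rulesets, name, node, state=True, seen=()):
    """Apply a ruleset's rules in order; the last matching hide/unhide wins."""
    if name in seen:  # guard against include loops
        return state
    for tok in rulesets.get(name, []):
        if "include" in tok:
            inc = tok[tok.index("include") + 1].lstrip("$")
            state = visible(rulesets, inc, node, state, seen + (name,))
        elif "hide" in tok or "unhide" in tok:
            pattern = tok[tok.index("path") + 1] if "path" in tok else "*"
            # Python's fnmatch lets '*' cross '/', so this errs toward flagging.
            if fnmatch.fnmatchcase(node, pattern):
                state = "unhide" in tok
    return state

def exposing_rulesets(text):
    """Names of rulesets that leave any DTrace node visible to a jail using them."""
    rs = parse(text)
    return sorted(n for n in rs if any(visible(rs, n, d) for d in DTRACE_NODES))
```

Run exposing_rulesets() over the contents of /etc/devfs.rules and compare the names it returns with the devfs_ruleset each jail is configured to use.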