Dtrace in a jail

Ryan Stone rysto32 at gmail.com
Fri Sep 11 01:43:25 UTC 2015


For testing purposes it would probably suffice to allow everything in
/dev/dtrace/* to show up in devfs in the jail.  In production this could be
dangerous depending on your use case.  I believe that this would allow
an untrusted root user within the jail to at least read arbitrary memory
contents of the entire system (they might be able to write to arbitrary
memory too, which would allow them to escape the jail).


There's a good blog post by Bryan Cantrill explaining the types of things
that Illumos had to do to make DTrace both usable and secure from within a
Solaris zone (as I understand it, this is comparable to a jail):

http://dtrace.org/blogs/bmc/2012/06/07/dtrace-in-the-zone/

An interesting (but challenging!) DTrace-related project would be to port
the DTrace permissions model over to FreeBSD to allow things like
restricted use of DTrace by non-root users, or root users within a jail.


On Tue, Sep 1, 2015 at 11:32 AM, Ben Woods <woodsb02 at gmail.com> wrote:

> Hi everyone,
>
> I am just discovering dtrace, having heard about it a number of times but
> never investigated further. I like what I see so far!
>
> Is there a way to use Dtrace to debug programs being run in a jail?
> Attempting to run Dtrace from within the jail results in the following
> error:
> # dtrace -l
> dtrace: failed to initialize dtrace: DTrace device not available on system
>
> I want to debug a program I am running in a jail which is crashing a few
> seconds after being run. It doesn't crash in my FreeBSD 10.2 host, but does
> in the FreeBSD 9.3 jail.
>
> Since I want to run Dtrace on the pid provider on my program, I want my
> program to be executed by the Dtrace application. Something like:
>
> # dtrace -l -n 'pid$target::strcmp:entry{}' -c "./foo hello"
>
>
> But this results in the same error about Dtrace device not being available
> on the system (within the jail).
>
> If I instead run Dtrace and pass it the jexec command, I think it is
> tracing the jexec program, rather than my program that is then being
> executed within the jail. I.e. I don't think this works as expected:
>
> # dtrace -l -n 'pid$target::strcmp:entry{}' -c "jexec 1 foo hello"
>
>
> Any hints on how I can trace this program running in the jail?
>
> Thanks,
> Ben
>
>
> --
> From: Benjamin Woods
> woodsb02 at gmail.com