Dtrace in a jail

Mark Johnston markj at FreeBSD.org
Fri Sep 11 04:54:51 UTC 2015


On Thu, Sep 10, 2015 at 09:43:24PM -0400, Ryan Stone wrote:
> For testing purposes it would probably suffice to allow everything in
> /dev/dtrace/* to show up in devfs in the jail.

A copy of the kernel binary needs to be available too: the kernel's CTF
section is not automatically mapped into memory during boot, but is
loaded upon first use. CTF isn't strictly needed to use DTrace, though.

> In production this could be
> dangerous depending on what your use case is.  I believe that this would allow
> an untrusted root user within the jail to at least read arbitrary memory
> contents of the entire system (they might be able to write to arbitrary
> memory too, which would allow them to escape the jail).

It's definitely possible to modify user process memory, but I'm not sure
about kernel memory. In particular, I'm not sure that one couldn't use
DTrace within a jail to modify a process outside the jail, so enabling
DTrace in a jail on anything other than test systems is not a good idea.

> 
> 
> There's a good blog post by Bryan Cantrill explaining the types of things
> that Illumos had to do to make DTrace both usable and secure from within a
> Solaris zone (as I understand it, this is comparable to a jail):
> 
> http://dtrace.org/blogs/bmc/2012/06/07/dtrace-in-the-zone/
> 
> An interesting (but challenging!) DTrace-related project would be to port
> the DTrace permissions model over to FreeBSD to allow things like
> restricted use of DTrace by non-root users, or root users within a jail.
> 
> 
> On Tue, Sep 1, 2015 at 11:32 AM, Ben Woods <woodsb02 at gmail.com> wrote:
> 
> > Hi everyone,
> >
> > I am just discovering dtrace, having heard about it a number of times but
> > never investigated further. I like what I see so far!
> >
> > Is there a way to use Dtrace to debug programs being run in a jail?
> > Attempting to run Dtrace from within the jail results in the following
> > error:
> > # dtrace -l
> > dtrace: failed to initialize dtrace: DTrace device not available on system
> >
> > I want to debug a program I am running in a jail which is crashing a few
> > seconds after being run. It doesn't crash in my FreeBSD 10.2 host, but does
> > in the FreeBSD 9.3 jail.
> >
> > Since I want to run Dtrace on the pid provider on my program, I want my
> > program to be executed by the Dtrace application. Something like:
> >
> > # dtrace -l -n 'pid$target::strcmp:entry{}' -c "./foo hello"
> >
> >
> > But this results in the same error about Dtrace device not being available
> > on the system (within the jail).
> >
> > If I instead run Dtrace and pass it the jexec command, I think it is
> > tracing the jexec program, rather than my program that is then being
> > executed within the jail. I.e. I don't think this works as expected:
> >
> > # dtrace -l -n 'pid$target::strcmp:entry{}' -c "jexec 1 foo hello"
> >
> >
> > Any hints on how I can trace this program running in the jail?
> >
> > Thanks,
> > Ben
> >
> >
> > --
> >
> > --
> > From: Benjamin Woods
> > woodsb02 at gmail.com
> > _______________________________________________
> > freebsd-dtrace at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-dtrace
> > To unsubscribe, send any mail to "freebsd-dtrace-unsubscribe at freebsd.org"
> >


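The thread's practical point is that a jail whose devfs ruleset unhides /dev/dtrace hands the jailed root user a way to read (and possibly modify) memory of processes outside the jail. The script below is an added example, not code from the thread or from FreeBSD itself: it audits a devfs.rules(5)-style file and reports every ruleset that exposes dtrace device nodes, either directly through an `add path 'dtrace*' unhide` rule or indirectly by including a ruleset that does. The rule file contents are constructed for the example; the ruleset names and numbers are assumptions and do not refer to any real system.

```shell
#!/bin/sh
# Added example: audit devfs rulesets for jails that expose /dev/dtrace.
# The rules below are constructed sample data, not taken from a real host.
write_sample_rules() {
    cat > "$1" <<'EOF'
# hypothetical jail ruleset that keeps dtrace hidden
[devfsrules_jail_safe=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login

# hypothetical ruleset that unhides the dtrace device nodes
[devfsrules_jail_dtrace=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path 'dtrace*' unhide
add path 'dtrace/*' unhide

# hypothetical ruleset that inherits the exposure through an include
[devfsrules_jail_inherits=12]
add include $devfsrules_jail_dtrace
add include $devfsrules_unhide_login
EOF
}

# dtrace_exposing_rulesets FILE
# Prints, one per line and in definition order, the name of every ruleset in
# FILE that unhides a path starting with "dtrace", directly or via includes.
dtrace_exposing_rulesets() {
    awk -v q="'" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        /^\[/ {                                    # "[name=number]" opens a ruleset
            rs = $0; sub(/^\[/, "", rs); sub(/=.*$/, "", rs); sub(/\].*$/, "", rs)
            order[++n] = rs; next
        }
        /^add[ \t]+include[ \t]+/ {                # remember includes for later resolution
            inc = $3; sub(/^\$/, "", inc)
            includes[rs] = includes[rs] " " inc; next
        }
        /^add[ \t]+path[ \t]+/ && $NF == "unhide" { # direct exposure of a dtrace node
            p = $3; gsub(q, "", p)
            if (p ~ /^dtrace/) direct[rs] = 1
        }
        END {
            # propagate exposure through includes until nothing changes
            changed = 1
            while (changed) {
                changed = 0
                for (i = 1; i <= n; i++) {
                    rs = order[i]
                    if (rs in direct) continue
                    m = split(includes[rs], parts, " ")
                    for (j = 1; j <= m; j++)
                        if (parts[j] in direct) { direct[rs] = 1; changed = 1 }
                }
            }
            for (i = 1; i <= n; i++) if (order[i] in direct) print order[i]
        }
    ' "$1"
}

# audit_devfs_rules FILE
# Returns 1 (and warns on stderr) if any ruleset exposes dtrace nodes, else 0.
audit_devfs_rules() {
    found=$(dtrace_exposing_rulesets "$1")
    if [ -n "$found" ]; then
        printf 'WARNING: rulesets exposing /dev/dtrace to jails: %s\n' \
            "$(printf '%s' "$found" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample file.
tmp=$(mktemp)
write_sample_rules "$tmp"
audit_devfs_rules "$tmp" || echo "audit flagged one or more rulesets"
rm -f "$tmp"
```

On a real host the same function can be pointed at /etc/devfs.rules, and the names it prints can be compared against the `devfs_ruleset` values in each jail's configuration to find jails that actually mount a flagged ruleset.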