Why can't I dtrace processes running in a jail from the host?

Mark Johnston markj at freebsd.org
Thu Aug 9 14:53:06 UTC 2018

On Thu, Aug 09, 2018 at 01:09:00PM +0200, Patrick M. Hausen wrote:
> Hi all,
> I'm wondering why on a busy hosting server with hundreds of PHP-FPM
> workers running in jails "dtrace -l" on the host does not show any
> PHP specific probes. PHP *is* compiled with dtrace support for all the
> jails.
> Enabling /dev/dtrace/* via devfs.rules for a specific jail and then repeating
> the process *inside* the jail works as expected.
> Shouldn't jailed processes be transparently visible from the host system
> but not vice versa?

For userland static probes to be globally visible, the process needs to
register them with the kernel when it starts.  This is done
automatically using a constructor which issues ioctls to
/dev/dtrace/helper, hence the requirement for /dev/dtrace/* in the jail.

In general it is still possible to use unregistered userland probes in
this scenario: dtrace(1) can discover them when it attaches to a
specified process.  I'm not sure how well this will work if the process
is jailed and dtrace(1) is invoked on the host, but it's worth trying.

I would be rather wary of enabling access to /dev/dtrace/* in a jail.
The kernel code which parses probe metadata has a large attack surface
and has had security holes in the past.

More information about the freebsd-virtualization mailing list