Safety And Security - Red Hat ENTERPRISE LINUX 5.4 - SYSTEMTAP LANGUAGE Reference Manual

Chapter 1. SystemTap overview
resulting kernel module into a running Linux kernel to perform the requested system trace or probe
functions. You can supply the script in a named file, from standard input, or from the command line.
The program runs until it is interrupted by the user or a sufficient number of soft errors, or if the script
voluntarily invokes the exit() function.
The stap command does the following:
• Translates the script
• Generates and compiles a kernel module
• Inserts the module; output to stap's stdout
• CTRL-C unloads the module and terminates stap
For a full list of options to the stap command, see the stap(1) manual page.

1.6. Safety and security

SystemTap is an administrative tool. It exposes kernel internal data structures and potentially private
user information. It requires root privileges to actually run the kernel objects it builds using the sudo
command, applied to the staprun program.
staprun is a part of the SystemTap package, dedicated to module loading and unloading and kernel-
to-user data transfer. Since staprun does not perform any additional security checks on the kernel
objects it is given, do not give elevated privileges via sudo to untrusted users.
The translator asserts certain safety constraints. It ensures that no handler routine can run for too
long, allocate memory, perform unsafe operations, or unintentionally interfere with the kernel. Use of
script global variables is locked to protect against manipulation by concurrent probe handlers. Use of
guru mode constructs such as embedded C (see Section Section 3.5, "Embedded C") can violate
these constraints, leading to a kernel crash or data corruption.
The resource use limits are set by macros in the generated C code. These may be overridden with the
-D flag. The following list describes a selection of these macros:
MAXNESTING – The maximum number of recursive function call levels. The default is 10.
MAXSTRINGLEN – The maximum length of strings. The default is 128.
MAXTRYLOCK – The maximum number of iterations to wait for locks on global variables before
declaring possible deadlock and skipping the probe. The default is 1000.
MAXACTION – The maximum number of statements to execute during any single probe hit. The default
is 1000.
MAXMAPENTRIES – The maximum number of rows in an array if the array size is not specified
explicitly when declared. The default is 2048.
MAXERRORS – The maximum number of soft errors before an exit is triggered. The default is 0.
MAXSKIPPED – The maximum number of skipped reentrant probes before an exit is triggered. The
default is 100.
MINSTACKSPACE -- The minimum number of free kernel stack bytes required in order to run a probe
handler. This number should be large enough for the probe handler's own needs, plus a safety margin.
The default is 1024.
4