[DTrace-devel] -w destructive actions

Eugene Loh eugene.loh at oracle.com
Fri Jul 24 14:37:28 PDT 2020


I'm curious how we should be supporting "dtrace -w" -- that is, how to 
prevent users from performing destructive actions unless they are 
explicitly allowed via the -w option.

If I understand correctly, DTv1 does stuff that is not directly 
applicable to DTv2:

*)  some static analysis (which we've gutted out)

*)  an ioctl() (but now we have everything in user space)

I was thinking about one idea.

In dt_cg.c, we define dt_cg_actions[], an array that gives a function -- 
and optionally a dtrace_actkind_t -- for each DT_ACT_*.  Only in a few 
cases is the dtrace_actkind_t set.  I assume that's because if that 
"kind" is needed, it can usually be hardcoded into the function that's 
called.  But, hard to know since so few of these action functions are 
implemented at this point.

One possibility is to define the dtrace_actkind_t, at least for 
destructive actions.  Then, in dt_cg() in

        idp = act->dn_expr->dn_ident;
        actdp = &_dt_cg_actions[DT_ACT_IDX(idp->di_id)];
        if (actdp->fun)
                actdp->fun(pcb, act->dn_expr, actdp->kind);

we can check DTRACEACT_ISDESTRUCTIVE(actdp->kind) in the case that 
dtrace_getopt(g_dtp, "destructive", &opt) was not set. Note that 
DTRACEACT_ISDESTRUCTIVE(0) is 0.  So, if a non-destructive action has 
kind==0, you're okay.

Dunno.  I'm fishing for ideas.  This idea might not be great, but it 
should be easy and a substantial improvement over what we have now -- 
that is, nothing.
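
The check proposed above, as an added example that is not part of the original post and is not DTrace's own code. The table entries, the kind values, the macro stand-ins and the destructive_ok flag (standing in for the result of the dtrace_getopt() lookup) are assumptions made so the block compiles by itself.

```c
#include <stdio.h>

/* Stand-ins so this compiles alone; the real definitions are in DTrace's headers. */
typedef unsigned int dtrace_actkind_t;
#define DTRACEACT_PROC_DESTRUCTIVE	0x0200	/* assumed value */
#define DTRACEACT_KERNEL_DESTRUCTIVE	0x0400	/* assumed value */
#define DTRACEACT_CLASS(x)		((x) & 0xff00)
#define DTRACEACT_ISDESTRUCTIVE(x) \
	(DTRACEACT_CLASS(x) == DTRACEACT_PROC_DESTRUCTIVE || \
	 DTRACEACT_CLASS(x) == DTRACEACT_KERNEL_DESTRUCTIVE)

typedef void act_fn(const char *name, dtrace_actkind_t kind);
typedef struct { const char *name; act_fn *fun; dtrace_actkind_t kind; } act_t;

static int n_emitted;	/* counts actions that reached code generation */
static void emit(const char *name, dtrace_actkind_t kind) { (void)name; (void)kind; n_emitted++; }

/* Hypothetical table in the spirit of _dt_cg_actions[]; kind is set only where destructive. */
enum { ACT_PRINTF, ACT_TRACE, ACT_RAISE, ACT_PANIC, ACT_CHILL };
static const act_t actions[] = {
	[ACT_PRINTF] = { "printf", emit, 0 },
	[ACT_TRACE]  = { "trace",  emit, 0 },
	[ACT_RAISE]  = { "raise",  emit, DTRACEACT_PROC_DESTRUCTIVE + 2 },
	[ACT_PANIC]  = { "panic",  emit, DTRACEACT_KERNEL_DESTRUCTIVE + 2 },
	[ACT_CHILL]  = { "chill",  NULL, DTRACEACT_KERNEL_DESTRUCTIVE + 3 }, /* not implemented */
};

/* Returns 0 if the action may be compiled, -1 if it is refused. */
int cg_action(int idx, int destructive_ok)
{
	const act_t *actdp = &actions[idx];
	/* Gate first, so an unimplemented destructive action is refused, not skipped. */
	if (DTRACEACT_ISDESTRUCTIVE(actdp->kind) && !destructive_ok) {
		fprintf(stderr, "%s(): destructive actions not allowed\n", actdp->name);
		return -1;
	}
	if (actdp->fun)
		actdp->fun(actdp->name, actdp->kind);
	return 0;
}

int main(void)
{
	printf("raise without -w: %d\n", cg_action(ACT_RAISE, 0));
	printf("raise with -w:    %d\n", cg_action(ACT_RAISE, 1));
	return 0;
}
```

The gate is only as complete as the table: a destructive action whose kind is left at 0 passes the check, so every destructive entry needs its kind filled in before this is relied on.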



