Hi Diego:
Interestingly this same issue came up on another alias today.
Amjad Khan responded with the following detailed and useful
suggestion. Hope this helps you as well.
<Amjad's message>
When a zone is created in the kernel there is a default set of "safe"
privileges which are used as a mask for all processes that run inside
the zone. These privileges are "safe" in the sense that a privileged
process in the zone cannot affect processes in other non-global zones
on the system or in the global zone. Many of the "unsafe" privileges
are ones which affect a global resource, such as the Real Time (RT),
system clock or physical memory.
A number of customers have requested the ability to augment this
default set of privileges with the understanding that changes in the
zone's privilege set may open up a security window or allow processes
in one zone to be able to affect processes in other zones by being
able to control a global resource. The Solaris development team
decided to leave the default set of privileges for a non-global zone
unchanged. In order to specify a different privilege mask, a zonecfg
global property is introduced, "limitpriv", which is modeled after the
key of the same name in the user_attr database. The property value
should be a comma-separated privilege set as specified by
priv_str_to_set. The "dtrace_proc" privilege has been introduced to
delegate a privilege to a zone so that dtrace can be used within a
non-global zone. One should be able to modify the zone configuration for
the existing zone or set the privilege at the time of creating a new zone.
% zonecfg -z zonetest1
For only dtrace privilege
% zonecfg:zonetest1> set limitpriv="default,dtrace_proc,dtrace_user"
% zonecfg:zonetest1> info => listing, note the newly added privilege is listed
% zonecfg:zonetest1> verify
% zonecfg:zonetest1> commit
NOTE: The zone would need to be restarted for this to take effect if
the existing running zone is modified. Privileges are added to non-
global zones by the global zone administrator only.
Once the dtrace privilege is delegated to a zone then you should be
able to use it in that particular non-global zone.
Hope this helps
Angelo
On Dec 2, 2008, at 9:38 AM, Diego Lima wrote:
> Hello,
>
> I have a Solaris 10 machine and I was trying out dtrace. I downloaded
> some scripts (iotop, errorinfo, prustat) and they all show this error:
>
> dtrace: invalid probe specifier
>
> along with other errors such as:
>
> probe description dtrace:::BEGIN does not match any probes (iotop)
> probe description syscall:::return does not match any probes
> (errorinfo)
>
> I'm running dtrace from inside a zone and SUNWdtrc is properly
> installed. Any ideas as to what is going on?
>
> Thank you!
>
> Diego Lima
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss at opensolaris.org
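
Added example (not part of the original thread or of Amjad's message): a shell function a global-zone administrator could use to review a limitpriv value like the one set above, reporting whether both DTrace privileges are delegated and which other privileges were added beyond "default". The function name, output format and sample values are constructed for illustration; it only parses a string and does not call zonecfg.

```shell
#!/bin/sh
# Added example: review a zone's limitpriv value (string parsing only).

# audit_limitpriv VALUE
#   VALUE is the property value, with or without a leading "limitpriv:".
#   Prints: dtrace=<yes|partial|no> extra=<comma list|none>
#   "extra" = privileges added on top of "default" other than the two
#   DTrace ones; each widens what the zone can do and deserves review.
audit_limitpriv() {
    value=$(printf '%s' "$1" | tr -d ' \t"')
    value=${value#limitpriv:}
    [ -n "$value" ] || value=default   # empty is treated as the default mask
    p=0 u=0 extra=""
    old_ifs=$IFS; IFS=,
    set -f                             # no filename expansion while splitting
    for tok in $value; do
        case $tok in
            default|'') ;;             # the stock "safe" set
            '!'*|-*) ;;                # removals only narrow the mask
            dtrace_proc) p=1 ;;
            dtrace_user) u=1 ;;
            *) extra="${extra:+$extra,}$tok" ;;
        esac
    done
    set +f; IFS=$old_ifs
    case $((p + u)) in
        2) d=yes ;;
        1) d=partial ;;
        *) d=no ;;
    esac
    printf 'dtrace=%s extra=%s\n' "$d" "${extra:-none}"
}

# Constructed sample values (zone names other than zonetest1 are made up).
for sample in \
    'zonetest1|default,dtrace_proc,dtrace_user' \
    'zonetest2|default,dtrace_proc' \
    'zonetest3|default,dtrace_proc,dtrace_user,sys_time' \
    'zonetest4|'
do
    printf '%-10s %s\n' "${sample%%|*}" "$(audit_limitpriv "${sample#*|}")"
done
```

A "partial" result means only one of the two DTrace privileges is present; any name under "extra" (sys_time in the third sample) is a privilege over a global resource of the kind the message describes as outside the default safe set.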