Extending MADV_PROTECT
Konstantin Belousov
kostikbel at gmail.com
Tue Jul 16 17:16:53 UTC 2013
On Tue, Jul 16, 2013 at 11:30:40AM -0400, John Baldwin wrote:
> On Saturday, July 13, 2013 1:58:35 pm Konstantin Belousov wrote:
> > On Fri, Jul 12, 2013 at 05:48:57PM -0400, John Baldwin wrote:
> > > On Friday, June 28, 2013 2:46:01 pm John Baldwin wrote:
> > > > Ok, there isn't really a clear consensus here, but I need a system call to let
> > > > me toggle this flag on existing processes.
> > > >
> > > > One reason I don't like the procctl() approach is I am uneasy about forcing
> > > > a certain behavior for how commands treat pgid (first-fail vs best-effort).
> > > > I guess it can always change in the future so that isn't completely unsolvable.
> > > >
> > > > I guess I am fine just making it use hardcoded sizes instead of full-blown
> > > > ioctl encoding.
> > >
> > > Ok, I have updated patches for this for HEAD. I have not yet implemented the
> > > inheritance bits because I'm loathe to add the first bit to a p_flag2. :-P
> > > However, if that's the best course of action I suppose we can do that.
> > >
> > > The kernel patch is at www.freebsd.org/~jhb/patches/procctl.patch
> > >
> > > The patch for the protect binary is at www.freebsd.org/~jhb/patches/protect.patch
> > >
> >
> > It seems that p_cansee() is called twice, once in kern_procctl(), and
> > then in protect_setchild().
>
> Yes, this is because protect_setchild() can descend to child processes, and
> you might not be able to "see" a child process if it exec'd a suid binary, etc.
>
> > Is AUE_WAIT6 the correct audit event id for procctl ?
>
> Nope. (It probably needs a new one?)
Yes, probably needs a new id.
>
> > I thought proposing to use pget() for P_PID case in kern_procctl(), but
> > indeed open coding of the process lookup is easier, since otherwise
> > you would need to move proctree_lock acquisition to P_PGID.
> >
> > Why do you need PPROT_CLEAR ? If you do need the flag, would it be better
> > to assign a non-zero value to it ?
>
> I need it for 'protect -c' which is similar to 'ktrace -C'. That is, to
> allow protection to be removed from existing processes. I added a constant
> for it to make the code clear as the caller should pick one of PPROT_SET
> or PPROT_CLEAR (kind of like MAP_PRIVATE vs MAP_SHARED for mmap(2)). Otherwise
> you would have 'procctl(..., PROC_SPROTECT, 0)' which is not as obvious
> to me as ', PPROT_CLEAR)'. Also, you can do 'PPROT_CLEAR | PPROT_DESCEND'
> to clear it for all descendants. Having 'PPROT_SET | PPROT_DESCEND' to set
> it for descendenats and just 'PPROT_DESCEND' to clear for descendants doesn't
> seem as readable.
Well, I think that assigning non-zero value is justified.
>
> Do you have any thoughts on p_flag2 (vs some other approach, possibly I
> should create a new field for oom-specific flags instead since we may
> eventually store a priority there?)
p_flag2 is inevitable, it seems. It would be added now, or, even if you
could avoid this, in the nearest future. I do not like mixing a flag
and a priority-like field.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 834 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-arch/attachments/20130716/affdbae6/attachment.sig>
More information about the freebsd-arch
mailing list