[Bug 178396] [kernel] [patch] Add jid to kernel log when a process has been forced closed

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jan 6 05:32:46 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=178396

Mateusz Guzik <mjg at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mjg at FreeBSD.org

--- Comment #4 from Mateusz Guzik <mjg at FreeBSD.org> ---
The feature is definitely desirable.

I would argue the complete solution would just support jail-aware dmesgs and
print jail-specific stuff with appropriate prefix to the 'main'
dmesg. This would require some effort and may be off the table for now.

Regardless, it would be good if the new message here got the format one would
expect to see in the more advanced case.

There is a further issue with increased infoleaks - now not only do you learn what
segfaulting programs are being used by other jails, you get their (host)names.

Either way, the patch is wrong:

+                       if (jailed(p->p_ucred)) {
+                               char buf[MAXHOSTNAMELEN + 3];
+                               if (strcmp(p->p_ucred->cr_prison->pr_hostname,
"") != 0) {
+                                       sprintf(buf, " (%s)",
p->p_ucred->cr_prison->pr_hostname);
+                               } else {
+                                       *buf = '\0';
+                               }
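
Review bot: The `sprintf(buf, " (%s)", ...)` call is unbounded, and the `MAXHOSTNAMELEN + 3` buffer has no slack: " (", ")" and the terminating NUL take four bytes, so it only fits if `pr_hostname` is NUL-terminated within MAXHOSTNAMELEN bytes. Use `snprintf(buf, sizeof(buf), ...)` instead. `pr_hostname` is also read twice (in `strcmp` and again in `sprintf`) with no lock taken in the visible lines, so the two reads can observe different contents; copy it once into a local buffer and test and format that copy.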

This should have used getcredhostname, assuming hostname is desirable. I would
argue hostname is not the field you are interested in - after all, jail can
change it. Instead, you should obtain jail name.

Also, this patch does not handle hierarchical jails.

+                               log(LOG_INFO,
+                                   "pid %d (%s), uid %d, jid %d%s: exited on
signal %d%s\n",
+                                   p->p_pid, p->p_comm,
+                                   td->td_ucred->cr_uid,
+                                   p->p_ucred->cr_prison->pr_id,
+                                   buf,
+                                   sig &~ WCOREFLAG,
+                                   sig & WCOREFLAG ? " (core dumped)" : "");
+                       } else {
+                               log(LOG_INFO,
+                                   "pid %d (%s), uid %d: exited on signal
%d%s\n",
+                                   p->p_pid, p->p_comm,
+                                   td->td_ucred ? td->td_ucred->cr_uid : -1,
+                                   sig &~ WCOREFLAG,
+                                   sig & WCOREFLAG ? " (core dumped)" : "");
+                       }
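
Review bot: The jailed branch dereferences `td->td_ucred->cr_uid` unconditionally, while the else branch guards the same pointer with `td->td_ucred ? ... : -1`; the NULL check is needed in both branches or in neither. The jail test and `pr_id` are also taken from `p->p_ucred` while the uid comes from `td->td_ucred`, so take every field from one credential so the line describes a single identity.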

As a nit, this should have been handled with one log() call. Missing optional
jail bit could be provided with a pointer to "".

That said, I would be in favor of messages like this one:
[$jailname] $msg

That is:
pid 857 (perl), uid 1001: exited on signal 6

is turned into:
[foo] pid 857 (perl), uid 1001: exited on signal 6

Assuming jail name is 'foo'. For hierarchical jails this would be [foo.bar].

-- 
You are receiving this mail because:
You are the assignee for the bug.
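
The single-call formatting and `[$jailname]` prefix suggested in the comment above, modelled in userland C as an added example (not the submitted patch and not FreeBSD kernel code). `format_exit_msg`, `MODEL_COREFLAG` and `MODEL_JAILNAME_MAX` are hypothetical names, and the caller is assumed to supply the jail name.

```c
/* Added example: userland model, not FreeBSD kernel code. */
#include <stdio.h>
#include <string.h>

#define MODEL_COREFLAG     0x80   /* stands in for WCOREFLAG in this model */
#define MODEL_JAILNAME_MAX 256    /* assumed bound on the jail name length */

/*
 * Build the exit-on-signal line with one format call for both cases.
 * jailname is NULL or "" for an unjailed process; otherwise it is the
 * jail name, which may be hierarchical (e.g. "foo.bar").
 * Returns 0 on success, -1 if the prefix or the line would be truncated.
 */
int
format_exit_msg(char *out, size_t outlen, const char *jailname,
    int pid, const char *comm, int uid, int sig)
{
	char prefix[MODEL_JAILNAME_MAX + 4];  /* "[" + name + "] " + NUL */
	const char *pfx = "";                 /* missing jail bit: pointer to "" */
	int n;

	if (jailname != NULL && jailname[0] != '\0') {
		n = snprintf(prefix, sizeof(prefix), "[%s] ", jailname);
		if (n < 0 || (size_t)n >= sizeof(prefix))
			return (-1);          /* refuse to log a cut-off name */
		pfx = prefix;
	}
	n = snprintf(out, outlen,
	    "%spid %d (%s), uid %d: exited on signal %d%s\n",
	    pfx, pid, comm, uid, sig & ~MODEL_COREFLAG,
	    (sig & MODEL_COREFLAG) ? " (core dumped)" : "");
	if (n < 0 || (size_t)n >= outlen)
		return (-1);
	return (0);
}

int
main(void)
{
	char line[512];

	/* Constructed sample values, taken from the example in the comment. */
	if (format_exit_msg(line, sizeof(line), "foo.bar", 857, "perl", 1001, 6) == 0)
		fputs(line, stdout);
	return (0);
}
```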

