svn commit: r367290 - head/sys/compat/linux

[Conrad Meyer]

Author: cem
Date: Tue Nov  3 02:10:54 2020
New Revision: 367290
URL: https://svnweb.freebsd.org/changeset/base/367290

Log:
  linux(4) prctl(2): Implement PR_[GS]ET_DUMPABLE
  
  Proxy the flag to the roughly analogous FreeBSD procctl 'TRACE'.
  
  TRACE-disabled processes are not coredumped, and Linux !DUMPABLE processes
  can not be ptraced.  There are some additional semantics around ownership of
  files in the /proc/[pid] pseudo-filesystem, which we do not attempt to
  emulate correctly at this time.
  
  Reviewed by:	markj (earlier version)
  Differential Revision:	https://reviews.freebsd.org/D27015

Modified:
  head/sys/compat/linux/linux_misc.c
  head/sys/compat/linux/linux_misc.h

Modified: head/sys/compat/linux/linux_misc.c
==============================================================================
--- head/sys/compat/linux/linux_misc.c	Tue Nov  3 01:38:16 2020	(r367289)
+++ head/sys/compat/linux/linux_misc.c	Tue Nov  3 02:10:54 2020	(r367290)
@@ -1937,7 +1937,7 @@ linux_prctl(struct thread *td, struct linux_prctl_args
 	int error = 0, max_size;
 	struct proc *p = td->td_proc;
 	char comm[LINUX_MAX_COMM_LEN];
-	int pdeath_signal;
+	int pdeath_signal, trace_state;
 
 	switch (args->option) {
 	case LINUX_PR_SET_PDEATHSIG:
@@ -1955,10 +1955,46 @@ linux_prctl(struct thread *td, struct linux_prctl_args
 		return (copyout(&pdeath_signal,
 		    (void *)(register_t)args->arg2,
 		    sizeof(pdeath_signal)));
+	/*
+	 * In Linux, this flag controls if set[gu]id processes can coredump.
+	 * There are additional semantics imposed on processes that cannot
+	 * coredump:
+	 * - Such processes can not be ptraced.
+	 * - There are some semantics around ownership of process-related files
+	 *   in the /proc namespace.
+	 *
+	 * In FreeBSD, we can (and by default, do) disable setuid coredump
+	 * system-wide with 'sugid_coredump.'  We control tracability on a
+	 * per-process basis with the procctl PROC_TRACE (=> P2_NOTRACE flag).
+	 * By happy coincidence, P2_NOTRACE also prevents coredumping.  So the
+	 * procctl is roughly analogous to Linux's DUMPABLE.
+	 *
+	 * So, proxy these knobs to the corresponding PROC_TRACE setting.
+	 */
+	case LINUX_PR_GET_DUMPABLE:
+		error = kern_procctl(td, P_PID, p->p_pid, PROC_TRACE_STATUS,
+		    &trace_state);
+		if (error != 0)
+			return (error);
+		td->td_retval[0] = (trace_state != -1);
+		return (0);
 	case LINUX_PR_SET_DUMPABLE:
-		linux_msg(td, "unsupported prctl PR_SET_DUMPABLE");
-		error = EINVAL;
-		break;
+		/*
+		 * It is only valid for userspace to set one of these two
+		 * flags, and only one at a time.
+		 */
+		switch (args->arg2) {
+		case LINUX_SUID_DUMP_DISABLE:
+			trace_state = PROC_TRACE_CTL_DISABLE_EXEC;
+			break;
+		case LINUX_SUID_DUMP_USER:
+			trace_state = PROC_TRACE_CTL_ENABLE;
+			break;
+		default:
+			return (EINVAL);
+		}
+		return (kern_procctl(td, P_PID, p->p_pid, PROC_TRACE_CTL,
+		    &trace_state));
 	case LINUX_PR_GET_KEEPCAPS:
 		/*
 		 * Indicate that we always clear the effective and

Modified: head/sys/compat/linux/linux_misc.h
==============================================================================
--- head/sys/compat/linux/linux_misc.h	Tue Nov  3 01:38:16 2020	(r367289)
+++ head/sys/compat/linux/linux_misc.h	Tue Nov  3 02:10:54 2020	(r367290)
@@ -50,6 +50,7 @@
 					 * Second arg is a ptr to return the
 					 * signal.
 					 */
+#define	LINUX_PR_GET_DUMPABLE	3
 #define	LINUX_PR_SET_DUMPABLE	4
 #define	LINUX_PR_GET_KEEPCAPS	7	/* Get drop capabilities on setuid */
 #define	LINUX_PR_SET_KEEPCAPS	8	/* Set drop capabilities on setuid */
@@ -61,6 +62,11 @@
 #define	LINUX_PR_SET_PTRACER	1499557217
 
 #define	LINUX_MAX_COMM_LEN	16	/* Maximum length of the process name. */
+
+/* For GET/SET DUMPABLE */
+#define	LINUX_SUID_DUMP_DISABLE	0	/* Don't coredump setuid processes. */
+#define	LINUX_SUID_DUMP_USER	1	/* Dump as user of process. */
+#define	LINUX_SUID_DUMP_ROOT	2	/* Dump as root. */
 
 #define	LINUX_MREMAP_MAYMOVE	1
 #define	LINUX_MREMAP_FIXED	2