svn commit: r279335 - in user/dchagin/lemul/sys: compat/linprocfs fs/procfs fs/pseudofs modules/procfs
Chagin Dmitry
dchagin at freebsd.org
Thu Mar 5 21:57:14 UTC 2015
On Thu, Mar 05, 2015 at 09:45:52PM +0100, Mateusz Guzik wrote:
> On Fri, Feb 27, 2015 at 10:53:29PM +0300, Chagin Dmitry wrote:
> > On Thu, Feb 26, 2015 at 11:03:42PM +0100, Mateusz Guzik wrote:
> > > On Thu, Feb 26, 2015 at 09:30:41PM +0000, Dmitry Chagin wrote:
> > > > +int
> > > > +procfs_dofdlink(PFS_FILL_ARGS)
> > > > +{
> > > > + char *fullpath, *freepath, *endfileno;
> > > > + struct filedesc *fdp;
> > > > + struct vnode *vp;
> > > > + struct file *fp;
> > > > + int fileno, error;
> > > > +
> > > > + if (vnode_name == NULL)
> > > > + return (ENOENT);
> > > > +
> > > > + fileno = (int)strtol(vnode_name, &endfileno, 10);
> > > > + if (fileno == 0 && (vnode_namelen > 1 ||
> > > > + (vnode_namelen == 1 && vnode_name[0] != '0')))
> > > > + return (ENOENT);
> > > > + if (vnode_namelen != endfileno - vnode_name)
> > > > + return (ENOENT);
> > > > +
> > > > + fdp = fdhold(p);
> > > > + if (fdp == NULL)
> > > > + return (ENOENT);
> > > > +
> > > > + error = fget_unlocked(fdp, fileno, NULL, &fp, NULL);
> > > > + if (error != 0)
> > > > + goto out;
> > > > +
> > > > + freepath = NULL;
> > > > + fullpath = "-";
> > > > + vp = fp->f_vnode;
> > > > + if (vp != NULL) {
> > > > + vref(vp);
> > > > + error = vn_fullpath(td, vp, &fullpath, &freepath);
> > > > + vrele(vp);
> > > > + }
> > > > + if (error == 0)
> > > > + error = sbuf_printf(sb, "%s", fullpath);
> > > > + if (freepath != NULL)
> > > > + free(freepath, M_TEMP);
> > > > + fdrop(fp, td);
> > > > +
> > > > + out:
> > > > + fddrop(fdp);
> > > > + return (error);
> > > > +}
> > > >
> > >
> > >
> > > fdhold does not protect file descriptor table, it only makes sure struct
> > > filedesc itself is not freed.
> > >
> > > Here you need to lock it and inspect fd_refcnt. See e.g.
> > > kern_proc_filedesc_out.
> > >
> > pfs_readlink does a PHOLD and PRELE around calling fill method, is
> > this not enought?
> >
>
> This does not prevent execve, so you can dump data for a now-privileged
> process.
hmm, I think I begin to understand. Thanks
>
> > > While this guarantees data consistency, is in fact still incorrect since
> > > the process you are inspecing can exec setuid in the meantime and thus
> > > make security checks (if any performed) stale.
> > >
> > > I have an old WIP patch which provides appropriate interfaces to ensure
> > > stability of the process (no exit, no exec), but this needs additional
> > > changes. HOpefully i'll have the time to deal with it in March.
> > ok, give me see the patch, pls.
>
> http://people.freebsd.org/~mjg/patches/sx-imagelock.patch
>
modifying struct proc this way you break KBI
> afair there was a lor which needs to be resolved. something in devfs was
> taking proctree or allproc lock, which could be avoided.
>
> I don't remember the details, maybe i'll work on this this month.
>
> Feel free to debug it yourslef. :)
>
> --
> Mateusz Guzik <mjguzik gmail.com>
--
Have fun!
chd
More information about the svn-src-user
mailing list