From owner-freebsd-arch@FreeBSD.ORG  Mon May 20 22:28:40 2013
Return-Path: <owner-freebsd-arch@FreeBSD.ORG>
Delivered-To: arch@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id DA06383E;
 Mon, 20 May 2013 22:28:40 +0000 (UTC) (envelope-from jilles@stack.nl)
Received: from mx1.stack.nl (unknown [IPv6:2001:610:1108:5012::107])
 by mx1.freebsd.org (Postfix) with ESMTP id A4C9CA0A;
 Mon, 20 May 2013 22:28:40 +0000 (UTC)
Received: from snail.stack.nl (snail.stack.nl [IPv6:2001:610:1108:5010::131])
 by mx1.stack.nl (Postfix) with ESMTP id 5F2AA1203B1;
 Tue, 21 May 2013 00:28:26 +0200 (CEST)
Received: by snail.stack.nl (Postfix, from userid 1677)
 id 3620A28493; Tue, 21 May 2013 00:28:26 +0200 (CEST)
Date: Tue, 21 May 2013 00:28:26 +0200
From: Jilles Tjoelker <jilles@stack.nl>
To: John Baldwin <jhb@FreeBSD.org>
Subject: Re: Extending MADV_PROTECT
Message-ID: <20130520222825.GB43407@stack.nl>
References: <201305071433.27993.jhb@freebsd.org>
 <201305090814.52166.jhb@freebsd.org>
 <20130509123147.GT3047@kib.kiev.ua>
 <201305101535.50633.jhb@freebsd.org>
 <20130514192115.GA34869@stack.nl> <5192AE7C.10105@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5192AE7C.10105@FreeBSD.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Konstantin Belousov <kostikbel@gmail.com>, arch@freebsd.org
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2013 22:28:40 -0000

On Tue, May 14, 2013 at 05:37:00PM -0400, John Baldwin wrote:
> On 5/14/13 3:21 PM, Jilles Tjoelker wrote:
> > All this is not very important for process protection because it
> > requires root privileges anyway but future procctl commands may well be
> > accessible to normal users (I'm thinking of avoiding proliferation of
> > pd* calls in particular).

> I originally used that approach in pprotect() since that is what ktrace
> uses.  I did it this way in procctl() to err on the side of reporting
> errors vs not, but I can easily change it.  This is something I wasn't
> sure of and very much appreciate feedback on.

> Do you have any thoughts on having this be more ioctl-like ("automatic"
> copyin/out and size encoded in cmd) vs ptrace-like (explicit sizes and
> in/out keyed off of command)?

If it is ioctl-like, it is possible to redirect ioctl() on a process
descriptor to procctl and use cap_ioctls_limit() infrastructure. I'm not
sure Capsicum people actually like that, though.

In either case, it is possible to have a P_PROCDESC to affect a process
by process descriptor. Capsicum may then need more CAP_*.

-- 
Jilles Tjoelker