From owner-svn-src-all@FreeBSD.ORG Mon Jun 23 16:35:31 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id ACD26C9C; Mon, 23 Jun 2014 16:35:31 +0000 (UTC) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 333DA2A49; Mon, 23 Jun 2014 16:35:31 +0000 (UTC) Received: from tom.home (kostik@localhost [127.0.0.1]) by kib.kiev.ua (8.14.9/8.14.9) with ESMTP id s5NGZNHP060814; Mon, 23 Jun 2014 19:35:23 +0300 (EEST) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.8.3 kib.kiev.ua s5NGZNHP060814 Received: (from kostik@localhost) by tom.home (8.14.9/8.14.8/Submit) id s5NGZNQv060813; Mon, 23 Jun 2014 19:35:23 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Mon, 23 Jun 2014 19:35:23 +0300 From: Konstantin Belousov To: Mateusz Guzik Subject: Re: svn commit: r267760 - head/sys/kern Message-ID: <20140623163523.GK93733@kib.kiev.ua> References: <201406230128.s5N1SIYK097224@svn.freebsd.org> <20140623064044.GD93733@kib.kiev.ua> <20140623070652.GA27040@dft-labs.eu> <20140623072519.GE93733@kib.kiev.ua> <20140623080501.GB27040@dft-labs.eu> <20140623081823.GG93733@kib.kiev.ua> <20140623131653.GC27040@dft-labs.eu> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="d6iqOn7HZPWKXx18" Content-Disposition: inline In-Reply-To: <20140623131653.GC27040@dft-labs.eu> User-Agent: Mutt/1.5.23 (2014-03-12) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on tom.home Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Mateusz Guzik X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jun 2014 16:35:31 -0000 --d6iqOn7HZPWKXx18 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jun 23, 2014 at 03:16:53PM +0200, Mateusz Guzik wrote: > On Mon, Jun 23, 2014 at 11:18:23AM +0300, Konstantin Belousov wrote: > > On Mon, Jun 23, 2014 at 10:05:01AM +0200, Mateusz Guzik wrote: > > > On Mon, Jun 23, 2014 at 10:25:19AM +0300, Konstantin Belousov wrote: > > > > On Mon, Jun 23, 2014 at 09:06:52AM +0200, Mateusz Guzik wrote: > > > > > The table is modified in these functions and is reachable from th= e rest > > > > > of the kernel (can be found by e.g. sysctl_kern_proc_filedesc), t= hus > > > > > XLOCK is needed to ensure consistency for readers. It can also be > > > > > altered by mountcheckdirs, although not in a way which disrupts a= ny of > > > > > these functions. > > > > I would think that such cases should be avoided by testing for P_IN= EXEC, > > > > but I do not insist on this. > > > >=20 > > >=20 > > > proc lock has to be dropped before filedesc lock is taken and I don't > > > see any way to prevent the proc from transitioning to P_INEXEC afterw= ards. > > > Since sysctl_kern_proc_filedesc et al can take a long time it does not > > > seem feasible to pursue this. > > >=20 >=20 > After a second look this problem has to be dealt with. >=20 > If traversal while transition to P_INEXEC is allowed, execve dealing > with a setuid binary is problematic. This is more of hypothetical nature, > but with sufficienly long delay it could finish the syscall and start > opening some files, which paths would now be visible for an unprivileged > reader. >=20 > That said, I propose adding a counter to struct proc which would which > would block execve. It would be quite similar to p_lock. I thought about this too. In fact, I considered using PHOLD for this. >=20 > iow execve would: >=20 > PROC_LOCK(p); > p->p_flag |=3D P_INEXEC;=20 > while (p->p_execlock > 0) > msleep(&p->p_execlock, &p->p_mtx, PWAIT, "execlock", 0); > PROC_UNLOCK(p); >=20 > And it would be mandatory for external fdp consumers to grab the counter. >=20 > I'm tempted to add P_GETPIN which would both increase p_lock and p_execlo= ck, > that way the process is guaranteed not to exit and not to execve even > after proc lock is dropped. See above about PHOLD. >=20 > There is a separate question if p_execlock should be renamed and > extended to also block any kind of credential changes. >=20 > Then the guarantee is even stronger since we know that credentials we > checked against are not going to change for the duration of our > operations, but it is unclear if we need this. If doing separate execlock/p_lock, I think that it could be possible to use per-process sx lock instead of hand-rolling the counter. The accessors would lock sx shared, while kern_execve would take it in exclusive mode. --d6iqOn7HZPWKXx18 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBAgAGBQJTqFdKAAoJEJDCuSvBvK1ByesP/3O3VMR+fSO9C4laRxens4do NOBAA1n7HiR6RlLNcynFk9POCcXycDJGTXezIRkDbEOmLa/OJSV0xU584s6QsJgO IcpbNf+kXTo5MPh5nuHHpaqc1OOGUATb0VvYg4+bOF/Oa/KfLgFe/oNW4oE+/FtQ pltr1NeFqRUcnx0M78vpVb1QraMZ/Rm2YxaRvTb/ZRn4es2pcARqa4rN3QHvgCjf zzkuyV1xYNqrBifD4j9K+zvjzy4q6x6NXWLHaqzjNGCYqmde1STvlhUwchToP2bl dx6VvY2awJpYZ1sMdhAmDAlOfd8LxWJGCygUfeQj8iLopAVaBZObDOKvtTl8jv9a PmYqzkI2/Z7Wo31z1TTEqSVMu9X940lBiX8J14YeNHIaF8mVG/xHDbqGaR8L3kr2 e5E2Xvk9Xx3s1Y8lCEkuurLip2cav2MN4jPEokEXyNASvz2HLlTm1OlBRf/Z0Alg AEssNhUkr8aZ6nKQr/cNSiptIAnMYxRWOM+mkiSrgXKVK1G5o4HRPHhgMSHe4fU3 KZ0LLa9WTx+m334/WdR0cDS7v4Dx8LMFuB2wumCwDoFmBU/md/c25nTXL2jgRZ5e 7VQgSkdb2ngmzmuakaSqYRQBDHMNbJVt/8p54KNMY/ooKLByx0ICE+6ttM2fQDCg Ro1HyH80rKXWB+7UtRrB =QEZ4 -----END PGP SIGNATURE----- --d6iqOn7HZPWKXx18--