Date: Tue, 14 May 2013 17:37:00 -0400 From: John Baldwin <jhb@FreeBSD.org> To: Jilles Tjoelker <jilles@stack.nl> Cc: Konstantin Belousov <kostikbel@gmail.com>, arch@freebsd.org Subject: Re: Extending MADV_PROTECT Message-ID: <5192AE7C.10105@FreeBSD.org> In-Reply-To: <20130514192115.GA34869@stack.nl> References: <201305071433.27993.jhb@freebsd.org> <201305090814.52166.jhb@freebsd.org> <20130509123147.GT3047@kib.kiev.ua> <201305101535.50633.jhb@freebsd.org> <20130514192115.GA34869@stack.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
On 5/14/13 3:21 PM, Jilles Tjoelker wrote:
> On Fri, May 10, 2013 at 03:35:50PM -0400, John Baldwin wrote:
>> [snip]
>> +int
>> +kern_procctl(struct thread *td, idtype_t idtype, id_t id, u_long com,
>> + void *data)
>> +{
>> [snip]
>> + case P_PGID:
>> + /*
>> + * Attempt to apply the operation to all members of the
>> + * group. Ignore processes in the group that can't be
>> + * seen. Stop on the first error encountered.
>> + */
>> + pg = pgfind(id);
>> + if (pg == NULL) {
>> + error = ESRCH;
>> + break;
>> + }
>> + PGRP_UNLOCK(pg);
>> + error = ESRCH;
>> + LIST_FOREACH(p, &pg->pg_members, p_pglist) {
>> + PROC_LOCK(p);
>> + if (p->p_state == PRS_NEW ||
>> + p_cansee(td, p) != 0) {
>> + PROC_UNLOCK(p);
>> + continue;
>> + }
>> + error = kern_procctl_single(td, p, com, data);
>> + PROC_UNLOCK(p);
>> + if (error)
>> + break;
>> + }
>> + break;
>
> I think it does not really make sense that the set of affected processes
> depends on the order in &pg->pg_members.
>
> Comparing other functions, kill() returns success if it could signal any
> process (even it could not signal other processes matched by the
> argument). This is also most consistent with general POSIX/Unix
> philosophy that a function only fails if it committed no change (but
> there are various places where this is not the case). On the other hand,
> setpriority() affects all matches processes it can but returns an error
> if any one fails, even if some other process was affected.
>
> All this is not very important for process protection because it
> requires root privileges anyway but future procctl commands may well be
> accessible to normal users (I'm thinking of avoiding proliferation of
> pd* calls in particular).
I originally used that approach in pprotect() since that is what ktrace
uses. I did it this way in procctl() to err on the side of reporting
errors vs not, but I can easily change it. This is something I wasn't
sure of and very much appreciate feedback on.
Do you have any thoughts on having this be more ioctl-like ("automatic"
copyin/out and size encoded in cmd) vs ptrace-like (explicit sizes and
in/out keyed off of command)?
--
John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5192AE7C.10105>