Date: Sat, 6 Jan 2007 11:14:01 -0800 From: Jonathan Dama <jon@ugcs.caltech.edu> To: freebsd-arch@freebsd.org Cc: Ed Schouten <ed@fxq.nl> Subject: [ed@fxq.nl: Request for PTY/devfs changes] Message-ID: <20070106191401.GC8574@heave.ugcs.caltech.edu>
next in thread | raw e-mail | index | archive | help
I am forwarding this message that was posted to -current to -arch where hopefully it is unlikely to get lost in the noise. ----- Forwarded message from Ed Schouten <ed@fxq.nl> ----- Hello everyone, A few days ago I started to toy around with FreeBSD 7.x and jails with unionfs. After a few hours I got to know the dreaded 'zombie jail' bug (PR kern/89528). I've been reading a lot of kernel source the last few days and I think I now understand a lot of existing problems in the current code. There are a couple of bugs in the FreeBSD kernel that aren't hard to cure, but will lead to a better PTY implementation: - Dev_clone event handlers cannot determine whether a LOOKUP or a CREATE is performed. When you create a small script that performs a stat() on /dev/ptyp0 to /dev/ptySv, you create a bunch of device nodes that aren't bound to a real pty controller (which leads to ucred 'leaks'). Only invoking the event handler when a CREATE is performed simplifies the entire pty design, because we could immediately construct the pty structure. The pts code also suffers from this bug. A simple stat() on /dev/ptmx causes a pts to be created. - Both the pty and pts source contain some small checks to make sure you can't open pty's from other jails. A downside of this approach is that you can see all the system's pty's in /dev. This is thus a small information leak. A nicer implementation that would even be more generic would be to add a flag to cdevsw's d_flags called D_PRISONOWNED. When this flag is set, lookup()'s and readdir()'s inside a jail don't return objects that don't have the same prison as the caller. open() should have a small check to disallow access outside the jail and when not root. PRIV_TTY_PRISON could then be renamed to PRIV_DEVFS_PRISON. When the D_PRISONOWNED flag is unset, make_dev_credv() should make sure cr_prison inside cdev's si_cred is unset to prevent prison leaks. When both changes are implemented, the pty/pts code itself could be changed to be a lot more simple. I would love to send in the patches, but I first like to hear your opinions on this subject. Are my findings correct? If not, why? -- Ed Schouten <ed@fxq.nl> WWW: http://g-rave.nl/ ----- End forwarded message -----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070106191401.GC8574>