Date: Mon, 17 Apr 2023 14:39:03 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: "Simon J. Gerraty" <sjg@juniper.net>
Cc: "Stephen J. Kiernan" <stevek@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 4819e5aeda4e - main - Add new privilege PRIV_KDB_SET_BACKEND
Message-ID: <ZD0v19gDgWpMH8ya@kib.kiev.ua>
In-Reply-To: <11356.1681707027@kaos.jnpr.net>
References: <202304161838.33GIcJiX079190@gitrepo.freebsd.org> <ZDxe9Jux8fbqBtHV@kib.kiev.ua> <11356.1681707027@kaos.jnpr.net>

On Sun, Apr 16, 2023 at 09:50:27PM -0700, Simon J. Gerraty wrote:
> Konstantin Belousov <kostikbel@gmail.com> wrote:
> > > @@ -484,6 +485,11 @@ int
> > > kdb_dbbe_select(const char *name)
> > > {
> > > struct kdb_dbbe *be, **iter;
> > > + int error;
> > > +
> > > + error = priv_check(curthread, PRIV_KDB_SET_BACKEND);
> > priv_check() fails for a jailed, or even simply non-root, process.
> > kdb_dbbe_select() is called from a random context, e.g. from
> > kdb_alt_break_gdb(), where it inherits whatever thread was running
> > at the moment of the break to the debugger.
>
> That sounds like a bug?
Definitely.
>
> > In other words, this function no longer works reliably.
> >
> > > + if (error)
> > > + return (error);
> > >
> > > SET_FOREACH(iter, kdb_dbbe_set) {
> > > be = *iter;
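Review bot: The priv_check(curthread, PRIV_KDB_SET_BACKEND) call at the top of kdb_dbbe_select() gates every caller on whatever curthread happens to be, including paths such as kdb_alt_break_gdb() raised in this thread, where that thread is not the one asking for the backend change. Consider performing the check in the caller that services a user request and leaving kdb_dbbe_select() itself unconditional, or at least documenting above the function that it may only be called where curthread's credentials are meaningful. As a style point, `if (error)` on an int would read better as `if (error != 0)`.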
> > > diff --git a/sys/sys/priv.h b/sys/sys/priv.h
> > > index 20bfc7312ce3..cb4dcecea4aa 100644
> > > --- a/sys/sys/priv.h
> > > +++ b/sys/sys/priv.h
> > > @@ -515,10 +515,15 @@
> > > #define PRIV_KMEM_READ 680 /* Open mem/kmem for reading. */
> > > #define PRIV_KMEM_WRITE 681 /* Open mem/kmem for writing. */
> > >
> > > +/*
> > > + * Kernel debugger privileges.
> > > + */
> > > +#define PRIV_KDB_SET_BACKEND 690 /* Allow setting KDB backend. */
> > > +
> > > /*
> > > * Track end of privilege list.
> > > */
> > > -#define _PRIV_HIGHEST 682
> > > +#define _PRIV_HIGHEST 691
> > >
> > > /*
> > > * Validate that a named privilege is known by the privilege system. Invalid
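Review bot: _PRIV_HIGHEST jumps from 682 to 691 while the only new definition is PRIV_KDB_SET_BACKEND at 690, so 682 through 689 now fall below the end-of-list marker without a named privilege. If the gap is intentional so that a new group starts at 690, say so in the "Kernel debugger privileges." comment; otherwise number the new privilege 682 and set _PRIV_HIGHEST to 683.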
