From owner-svn-src-all@FreeBSD.ORG Fri Jul 11 09:56:01 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8B4A06CB; Fri, 11 Jul 2014 09:56:01 +0000 (UTC) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2D2312605; Fri, 11 Jul 2014 09:56:01 +0000 (UTC) Received: from tom.home (kib@localhost [127.0.0.1]) by kib.kiev.ua (8.14.9/8.14.9) with ESMTP id s6B9tpow051681 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 11 Jul 2014 12:55:51 +0300 (EEST) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.8.3 kib.kiev.ua s6B9tpow051681 Received: (from kostik@localhost) by tom.home (8.14.9/8.14.9/Submit) id s6B9tpCI051678; Fri, 11 Jul 2014 12:55:51 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Fri, 11 Jul 2014 12:55:51 +0300 From: Konstantin Belousov To: Mateusz Guzik Subject: Re: svn commit: r267760 - head/sys/kern Message-ID: <20140711095551.GA93733@kib.kiev.ua> References: <201406230128.s5N1SIYK097224@svn.freebsd.org> <20140623064044.GD93733@kib.kiev.ua> <20140623070652.GA27040@dft-labs.eu> <20140623072519.GE93733@kib.kiev.ua> <20140623080501.GB27040@dft-labs.eu> <20140623081823.GG93733@kib.kiev.ua> <20140623131653.GC27040@dft-labs.eu> <20140623163523.GK93733@kib.kiev.ua> <20140711024351.GA18214@dft-labs.eu> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="HrG051WEavH+0eil" Content-Disposition: inline In-Reply-To: <20140711024351.GA18214@dft-labs.eu> User-Agent: Mutt/1.5.23 (2014-03-12) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on tom.home Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Mateusz Guzik X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Jul 2014 09:56:01 -0000 --HrG051WEavH+0eil Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jul 11, 2014 at 04:43:51AM +0200, Mateusz Guzik wrote: > On Mon, Jun 23, 2014 at 07:35:23PM +0300, Konstantin Belousov wrote: > > On Mon, Jun 23, 2014 at 03:16:53PM +0200, Mateusz Guzik wrote: > > > If traversal while transition to P_INEXEC is allowed, execve dealing > > > with a setuid binary is problematic. This is more of hypothetical nat= ure, > > > but with sufficienly long delay it could finish the syscall and start > > > opening some files, which paths would now be visible for an unprivile= ged > > > reader. > > >=20 > > > That said, I propose adding a counter to struct proc which would which > > > would block execve. It would be quite similar to p_lock. > > I thought about this too. In fact, I considered using PHOLD for this. > >=20 > > >=20 > > > iow execve would: > > >=20 > > > PROC_LOCK(p); > > > p->p_flag |=3D P_INEXEC;=20 > > > while (p->p_execlock > 0) > > > msleep(&p->p_execlock, &p->p_mtx, PWAIT, "execlock", = 0); > > > PROC_UNLOCK(p); > > >=20 > > > And it would be mandatory for external fdp consumers to grab the coun= ter. > > >=20 > > > I'm tempted to add P_GETPIN which would both increase p_lock and p_ex= eclock, > > > that way the process is guaranteed not to exit and not to execve even > > > after proc lock is dropped. > > See above about PHOLD. > >=20 > > >=20 > > > There is a separate question if p_execlock should be renamed and > > > extended to also block any kind of credential changes. > > >=20 > > > Then the guarantee is even stronger since we know that credentials we > > > checked against are not going to change for the duration of our > > > operations, but it is unclear if we need this. > >=20 > > If doing separate execlock/p_lock, I think that it could be possible > > to use per-process sx lock instead of hand-rolling the counter. The > > accessors would lock sx shared, while kern_execve would take it in > > exclusive mode. >=20 > Both patches need some cleaning up. The name 'keeplock' is no exactly > the best either. >=20 > In both cases the same mechanism blocks both exec and exit, this can be > split if needed (p_lock would still cover exit, p_something would cover > exec). >=20 > Here is a version with sx lock: >=20 > http://people.freebsd.org/~mjg/patches/exec-exit-hold-wait.patch >=20 > I'm not really happy with this. Reading foreign fdt is very rare and > this adds lock + unlock for every exec and exit. >=20 > On the other hand mere counter version is rather simple: >=20 > http://people.freebsd.org/~mjg/patches/exec-exit-hold-nolock.patch >=20 > I don't have strong opinion here, but prefer the latter. I suggest the name 'imagelock' for the beast. The nolock version requires two atomics on both entry and leave from the protected region, while sx-locked variant requires only one atomic for entry and leave. I am not sure why you decided to acquire p->p_keeplock in after the proc lock in pget(), which indeed causes the complications of dropping the proc_lock and rechecking to avoid LOR. Did you tried to add a flag to pfind*() functions to indicate that p_keeplock should be acquired, instead ? --HrG051WEavH+0eil Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBAgAGBQJTv7SnAAoJEJDCuSvBvK1BAYgQAKl+bSs59vopapEjbicfPH9W S0BdPmWjIJcFIsrO6YTGtqMMXs5z3oCx3f1CvnbaSQ/NNqYIpexlSoo3CmI3sECe AJ5HAJfPT36EdAwNeISkHk2QJklal3quR4pSH4c4deMw1+ssf9U3IFTqIamA9PyI ncTCgNkxaBG+ChYxBfVf80xUoX/hiwwd4CKxiBTj4GxIOEsvPmX7lzzun3S77ySP fTm5gpavscdGVVLuQDzkOKrgSM1KVi75hUF3MBWjRVGl2CnwoQxvpqzr1PL0H+5v t6QtpW3eD05yN3rObAC7T/j6jMnhUZtkVmod10iJqWGc0IKJSRvXRYNLn9Gxfb8F 0DmDzOw7IGBkqgN2BvUJPLOld11pQqgoacwdIm9c8kiwB0RpNzjdPBdeNjj9qRhq VHIStZUwu3viYtkLBaKXqRYVJZplLDR/3R4v7j9bTzX5FLhUkouy4yOC00RBKpSQ 78AYIdEE1Zf2OM4pPdhqRlihdVMiGH7RLefDYmfb7Jiq25xazcLb9r3vhT/B2txZ G3TyE1I/Hrc2zX6d8hxIh5VzfHSd46DZBBfl3q5caE7mMfmiy+wkMUkRsDUJO2wz VGvM8nN+UJXUofocZJEm5znz3zg8gOzzBWzBiMx8F7gzfoCfJ4IgRUNTGwGExXx/ taAGadfSavLPUIQDHXxa =QOFj -----END PGP SIGNATURE----- --HrG051WEavH+0eil--