From: Ed Schouten <ed@hoeg.nl>
To: FreeBSD Current <freebsd-current@freebsd.org>
Date: Sat, 6 Jan 2007 16:01:39 +0100
Subject: Request for PTY/devfs changes
Message-ID: <20070106150139.GB46094@hoeg.nl>

Hello everyone,

A few days ago I started to toy around with FreeBSD 7.x and jails with unionfs. After a few hours I got to know the dreaded 'zombie jail' bug (PR kern/89528). I've been reading a lot of kernel source the last few days and I think I now understand a lot of existing problems in the current code.

There are a couple of bugs in the FreeBSD kernel that aren't hard to cure, but will lead to a better PTY implementation:

- Dev_clone event handlers cannot determine whether a LOOKUP or a CREATE is performed. When you create a small script that performs a stat() on /dev/ptyp0 to /dev/ptySv, you create a bunch of device nodes that aren't bound to a real pty controller (which leads to ucred 'leaks'). Only invoking the event handler when a CREATE is performed simplifies the entire pty design, because we could immediately construct the pty structure. The pts code also suffers from this bug. A simple stat() on /dev/ptmx causes a pts to be created.

- Both the pty and pts source contain some small checks to make sure you can't open ptys from other jails. A downside of this approach is that you can see all the system's ptys in /dev. This is thus a small information leak. A nicer implementation that would even be more generic would be to add a flag to cdevsw's d_flags called D_PRISONOWNED. When this flag is set, lookup() and readdir() calls inside a jail don't return objects that don't have the same prison as the caller. open() should have a small check to disallow access outside the jail and when not root. PRIV_TTY_PRISON could then be renamed to PRIV_DEVFS_PRISON. When the D_PRISONOWNED flag is unset, make_dev_credv() should make sure cr_prison inside cdev's si_cred is unset to prevent prison leaks.

When both changes are implemented, the pty/pts code itself could be changed to be a lot simpler.

I would love to send in the patches, but I would first like to hear your opinions on this subject. Are my findings correct? If not, why?

--
Ed Schouten
WWW: http://g-rave.nl/
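The D_PRISONOWNED rules sketched in the mail (readdir/lookup filtering by prison, an open() check with a root privilege override, and make_dev_credv() dropping the prison reference when the flag is unset), as an added user-space model that is not FreeBSD code and not the author's patch; the struct and function names, the flag value, and the sample jails and nodes are all assumed for illustration.

```c
/* Added model (not FreeBSD code) of the D_PRISONOWNED rules proposed in the
 * mail; struct and function names are hypothetical stand-ins for cdev/ucred. */
#include <stdbool.h>
#include <string.h>
#define D_PRISONOWNED 0x1   /* hypothetical d_flags bit from the proposal */
struct prison { int id; };
struct ucred  { struct prison *cr_prison; bool is_root; };
struct cdev   { const char *name; int d_flags; struct ucred si_cred; };
/* make_dev_credv() rule: a node that is not prison-owned keeps no prison
 * reference in si_cred, so it cannot leak or pin the creating jail. */
static struct cdev model_make_dev(const char *name, int flags, struct ucred cr) {
    if (!(flags & D_PRISONOWNED)) cr.cr_prison = NULL;
    return (struct cdev){ name, flags, cr };
}
/* lookup()/readdir() rule: inside a jail, prison-owned nodes of other prisons
 * are hidden; a caller outside any jail (cr_prison == NULL) still sees all. */
static bool model_visible(const struct cdev *d, const struct ucred *c) {
    if (c->cr_prison == NULL || !(d->d_flags & D_PRISONOWNED)) return true;
    return d->si_cred.cr_prison == c->cr_prison;
}
/* open() rule: cross-prison access is denied unless the caller holds the
 * PRIV_DEVFS_PRISON-style privilege, modelled here as unjailed root. */
static bool model_can_open(const struct cdev *d, const struct ucred *c) {
    if (!(d->d_flags & D_PRISONOWNED) || d->si_cred.cr_prison == c->cr_prison) return true;
    return c->is_root && c->cr_prison == NULL;
}
/* Constructed sample: two jails and three nodes (jail_id 0 means "not jailed"). */
static struct prison jails[2] = { { 1 }, { 2 } };
static struct ucred cred_for(int jail_id, bool root) {
    return (struct ucred){ jail_id ? &jails[jail_id - 1] : NULL, root };
}
static void sample_devs(struct cdev d[3]) {
    d[0] = model_make_dev("ptyp0", D_PRISONOWNED, cred_for(1, false));
    d[1] = model_make_dev("ptyp1", D_PRISONOWNED, cred_for(2, false));
    d[2] = model_make_dev("ptmx", 0, cred_for(1, false)); /* prison ref dropped */
}
/* Number of sample nodes a caller's readdir() of /dev would return. */
int sample_readdir_count(int jail_id, bool root) {
    struct cdev d[3]; sample_devs(d); struct ucred c = cred_for(jail_id, root); int k = 0;
    for (int i = 0; i < 3; i++) k += model_visible(&d[i], &c);
    return k;
}
/* Whether open() of the named sample node succeeds for that caller. */
bool sample_can_open(const char *name, int jail_id, bool root) {
    struct cdev d[3]; sample_devs(d); struct ucred c = cred_for(jail_id, root);
    for (int i = 0; i < 3; i++)
        if (strcmp(d[i].name, name) == 0) return model_can_open(&d[i], &c);
    return false;
}
```

Note that under these rules an unjailed non-root user still sees a jail's pty in /dev but cannot open it, which is the distinction between the readdir filter and the open() check in the proposal.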