From owner-svn-src-user@FreeBSD.ORG  Thu Mar  5 20:45:59 2015
Return-Path: <owner-svn-src-user@FreeBSD.ORG>
Delivered-To: svn-src-user@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id D7DADD16;
 Thu,  5 Mar 2015 20:45:58 +0000 (UTC)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com
 [IPv6:2a00:1450:400c:c05::229])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 768716CF;
 Thu,  5 Mar 2015 20:45:58 +0000 (UTC)
Received: by wivr20 with SMTP id r20so9781128wiv.3;
 Thu, 05 Mar 2015 12:45:56 -0800 (PST)
X-Received: by 10.180.149.206 with SMTP id uc14mr69297830wib.57.1425588356845; 
 Thu, 05 Mar 2015 12:45:56 -0800 (PST)
Received: from dft-labs.eu (n1x0n-1-pt.tunnel.tserv5.lon1.ipv6.he.net.
 [2001:470:1f08:1f7::2])
 by mx.google.com with ESMTPSA id u6sm13179930wix.12.2015.03.05.12.45.54
 (version=TLSv1.2 cipher=RC4-SHA bits=128/128);
 Thu, 05 Mar 2015 12:45:55 -0800 (PST)
Date: Thu, 5 Mar 2015 21:45:52 +0100
From: Mateusz Guzik <mjguzik@gmail.com>
To: Chagin Dmitry <dchagin@freebsd.org>
Subject: Re: svn commit: r279335 - in user/dchagin/lemul/sys:
 compat/linprocfs fs/procfs fs/pseudofs modules/procfs
Message-ID: <20150305204552.GC11164@dft-labs.eu>
References: <201502262130.t1QLUfwf027872@svn.freebsd.org>
 <20150226220342.GC3799@dft-labs.eu>
 <20150227195329.GA7995@dchagin.static.corbina.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20150227195329.GA7995@dchagin.static.corbina.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: src-committers@freebsd.org, svn-src-user@freebsd.org
X-BeenThere: svn-src-user@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "SVN commit messages for the experimental &quot; user&quot;
 src tree" <svn-src-user.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-user>,
 <mailto:svn-src-user-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-user/>
List-Post: <mailto:svn-src-user@freebsd.org>
List-Help: <mailto:svn-src-user-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-user>,
 <mailto:svn-src-user-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 20:45:59 -0000

On Fri, Feb 27, 2015 at 10:53:29PM +0300, Chagin Dmitry wrote:
> On Thu, Feb 26, 2015 at 11:03:42PM +0100, Mateusz Guzik wrote:
> > On Thu, Feb 26, 2015 at 09:30:41PM +0000, Dmitry Chagin wrote:
> > > +int
> > > +procfs_dofdlink(PFS_FILL_ARGS)
> > > +{
> > > +	char *fullpath, *freepath, *endfileno;
> > > +	struct filedesc *fdp;
> > > +	struct vnode *vp;
> > > +	struct file *fp;
> > > +	int fileno, error;
> > > +
> > > +	if (vnode_name == NULL)
> > > +		return (ENOENT);
> > > +
> > > +	fileno = (int)strtol(vnode_name, &endfileno, 10);
> > > +	if (fileno == 0 && (vnode_namelen > 1 ||
> > > +	    (vnode_namelen == 1 && vnode_name[0] != '0')))
> > > +		return (ENOENT);
> > > +	if (vnode_namelen != endfileno - vnode_name)
> > > +		return (ENOENT);
> > > +
> > > +	fdp = fdhold(p);
> > > +	if (fdp == NULL)
> > > +		return (ENOENT);
> > > +
> > > +	error = fget_unlocked(fdp, fileno, NULL, &fp, NULL);
> > > +	if (error != 0)
> > > +		goto out;
> > > +
> > > +	freepath = NULL;
> > > +	fullpath = "-";
> > > +	vp = fp->f_vnode;
> > > +	if (vp != NULL) {
> > > +		vref(vp);
> > > +		error = vn_fullpath(td, vp, &fullpath, &freepath);
> > > +		vrele(vp);
> > > +	}
> > > +	if (error == 0)
> > > +		error = sbuf_printf(sb, "%s", fullpath);
> > > +	if (freepath != NULL)
> > > +		free(freepath, M_TEMP);
> > > +	fdrop(fp, td);
> > > +
> > > + out:
> > > +	fddrop(fdp);
> > > +	return (error);
> > > +}
> > >
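Review bot: The lookup `error = fget_unlocked(fdp, fileno, NULL, &fp, NULL);` runs against another process's descriptor table with nothing more than `fdp = fdhold(p);` protecting it. fdhold only keeps the struct filedesc itself from being freed; the table contents can still be torn down or replaced under the reader once the owner drops its last reference or execs, so the fd-to-file translation here is racy. As the thread suggests, lock the table and check fd_refcnt before the lookup, following what kern_proc_filedesc_out does, and note that even a consistent snapshot is stale if the target can execve a setuid image between the readlink permission check and the fill. A smaller point on the name parsing: strtol accepts leading whitespace and a sign, and the `vnode_namelen != endfileno - vnode_name` check only rejects trailing garbage, so names like "+3" or " 3" resolve to descriptor 3; a digits-only scan (or rejecting any name whose first character is not a digit) would make the accepted set match the directory entries actually listed.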
> > 
> > 
> > fdhold does not protect file descriptor table, it only makes sure struct
> > filedesc itself is not freed.
> > 
> > Here you need to lock it and inspect fd_refcnt. See e.g.
> > kern_proc_filedesc_out.
> > 
> pfs_readlink does a PHOLD and PRELE around calling the fill method, is
> this not enough?
> 

This does not prevent execve, so you can dump data for a now-privileged
process.

> > While this guarantees data consistency, it is in fact still incorrect since
> > the process you are inspecting can exec setuid in the meantime and thus
> > make security checks (if any are performed) stale.
> > 
> > I have an old WIP patch which provides appropriate interfaces to ensure
> > stability of the process (no exit, no exec), but this needs additional
> > changes. Hopefully I'll have the time to deal with it in March.
> ok, let me see the patch, pls.

http://people.freebsd.org/~mjg/patches/sx-imagelock.patch

AFAIR there was a LOR which needs to be resolved. Something in devfs was
taking the proctree or allproc lock, which could be avoided.

I don't remember the details, maybe I'll work on this this month.

Feel free to debug it yourself. :)

-- 
Mateusz Guzik <mjguzik gmail.com>