From owner-svn-src-user@FreeBSD.ORG  Thu Mar  5 21:57:14 2015
Return-Path: <owner-svn-src-user@FreeBSD.ORG>
Delivered-To: svn-src-user@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id DC076C0A;
 Thu,  5 Mar 2015 21:57:13 +0000 (UTC)
Received: from dchagin.static.corbina.net (dchagin.static.corbina.ru
 [78.107.232.239])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "dchagin.static.corbina.net",
 Issuer "dchagin.static.corbina.net" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 73FBAE12;
 Thu,  5 Mar 2015 21:57:12 +0000 (UTC)
Received: from dchagin.static.corbina.net (localhost [127.0.0.1])
 by dchagin.static.corbina.net (8.14.9/8.14.9) with ESMTP id t25Lv9Ku004311
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Fri, 6 Mar 2015 00:57:10 +0300 (MSK)
 (envelope-from dchagin@dchagin.static.corbina.net)
Received: (from dchagin@localhost)
 by dchagin.static.corbina.net (8.14.9/8.14.9/Submit) id t25Lv90F004310;
 Fri, 6 Mar 2015 00:57:09 +0300 (MSK) (envelope-from dchagin)
Date: Fri, 6 Mar 2015 00:57:09 +0300
From: Chagin Dmitry <dchagin@freebsd.org>
To: Mateusz Guzik <mjguzik@gmail.com>
Subject: Re: svn commit: r279335 - in user/dchagin/lemul/sys:
 compat/linprocfs fs/procfs fs/pseudofs modules/procfs
Message-ID: <20150305215709.GA4287@dchagin.static.corbina.net>
References: <201502262130.t1QLUfwf027872@svn.freebsd.org>
 <20150226220342.GC3799@dft-labs.eu>
 <20150227195329.GA7995@dchagin.static.corbina.net>
 <20150305204552.GC11164@dft-labs.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20150305204552.GC11164@dft-labs.eu>
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: src-committers@freebsd.org, svn-src-user@freebsd.org
X-BeenThere: svn-src-user@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "SVN commit messages for the experimental &quot; user&quot;
 src tree" <svn-src-user.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-user>,
 <mailto:svn-src-user-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-user/>
List-Post: <mailto:svn-src-user@freebsd.org>
List-Help: <mailto:svn-src-user-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-user>,
 <mailto:svn-src-user-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 21:57:14 -0000

On Thu, Mar 05, 2015 at 09:45:52PM +0100, Mateusz Guzik wrote:
> On Fri, Feb 27, 2015 at 10:53:29PM +0300, Chagin Dmitry wrote:
> > On Thu, Feb 26, 2015 at 11:03:42PM +0100, Mateusz Guzik wrote:
> > > On Thu, Feb 26, 2015 at 09:30:41PM +0000, Dmitry Chagin wrote:
> > > > +int
> > > > +procfs_dofdlink(PFS_FILL_ARGS)
> > > > +{
> > > > +	char *fullpath, *freepath, *endfileno;
> > > > +	struct filedesc *fdp;
> > > > +	struct vnode *vp;
> > > > +	struct file *fp;
> > > > +	int fileno, error;
> > > > +
> > > > +	if (vnode_name == NULL)
> > > > +		return (ENOENT);
> > > > +
> > > > +	fileno = (int)strtol(vnode_name, &endfileno, 10);
> > > > +	if (fileno == 0 && (vnode_namelen > 1 ||
> > > > +	    (vnode_namelen == 1 && vnode_name[0] != '0')))
> > > > +		return (ENOENT);
> > > > +	if (vnode_namelen != endfileno - vnode_name)
> > > > +		return (ENOENT);
> > > > +
> > > > +	fdp = fdhold(p);
> > > > +	if (fdp == NULL)
> > > > +		return (ENOENT);
> > > > +
> > > > +	error = fget_unlocked(fdp, fileno, NULL, &fp, NULL);
> > > > +	if (error != 0)
> > > > +		goto out;
> > > > +
> > > > +	freepath = NULL;
> > > > +	fullpath = "-";
> > > > +	vp = fp->f_vnode;
> > > > +	if (vp != NULL) {
> > > > +		vref(vp);
> > > > +		error = vn_fullpath(td, vp, &fullpath, &freepath);
> > > > +		vrele(vp);
> > > > +	}
> > > > +	if (error == 0)
> > > > +		error = sbuf_printf(sb, "%s", fullpath);
> > > > +	if (freepath != NULL)
> > > > +		free(freepath, M_TEMP);
> > > > +	fdrop(fp, td);
> > > > +
> > > > + out:
> > > > +	fddrop(fdp);
> > > > +	return (error);
> > > > +}
> > > >
> > > 
> > > 
> > > fdhold does not protect file descriptor table, it only makes sure struct
> > > filedesc itself is not freed.
> > > 
> > > Here you need to lock it and inspect fd_refcnt. See e.g.
> > > kern_proc_filedesc_out.
> > > 
> > pfs_readlink does a PHOLD and PRELE around calling fill method, is
> > this not enought?
> > 
> 
> This does not prevent execve, so you can dump data for a now-privileged
> process.
hmm, I think I begin to understand. Thanks
> 
> > > While this guarantees data consistency, is in fact still incorrect since
> > > the process you are inspecing can exec  setuid in the meantime and thus
> > > make security checks (if any performed) stale.
> > > 
> > > I have an old WIP patch which provides appropriate interfaces to ensure
> > > stability of the process (no exit, no exec), but this needs additional
> > > changes. HOpefully i'll have the time to deal with it in March.
> > ok, give me see the patch, pls.
> 
> http://people.freebsd.org/~mjg/patches/sx-imagelock.patch
> 
modifying struct proc this way you break KBI 

> afair there was a lor which needs to be resolved. something in devfs was
> taking proctree or allproc lock, which could be avoided.
> 
> I don't remember the details, maybe i'll work on this this month.
> 
> Feel free to debug it yourslef. :)
> 
> -- 
> Mateusz Guzik <mjguzik gmail.com>

-- 
Have fun!
chd