Date: Thu, 24 Jun 2021 18:15:48 GMT From: Mariusz Zaborski <oshogbo@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 6ba108e52d17 - main - rc.subr: use _pidcmd to determine pid for protect Message-ID: <202106241815.15OIFmVm026415@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by oshogbo: URL: https://cgit.FreeBSD.org/src/commit/?id=6ba108e52d175b6833437c8627ae5d0546a4e102 commit 6ba108e52d175b6833437c8627ae5d0546a4e102 Author: Mariusz Zaborski <oshogbo@FreeBSD.org> AuthorDate: 2021-06-24 18:14:31 +0000 Commit: Mariusz Zaborski <oshogbo@FreeBSD.org> CommitDate: 2021-06-24 18:14:31 +0000 rc.subr: use _pidcmd to determine pid for protect This is a more reliable method that accounts for existing pidfiles, procname and interpreter settings. Current method of obtaining the pid for oomprotect="YES"|"ALL" processes in certain cases fails to find a unique pid. One such case are rc.d scripts defining command as: command="daemon" which results in all processes started via daemon being selected and passed to protect(1) which fails and prints usage: $ /etc/rc.d/exampled restart Stopping exampled. Starting exampled. usage: protect [-i] command protect [-cdi] -g pgrp | -p pid Running the same with -x reveals what happens: + pid='3051 4268 4390 4421 4427 4470 4588 4733 4740 4870 4949 4954 4979 5835 5866 55487 55583 56525 57643 57789 57882 58072 58167 99419' + /usr/bin/protect -p 3051 4268 4390 4421 4427 4470 4588 4733 4740 4870 4949 4954 4979 5835 5866 55487 55583 56525 57643 57789 57882 58072 58167 99419 usage: protect [-i] command protect [-cdi] -g pgrp | -p pid We have a more reliable way of obtaining pid already defined in rc.subr and available when protect(1) needs it. We can simply `eval $_pidcmd` which also invokes `check_process` but properly accounts for existing pidfile, procname and interpreter settings. With the change the pidfile is properly obtained. Submitted by: Adam Wolk <a.wolk at fudosecurity.com> Sponsored by: Fudo Security Differential Revision: https://reviews.freebsd.org/D30367 --- libexec/rc/rc.subr | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr index e859ae06962f..b027fa5facf4 100644 --- a/libexec/rc/rc.subr +++ b/libexec/rc/rc.subr @@ -1272,13 +1272,13 @@ $command $rc_flags $command_args" # We cannot use protect(1) inside jails. if [ -n "$_oomprotect" ] && [ -f "${PROTECT}" ] && [ "$(sysctl -n security.jail.jailed)" -eq 0 ]; then - pid=$(check_process $command) + [ -z "${rc_pid}" ] && eval $_pidcmd case $_oomprotect in [Aa][Ll][Ll]) - ${PROTECT} -i -p ${pid} + ${PROTECT} -i -p ${rc_pid} ;; [Yy][Ee][Ss]) - ${PROTECT} -p ${pid} + ${PROTECT} -p ${rc_pid} ;; esac fi
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202106241815.15OIFmVm026415>