authorPhilip Guenthe <guenther@cvs.openbsd.org>2012-08-23 00:08:37 +0000
committerPhilip Guenthe <guenther@cvs.openbsd.org>2012-08-23 00:08:37 +0000
commit0f00c9bf52870a9dbcbd3d7fcc0b9c42b7b8598e (patch)
tree099f2772294f68fa662748353f8106b5ef3d07c9 /bin/systrace/intercept.c
parent1f26125669866612ffdb6de97081736444827832 (diff)
Reopen the systrace file in the process that will actually attach to the
target process(es), so that systrace files can be made unsharable. ok djm@
Diffstat (limited to 'bin/systrace/intercept.c')
-rw-r--r--bin/systrace/intercept.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/bin/systrace/intercept.c b/bin/systrace/intercept.c
index 0c0ffe310ed..3dfb223b716 100644
--- a/bin/systrace/intercept.c
+++ b/bin/systrace/intercept.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: intercept.c,v 1.58 2011/10/18 20:01:28 matthew Exp $ */
+/* $OpenBSD: intercept.c,v 1.59 2012/08/23 00:08:36 guenther Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -266,7 +266,7 @@ intercept_setpid(struct intercept_pid *icpid, uid_t uid, gid_t gid)
}
pid_t
-intercept_run(int bg, int fd, uid_t uid, gid_t gid,
+intercept_run(int bg, int *fdp, uid_t uid, gid_t gid,
char *path, char *const argv[])
{
struct intercept_pid *icpid;
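Review bot: `fdp` is now an in/out parameter, but nothing at the definition of `intercept_run` documents that. With `bg` set, the function closes `*fdp` before the fork and stores a newly opened descriptor in it before returning, so any copy of the old value the caller kept is dead. A short comment above the function would make the contract explicit, for example `/* With bg set, *fdp is closed and replaced by a freshly opened descriptor; callers must re-read it on return. */`. The function body continues outside this hunk.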
@@ -285,6 +285,13 @@ intercept_run(int bg, int fd, uid_t uid, gid_t gid,
if (ohandler == SIG_ERR)
err(1, "signal");
+ /*
+ * If systrace process will be the child then we must reopen
+ * the fd in the child after the fork
+ */
+ if (bg)
+ close(*fdp);
+
pid = getpid();
cpid = fork();
if (cpid == -1)
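Review bot: After `close(*fdp)` the caller's variable still holds the old descriptor number, and the `fork()` failure check just below is reached with it in that state. A caller that cleans up or retries after that failure would act on a descriptor that is closed, or that has since been reused for something else. Writing `*fdp = -1;` straight after the close keeps the stale number from being used anywhere between here and the reopen in the last hunk. The return value of `close()` is also ignored, which is worth a deliberate `(void)` cast or a check.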
@@ -295,9 +302,6 @@ intercept_run(int bg, int fd, uid_t uid, gid_t gid,
* the parent, or vice versa.
*/
if ((!bg && cpid == 0) || (bg && cpid != 0)) {
- /* Needs to be closed */
- close(fd);
-
if (bg) {
/* Wait for child to "detach" */
cpid = wait(&status);
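Review bot: In the foreground case (`!bg`) nothing closes the systrace descriptor any more in the process that takes this branch. The removed `close(fd)` ran for both modes, while its replacement before `fork()` is guarded by `if (bg)`. By the branch comment this is the process that is not the monitor, so unless the descriptor is opened close-on-exec (not visible in this diff), the program being confined would inherit an open handle to the monitoring device. Keeping the close for that mode, `if (!bg) close(*fdp);` at the top of the branch, preserves the old behaviour. The rest of the branch lies outside the hunk.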
@@ -366,6 +370,10 @@ intercept_run(int bg, int fd, uid_t uid, gid_t gid,
kill(pid, SIGKILL);
err(1, "daemon");
}
+ if ((*fdp = intercept_open()) == -1) {
+ kill(pid, SIGKILL);
+ err(1, "intercept_open");
+ }
}
return (pid);