author | Philip Guenthe <guenther@cvs.openbsd.org> | 2012-08-23 00:08:37 +0000 |
committer | Philip Guenthe <guenther@cvs.openbsd.org> | 2012-08-23 00:08:37 +0000 |
commit | 0f00c9bf52870a9dbcbd3d7fcc0b9c42b7b8598e (patch) | |
tree | 099f2772294f68fa662748353f8106b5ef3d07c9 /bin | |
parent | 1f26125669866612ffdb6de97081736444827832 (diff) |
Reopen the systrace file in the process that will actually attach to the
target process(es), so that systrace files can be made unsharable.
ok djm@
Diffstat (limited to 'bin')
-rw-r--r-- | bin/systrace/intercept.c | 18 | ||||
-rw-r--r-- | bin/systrace/intercept.h | 4 | ||||
-rw-r--r-- | bin/systrace/systrace.c | 6 |
3 files changed, 18 insertions, 10 deletions
diff --git a/bin/systrace/intercept.c b/bin/systrace/intercept.c
index 0c0ffe310ed..3dfb223b716 100644
--- a/bin/systrace/intercept.c
+++ b/bin/systrace/intercept.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: intercept.c,v 1.58 2011/10/18 20:01:28 matthew Exp $ */
+/* $OpenBSD: intercept.c,v 1.59 2012/08/23 00:08:36 guenther Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -266,7 +266,7 @@ intercept_setpid(struct intercept_pid *icpid, uid_t uid, gid_t gid)
 }
 
 pid_t
-intercept_run(int bg, int fd, uid_t uid, gid_t gid,
+intercept_run(int bg, int *fdp, uid_t uid, gid_t gid,
     char *path, char *const argv[])
 {
 	struct intercept_pid *icpid;
@@ -285,6 +285,13 @@ intercept_run(int bg, int fd, uid_t uid, gid_t gid,
 	if (ohandler == SIG_ERR)
 		err(1, "signal");
 
+	/*
+	 * If systrace process will be the child then we must reopen
+	 * the fd in the child after the fork
+	 */
+	if (bg)
+		close(*fdp);
+
 	pid = getpid();
 	cpid = fork();
 	if (cpid == -1)
@@ -295,9 +302,6 @@ intercept_run(int bg, int fd, uid_t uid, gid_t gid,
 	 * the parent, or vice versa.
 	 */
 	if ((!bg && cpid == 0) || (bg && cpid != 0)) {
-		/* Needs to be closed */
-		close(fd);
-
 		if (bg) {
 			/* Wait for child to "detach" */
 			cpid = wait(&status);
@@ -366,6 +370,10 @@ intercept_run(int bg, int fd, uid_t uid, gid_t gid,
 			kill(pid, SIGKILL);
 			err(1, "daemon");
 		}
+		if ((*fdp = intercept_open()) == -1) {
+			kill(pid, SIGKILL);
+			err(1, "intercept_open");
+		}
 	}
 
 	return (pid);
diff --git a/bin/systrace/intercept.h b/bin/systrace/intercept.h
index 9a2f23b50ed..9ae38689f65 100644
--- a/bin/systrace/intercept.h
+++ b/bin/systrace/intercept.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: intercept.h,v 1.25 2011/09/18 23:24:14 matthew Exp $ */
+/* $OpenBSD: intercept.h,v 1.26 2012/08/23 00:08:36 guenther Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
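Review bot: In the `@@ -285` hunk the descriptor number in `*fdp` survives the `close(*fdp)`, so until the reopen in the `@@ -366` hunk both the parent and the child carry a stale descriptor value that any intervening open() in that process could silently reuse; clearing it, `if (bg) { close(*fdp); *fdp = -1; }`, makes an accidental use fail with EBADF instead. The new in/out contract of the `fdp` parameter introduced in the `@@ -266` hunk is also undocumented; a comment above the signature along the lines of `/* fdp: in/out. In background mode the caller's descriptor is closed before fork() and reopened after daemon() in the tracing child. */` would record it. intercept_run continues outside these hunks.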
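Review bot: Dropping `close(fd)` from the target-process branch in the `@@ -295` hunk means that in foreground mode (`!bg`, the child) the traced program now inherits the tracer's systrace descriptor across the exec, which the old code explicitly prevented; in background mode the `@@ -285` hunk already closed it before fork(), so only the `!bg` path changes behaviour. Unless intercept_open() opens the device close-on-exec or the kernel now refuses to share it (the commit message reads as if that is planned rather than present), keep `if (!bg) close(*fdp);` at the start of that branch so the sandboxed process never holds a handle to its own policy device. The enclosing if-block continues outside the hunk.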
@@ -143,7 +143,7 @@ struct intercept_replace {
 TAILQ_HEAD(intercept_tlq, intercept_translate);
 
 int intercept_init(void);
-pid_t intercept_run(int, int, uid_t, gid_t, char *, char * const *);
+pid_t intercept_run(int, int *, uid_t, gid_t, char *, char * const *);
 int intercept_open(void);
 int intercept_attach(int, pid_t);
 int intercept_attachpid(int, pid_t, char *);
diff --git a/bin/systrace/systrace.c b/bin/systrace/systrace.c
index 0c998e125ee..2395e04b07a 100644
--- a/bin/systrace/systrace.c
+++ b/bin/systrace/systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.c,v 1.56 2007/11/26 09:28:33 martynas Exp $ */
+/* $OpenBSD: systrace.c,v 1.57 2012/08/23 00:08:36 guenther Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -762,10 +762,10 @@ main(int argc, char **argv)
 	args[i] = NULL;
 
 	if (setcredentials)
-		trpid = intercept_run(background, trfd,
+		trpid = intercept_run(background, &trfd,
 		    cr_uid, cr_gid, args[0], args);
 	else
-		trpid = intercept_run(background, trfd, 0, 0,
+		trpid = intercept_run(background, &trfd, 0, 0,
 		    args[0], args);
 	if (trpid == -1)
 		err(1, "fork");
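Review bot: The `int *` parameter in the changed `intercept_run` prototype carries a non-obvious in/out contract that the header does not describe; a one-line comment above the declaration such as `/* fdp: in/out; in background mode the descriptor is closed before fork() and reopened in the tracing child after daemon() */` would tell callers that the value they passed may no longer be valid in the process that returns. The systrace.c caller in the `@@ -762` hunk passes `&trfd` without such a note, and main() continues outside that hunk.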