Age | Commit message | Author

take interp[MAXPATHLEN] off the stack. from mickey, ok otto
while here, switch above from malloc to pool, remove stupid casts
tedu@ miod@ ok
setuid-script and are attempting to dup is the specific setuid-script
fd via such a pathname; ok tedu pedro millert
uses rfork(RFTHREAD) to create threads, which are presently processes
that are a little more tightly bound together. several new syscalls
added to facilitate a userland thread library.
all conditional on RTHREADS, currently disabled.
ok deraadt
'go for it' deraadt@
- Don't copy the pathbuf into kernel space unless we're systracing.
deraadt@ ok
fixes resource accounting in a mmap malloc world
ok "too busy but looks right" tedu, tdeval
ok deraadt@ mickey@ millert@
deraadt@ ok
the argv[0] would be normalized, and hence break scripts
that depend on how they were called.
this fixes an issue in the ports builds.
ok provos@ deraadt@; lots of testing during hackathon sturm@ naddy@
- add an exec message so that whenever a set-uid/gid process
exec's a new image which we may control, the exec does not
go by unnoticed.
- take special care to check for P_SUGIDEXEC as well as
P_SUGID, corresponding to the same changes that were made in
the ptrace code a while ago
ok niels@, sturm@; thanks to naddy for testing
ok deraadt@ millert@
had previously increased the reference count. Should not happen, but...
From dhartmei@; ok deraadt@
from Patrick Latifi <patrick.l@hermes.usherb.ca>
ok jason@ tedu@
add e_flags to struct emul. this stores on/off and native flags.
check for emul enabled in check_exec(). gather all the emuls into a
emulsw so a sysctl can find them. create sysctl. move maxhdrsiz calculation
into init_main so it cleans up sys_execve codepath. teach sysctl utility
to grok kern.emul hierarchy.
requested and ok deraadt@ some comments from mickey@
use them to correctly emulate linux brk.
update to TNF copyright in linux_exec.c.
from netbsd, mostly from a diff by Kurt Miller in pr3318.
this should fix java. no regressions in testing by kurt and sturm@.
be prepared for "proc size mismatch" -- recompile ps and friends.
ok deraadt@
Close PR 3262
The first one is an mquery(2) syscall. It's for asking the VM system
about where to map things. It will be used by ld.so, read the man page
for details.
The second change is related and is a centralization of uvm_map hint
that all callers of uvm_map calculated. This will allow us to adjust
this hint on architectures that have segments for non-exec mappings.
deraadt@ drahn@ ok.
man page. Instead of just clearing P_SUGIDEXEC if real and effective
uids/gids matched, we now set P_SUGIDEXEC if there is a mismatch in
the real, effective, or saved uid/gid and clear it otherwise.
deraadt@ and tholo@ OK.
You mark one section with VMCMD_BASE and the rest are marked RELATIVE.
Use that to load ELF interpreter correctly in all cases.
Inspired by NetBSD. Great debugging help from drahn@
deraadt@ ok
the time.
This could lead to problems when a process wants to do an exec on the same
vnode it's being run from and needs to copy in arguments from an uncached
page in the data segment. When that happens uvm detects a vnode deadlock
and returns an error causing execve() to return EFAULT.
This fixes the regress test in regress/sys/kern/exec_self
Also, initialize scriptvp early in exec_script because it could be
used uninitialized in a failure case.
an uvm aobj, copy out the signal trampoline into it and share that page
among all processes for the same emulation.
This also requires us to actually be able to tell signal code where the
trampoline is located, so introduce a new field in struct proc - p_sigcode
that is a pointer to sigcode. This allows us to remove all the ugly
calculations of the signal trampoline address done in every sendsig
function in the tree (that's why so many files are changed).
Tested by various people. ok deraadt@
/dev/null to fd's 0-2 for a setuid program; deraadt@ and art@ OK
the same semantics as NetBSD anyway, so it's good to avoid name collisions.
- Always fdremove before freeing the file, not the other way around.
- falloc FREFs the file.
- have FILE_SET_MATURE FRELE the file (It feels like a good orthogonality to
falloc FREFing the file).
- Use closef as much as possible instead of ffree in error paths of
falloc:ing functions. closef is much more careful with the fd and can
deal with the fd being forcibly closed by dup2. Also try to avoid
manually calling *fo_close when closef can do that for us (this makes
some error paths more complicated (sys_socketpair and sys_pipe), but
others become simpler (sys_open)).
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.
machines or some configurations or in some phase of the moon (we actually
don't know when or why) files disappeared. Since we've not been able to
track down the problem in two weeks intense debugging and we need -current
to be stable, back out everything to a state it had before UBC.
We apologise for the inconvenience.
code is written mostly by Chuck Silvers <chuq@chuq.com>/<chs@netbsd.org>.
Tested for the past few weeks by many developers, should be in a pretty stable
state, but will require optimizations and additional cleanups.
(Look ma, I might have broken the tree)
any anyone. Every caller of falloc matures the fd when it's usable.
- Since every lookup in the fd table must now check this flag and all of
them do the same thing, move all the necessary checks into a function -
fd_getfile.
not int. Shouldn't affect any archs except sparc64 (now one step closer to a working userland).
it slightly harder to write generic buffer overflows. This doesn't really
give any real security, but it raises the bar for script-kiddies and it's
really cheap.
The range of the random offsets is controlled by the sysctl
kern.stackgap_random (must be a power of 2).
This is disabled by default right now, but we'll set it to a reasonable value
(1024?) soon, after some more testing.
Add proc_cansugid that checks if a process may raise its privileges.
Rework exec to remove the old sugid workaround and check proc_cansugid
just before raising privileges.
Remove the ugly hack added in last revision.