Age | Commit message (Collapse) | Author |
|
|
|
Close PR 3262
|
|
The first one is an mquery(2) syscall. It's for asking the VM system
about where to map things. It will be used by ld.so, read the man page
for details.
The second change is related and is a centralization of uvm_map hint
that all callers of uvm_map calculated. This will allow us to adjust
this hint on architectures that have segments for non-exec mappings.
deraadt@ drahn@ ok.
|
|
man page. Instead of just clearing P_SUGIDEXEC if real and effective
uids/gids matched, we now set P_SUGIDEXEC if there is a mismatch in
the real, effective, or saved uid/gid and clear it otherwise.
deraadt@ and tholo@ OK.
|
|
|
|
|
|
|
|
|
|
You mark one section with VMCMD_BASE and the rest are marked RELATIVE.
Use that to load ELF interpreter correctly in all cases.
Inspired by NetBSD. Great debugging help from drahn@
deraadt@ ok
|
|
the time.
This could lead to problems when a process wants to do an exec on the same
vnode it's being run from and needs to copy in arguments from an uncached
page in the data segment. When that happens uvm detects a vnode deadlock
and returns an error causing execve() return EFAULT.
This fixes the regress test in regress/sys/kern/exec_self
Also, initialize scriptvp early in exec_script because it could be
used uninitialized in a failure case.
|
|
|
|
an uvm aobj, copy out the signal trampoline into it and share that page
among all processes for the same emulation.
This also requires us to actually be able to tell signal code where the
trampoline is located, so introduce a new field in struct proc - p_sigcode
that is a pointer to sigcode. This allows us to remove all the ugly
calculations of the signal trampoline address done in every sendsig
function in the tree (that's why so many files are changed).
Tested by various people. ok deraadt@
|
|
/dev/null to fd's 0-2 for a setuid program; deraadt@ and art@ OK
|
|
|
|
|
|
the same semantics as NetBSD anyway, so it's good to avoid name collissions.
- Always fdremove before freeing the file, not the other way around.
- falloc FREFs the file.
- have FILE_SET_MATURE FRELE the file (It feels like a good ortogonality to
falloc FREFing the file).
- Use closef as much as possible instead of ffree in error paths of
falloc:ing functions. closef is much more careful with the fd and can
deal with the fd being forcibly closed by dup2. Also try to avoid
manually calling *fo_close when closef can do that for us (this makes
some error paths mroe complicated (sys_socketpair and sys_pipe), but
others become simpler (sys_open)).
|
|
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.
|
|
machines or some configurations or in some phase of the moon (we actually
don't know when or why) files disappeared. Since we've not been able to
track down the problem in two weeks intense debugging and we need -current
to be stable, back out everything to a state it had before UBC.
We apologise for the inconvenience.
|
|
code is written mostly by Chuck Silvers <chuq@chuq.com>/<chs@netbsd.org>.
Tested for the past few weeks by many developers, should be in a pretty stable
state, but will require optimizations and additional cleanups.
|
|
|
|
(Look ma, I might have broken the tree)
|
|
any anyone. Every caller of falloc matures the fd when it's usable.
- Since every lookup in the fd table must now check this flag and all of
them do the same thing, move all the necessary checks into a function -
fd_getfile.
|
|
|
|
not int. Shouldn't affect any archs except sparc64 (now one step closer to a working userland).
|
|
it slightly harder to write generic buffer overflows. This doesn't really
give any real security, but it raises the bar for script-kiddies and it's
really cheap.
The range of the random offsets is controlled by the sysctl
kern.stackgap_random (must be a power of 2).
This is disabled by default right now, but we'll set it to a reasonable value
(1024?) soon, after some more testing.
|
|
|
|
Add proc_cansugid that checks if a process may raise it's privileges.
Rework exec to remove the old sugid workaround and check proc_cansugid
just before raising privileges.
|
|
|
|
|
|
Remove the ugly hack added in last revision.
|
|
To avoid having a ptrace(2)d process from doing an exec of a suid binary
we strip off the suid bits from the executable if the process is traced.
Later we P_SUGID{,EXEC} in the process flags that stops further ptrace
attempts.
The problem is that between the stripping of suid bits and setting
P_SUGID{,EXEC} there is a pretty large window where the process can sleep
and other processes can attach to it with ptrace.
This is a quick fix for that. We set P_SUGID{,EXEC} early and take care to
remove them (we don't want the process to become tainted unnecessarily) if
exec fails.
XXX - exec needs a lot more work, but people are asking for a solution now.
|
|
Correctly initialize the vmcmds in linux_exec.
|
|
to 8.
At the same time it seemed like a good idea to avoid to always malloc a
new vmcmd array, so put the default sized array into struct exec_vmcmd_set.
We might want to make a linked list of vmcmd arrays or exec_vmcmd_sets instead
of reallocating them some time in the future, but right now this seems like a
waste of time.
|
|
okay art@, millert@
|
|
traced proc. The vnode is in the proc and all functions need the proc.
|
|
don't do it by doing namei on /dev/null.
The vnode for the executed file is locked and we had a race where other
processes could lock the parent directories up to the root. When the
executing process did the lookup on /dev/null it could deadlock on the
root vnode while still holding the lock on the executed vnode.
Also, it's really bad idea to depend on certain filesystem layout inside
the kernel. Now we get the null device vnode by cdevvp(getnulldev(), ...
Thanks to Matrin Portmann <map@infinitum.ch> for providing the (large)
ktrace that allowed me to track this down.
Fixes 1369.
|
|
|
|
in a correct way. Use it in all places where the vnode was changed.
(most of the earlier code was incorrect and had races).
|
|
|
|
|
|
|
|
|
|
|
|
open for write on procfs, close it (and, thus, open a /dev/null instead);
problem reported by nergal@idea.avet.com.pl, fix by me, thanks for help
from millert
|
|
|
|
|
|
|
|
|
|
|
|
sure that the fd_freefile hints stay in sync, otherwise free file
descriptors might not be overlooked by fdalloc(); ok millert@
|