Age | Commit message | Author
the same semantics as NetBSD anyway, so it's good to avoid name collisions.
- Always fdremove before freeing the file, not the other way around.
- falloc FREFs the file.
- have FILE_SET_MATURE FRELE the file (It feels like a good orthogonality to
falloc FREFing the file).
- Use closef as much as possible instead of ffree in error paths of
falloc:ing functions. closef is much more careful with the fd and can
deal with the fd being forcibly closed by dup2. Also try to avoid
manually calling *fo_close when closef can do that for us (this makes
some error paths more complicated (sys_socketpair and sys_pipe), but
others become simpler (sys_open)).
and procfs (and possibly more places in the future) and simply refuse to
fiddle with the execing process. This is an ugly hack, but this far we
haven't been successful in creating a race-free exec.
machines or some configurations or in some phase of the moon (we actually
don't know when or why) files disappeared. Since we've not been able to
track down the problem in two weeks intense debugging and we need -current
to be stable, back out everything to a state it had before UBC.
We apologise for the inconvenience.
code is written mostly by Chuck Silvers <chuq@chuq.com>/<chs@netbsd.org>.
Tested for the past few weeks by many developers, should be in a pretty stable
state, but will require optimizations and additional cleanups.
(Look ma, I might have broken the tree)
any anyone. Every caller of falloc matures the fd when it's usable.
- Since every lookup in the fd table must now check this flag and all of
them do the same thing, move all the necessary checks into a function -
fd_getfile.
not int. Shouldn't affect any archs except sparc64 (now one step closer to a working userland).
it slightly harder to write generic buffer overflows. This doesn't really
give any real security, but it raises the bar for script-kiddies and it's
really cheap.
The range of the random offsets is controlled by the sysctl
kern.stackgap_random (must be a power of 2).
This is disabled by default right now, but we'll set it to a reasonable value
(1024?) soon, after some more testing.
Add proc_cansugid that checks if a process may raise its privileges.
Rework exec to remove the old sugid workaround and check proc_cansugid
just before raising privileges.
Remove the ugly hack added in last revision.
To keep a ptrace(2)d process from doing an exec of a suid binary
we strip off the suid bits from the executable if the process is traced.
Later we set P_SUGID{,EXEC} in the process flags, which stops further ptrace
attempts.
The problem is that between the stripping of suid bits and setting
P_SUGID{,EXEC} there is a pretty large window where the process can sleep
and other processes can attach to it with ptrace.
This is a quick fix for that. We set P_SUGID{,EXEC} early and take care to
remove them (we don't want the process to become tainted unnecessarily) if
exec fails.
XXX - exec needs a lot more work, but people are asking for a solution now.
Correctly initialize the vmcmds in linux_exec.
to 8.
At the same time it seemed like a good idea to avoid to always malloc a
new vmcmd array, so put the default sized array into struct exec_vmcmd_set.
We might want to make a linked list of vmcmd arrays or exec_vmcmd_sets instead
of reallocating them some time in the future, but right now this seems like a
waste of time.
okay art@, millert@
traced proc. The vnode is in the proc and all functions need the proc.
don't do it by doing namei on /dev/null.
The vnode for the executed file is locked and we had a race where other
processes could lock the parent directories up to the root. When the
executing process did the lookup on /dev/null it could deadlock on the
root vnode while still holding the lock on the executed vnode.
Also, it's a really bad idea to depend on a certain filesystem layout inside
the kernel. Now we get the null device vnode by cdevvp(getnulldev(), ...
Thanks to Martin Portmann <map@infinitum.ch> for providing the (large)
ktrace that allowed me to track this down.
Fixes 1369.
in a correct way. Use it in all places where the vnode was changed.
(most of the earlier code was incorrect and had races).
open for write on procfs, close it (and, thus, open a /dev/null instead);
problem reported by nergal@idea.avet.com.pl, fix by me, thanks for help
from millert
sure that the fd_freefile hints stay in sync, otherwise free file
descriptors might not be overlooked by fdalloc(); ok millert@
Original work done in FreeBSD, but this code was ported from NetBSD by
Chuck Cranor.
Call uvmspace_exec instead of manually cleaning up.
vn_close will not decrease v_writecount for the vnode causing panics
(size_t) and don't return EINVAL if it is < 0 in sys_{read,write}. Remove the check for uio_resid < 0 in uiomove() now that uio_resid is unsigned and bracket the remaining panics with #ifdef DIAGNOSTIC. vn_rdwr() must now take a size_t * as its 9th argument, so change that and clean up uses of vn_rdwr(). Fixes 549 + more
/dev/null -- future patch will use a dead vnode of some sort) to prevent
reuse (ie. new allocations) of these fd which libc makes many assumptions
about; problem noted by James Youngman