sweep tree to correct NDIINT op and flags ahead of time. document
the requirement. This allows KERNELPATH to be used to bypass
unveil for crash dumps with nosuidcoredump=2 or 3
ok visa@ deraadt@ florian@
|
|
with a sleep between. Reorganize the code for a single check.
ok anton beck florian mpi
|
|
it from the pool.
ok bluhm visa
|
|
This makes it possible to enforce that sleeping priorities will now always be <
PUSER.
ok visa@, ratchov@
|
|
of resource limit structs has been done between processes. By applying
copy-on-write also between threads, threads can read rlimits in
a nearly lock-free manner.
Inspired by code in DragonFly BSD and FreeBSD.
OK mpi@, agreement from jmatthew@ and anton@
|
|
does not block the signal. If all threads block the signal, we
delivered it to the main thread. This does not conform to POSIX.
If any thread unblocks the signal, it should be delivered immediately
to this thread.
Mark such signals pending at the process instead of a single thread.
Then any thread can handle it later.
OK kettenis@ guenther@
|
|
it obviously needs to be called with the kernel lock held, so it
makes sense to check that so we can unlock more code without
introducing bugs that shoot us in the face in the indeterminate
future.
csignal is basically a wrapper around ptsignal, so calls to that
without the kernel lock should be caught by this too.
discussed with mpi@ on bugs@
|
|
ok cheloha deraadt
|
|
|
|
OK deraadt@ anton@
|
|
It centralizes IO signal privilege checking and makes it possible to revoke
a registration when the target process or process group is deleted.
Adapted from FreeBSD.
OK kettenis@ mpi@ guenther@
|
|
|
|
side effect pending signals specifically sent to the main thread
were handled by other threads. This made gcj in textproc/pdftk
port build stall.
Noticed and tested by espie@.
|
|
to the process, it is made pending at the main thread. There it
could hang forever. So also check the main thread for signal
delivery. This workaround fixes hung tests in posixtestsuite. The
proper solution would be to split pending signals for process and
threads.
input visa@; OK guenther@
|
|
instead of passing sendsig() the code+type+val, pass a siginfo_t*
to copy from. Eliminate the indirection through struct emul for
sendsig(); we no longer have a SunOS4-compat version of sendsig()
ok deraadt@
|
|
curproc that does the locking or unlocking, so the proc parameter
is pointless and can be dropped.
OK mpi@, deraadt@
|
|
syscall) confirm the stack register points at MAP_STACK memory, otherwise
SIGSEGV is delivered. sigaltstack() and pthread_attr_setstack() are modified
to create a MAP_STACK sub-region which satisfies alignment requirements.
Observe that MAP_STACK can only be set/cleared by mmap(), which zeroes the
contents of the region -- there is no mprotect() equivalent operation, so
there is no MAP_STACK-adding gadget.
This opportunistic software-emulation of a stack protection bit makes
stack-pivot operations during ROPchain fragile (kind of like removing a
tool from the toolbox).
original discussion with tedu, uvm work by stefan, testing by mortimer
ok kettenis
|
|
This can lead to a deadlock where the parent waits infinitely for the
traced process.
Original problem reported by tb@ and worked around by visa@ for release
by not calling CURSIG() twice in userret().
ok tb@, visa@
|
|
to generate more than one ptrace(2) event. Do that by checking
pending signals first without altering any state. If there is
an unmasked signal ready for delivery, acquire the kernel lock
and redo the checks in issignal().
This prevents gdb from blocking on exit when it attempts to kill
an attached process, issue reported by tb@.
OK mpi@, deraadt@
|
|
The race is only triggerable if one of the threads of a multi-threaded
program is in the middle of a NOLOCK syscall when a signal is received.
The problem is that `ps_sigact' is shared between threads so its access
should be serialized. In the case of SA_RESETHAND, the handler is reset
when a signal is delivered, so delivering the signal twice would put the
process in an "impossible" state where some threads were stopped and some
were waiting for the others to die.
Serialize signal checking & processing with the KERNEL_LOCK() for now,
and introduce postsig_done() gypped from FreeBSD, to make sure the lock
is held when resetting the handler.
Bug report from espie@, ok visa@
|
|
The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer messes with a per-process field.
No objection from millert@, ok tedu@, bluhm@
|
|
ok deraadt@ krw@
|
|
|
|
SIGILL, SIGBUS, SIGSEGV signals. Make such memory violations visible
in lastcomm(1). This also works if a program tries to hide them
with a signal handler. Manual kill -SEGV does not generate false
positives.
OK deraadt@
|
|
Go-ahead from kettenis@, guenther@, deraadt@
|
|
OK jsg@
|
|
in struct mdproc. With that, all archs have those and the __HAVE_MD_TCB
macro can be unifdef'ed as always defined.
ok kettenis@ visa@ jsing@
|
|
While here document prfind(9).
with and ok guenther@
|
|
struct proc to struct process.
ok deraadt@ kettenis@
|
|
ok mpi@ mikeb@
|
|
the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.
most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.
the manpage and subr_pool.c bits i did myself.
ok tedu@ jmatthew@
@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);
|
|
ok deraadt@
|
|
ok kettenis@
|
|
ok tedu@
|
|
it's not enough to assign to an unsigned type because if the arithmetic
overflows the compiler may decide to do anything. so change all the
long long casts to uint64_t so that we start with the right type.
reported by Tim Newsham of NCC.
ok deraadt
|
|
kill(2) is supposed to find zombie processes, this probably got broken
when the process reaper was introduced. As a temporary(tm) workaround,
walk the list of zombie processes if we can't find the target pid in the
main process list.
Problem with zsh initially reported by Geoff Wozniak on misc@, analysis
done by naddy@. ok kettenis@ tedu@
|
|
By keeping both the new (sys_kill/sys_thrkill) and old (sys_o58_kill)
system calls for the OpenBSD 6.0 release, code that uses either of these
mechanisms will work on both of the supported OpenBSD releases. This
provides a clean transition for runtimes that make direct system calls
(namely the Go programming language).
This requires a minimal amount of non-intrusive code and does not block
development progress within OpenBSD.
ok deraadt@ guenther@
|
|
forever. noticed by Davin McCall.
while here, if the timeout actually is zero, return appropriate error.
ok guenther.
|
|
ok guenther sthen
|
|
Note that without locking a thread cannot claim that it is part
of a multi-threaded process using this macro.
Suggested by miod@, ok guenther@
|
|
ok deraadt@
|
|
torture tested on amd64, i386 and macppc
ok beck mpi stefan
"the change looks right" deraadt
|
|
|
|
The current code has already set it by default since 1.74
any pledge failure tries to make a coredump (default rules for coredump still
apply: so setuid binaries don't create them locally).
ok deraadt@
|
|
|
|
thrkill(2), rolling the kill(2) syscall number with the ABI change to
avoid breaking binaries during the transition. thrkill(2) includes
a 'tcb' argument that eliminates the need for locking in pthread_kill()
and simplifies pthread_cancel(). Switch __stack_smash_handler() to use
thrkill(2) and explicitly unblock SIGABRT.
Minor bump to both libc and libpthread: make sure you install a new kernel!
ok semarie@
|
|
pledgenote is used to annotate the policy for a namei context. So make it
track the nameidata.
It is expected for the caller to explicitly define the policy. It is a kernel
bug to not do so.
ok deraadt@
|
|
- rename _check function without suffix: a "pledge" function called from
anywhere is a "check" function.
- make the pledge_fail call the responsibility of the _check function; remove it
from the caller.
- make proper use of (potential) returned error of _check() functions.
- adds pledge_kill() and pledge_protexec()
with and OK deraadt@
|
|
used less than "stdio" -- include all the "self" operations. Instead of
different defines, use regular PLEDGE_* in the "p_pledgenote" variable
(which indicates the operation subtype a system call is performing). Many
checks are now easier to understand. p_pledgenote can often be passed
directly to ktrace, so that kdump says:
15565 test CALL pledge(0xa9a3f804c51,0)
15565 test STRU pledge request="stdio"
15565 test RET pledge 0
15565 test CALL open(0xa9a3f804c57,0x2<O_RDWR>)
15565 test NAMI "/tmp/testfile"
15565 test PLDG open, "wpath", errno 1 Operation not permitted
with help from semarie, ok guenther
|
|
a refactoring being done for the bc/dc relationship with otto.
|