| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
anticipation of further changes to closef(). No binary change.
ok krw@ miod@ deraadt@
|
| |
|
|
|
|
|
|
|
|
| |
- move the P_TRACED and P_INEXEC flags, and p_oppid, p_ptmask, and
p_ptstat member from struct proc to struct process
- sort the PT_* requests into those that take a PID vs those that
can also take a TID
- stub in PT_GET_THREAD_FIRST and PT_GET_THREAD_NEXT
ok kettenis@
|
| |
|
|
|
|
|
|
| |
or fd_{lo,hi}maps members, or when doing a read for a write. Fixes hangs
when an rthreaded processes sleeps while copying the fd table for fork()
and catches another thread with the lock.
ok jsing@ tedu@
|
| |
|
|
| |
ok deraadt@, sthen@, jasper@
|
| |
|
|
|
|
| |
as it causes hangs in some ports, including libsigsegv's configure script
confirmed by krw@, landry@
|
| |
|
|
|
|
|
|
|
|
|
| |
hold the kernel lock, but still need call one function that needs it.
Instead of grabbing the lock all over the place, move the locks into
the affected functions: trapsignal, scdebug*, ktrsyscall, ktrsysret,
systrace_redirect and ADDUPROF. In the cases we already hold the biglock
we'll just recurse.
kettenis@, beck@ ok
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
the traced process when the syscall is attempted. This is more useful and
safer for unsupervised sandboxing than returning EPERM (which is the
behaviour of SYSTR_POLICY_NEVER), as this could cause dangerous misbehaviour
in applications that don't expect it.
"I like it" deraadt@ markus@
|
| |
|
|
|
|
| |
that you can't evade the checks by doing the dirty work in an rthread
ok blambert@, deraadt@
|
| |
|
|
|
| |
things things do
ok nicm
|
| |
|
|
|
|
|
|
|
|
| |
supported it doesn't do any harm), so put the KNOTE() in selwakeup() itself and
remove it from any occurences where both are used, except one for kqueue itself
and one in sys_pipe.c (where the selwakeup is under a PIPE_SEL flag).
Based on a diff from tedu.
ok deraadt
|
| |
|
|
|
|
|
| |
calls can go directly into selwakeup() safely
long discussion with nicm, murmers of consent from tedu and miod, noone
else seems to care of kqueue is busted as long as it makes their sockets
move data fast... pretty sad.
|
| |
|
|
|
|
|
|
|
|
|
| |
which is exactly what the macro does.
Macro's that are nothing more then:
#define FUNCTION(arg) function(arg)
are almost always pointless and should go away.
OK blambert@
Agreed by many.
|
| |
|
|
|
|
|
| |
fork(), i worry about it a lot but cannot prove yet that sleeping there
is bad. Anyways, this change makes us never sleep in that area -- the
memory needed is allocated ealier like the ptrace state. tested by many
developers.
|
| |
|
|
|
|
| |
flag to the pool_get call.
ok art@, krw@
|
| |
|
|
| |
ok krw@ deraadt@ dlg@
|
| |
|
|
| |
prompted and "much better" by marco@, ok pyr@
|
| |
|
|
| |
ok pyr@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
it's a good idea to use atomic.h operations on it. This mechanic
change updates all bit operations on p_flag to atomic_{set,clear}bits_int.
Only exception is that P_OWEUPC is set by MI code before calling
need_proftick and it's automatically cleared by ADDUPC. There's
no reason for MD handling of that flag since everyone handles it the
same way.
kettenis@ ok
|
| |
|
|
| |
Security; ok deraadt
|
| |
|
|
|
|
|
|
|
|
| |
their *stat() calls, for example, and get ENOENT, which is expected for
"", instead of a forced EINVAL.
Fixes the spurious 'rm: : Invalid argument' warnings when building with
option USE_SYSTRACE, reported on ports@.
Okay provos@ sturm@ deraadt@
|
| | |
|
| |
|
|
|
|
|
| |
out of procfs and gets a ptrace request PT_{READ,WRITE}_{I,D} as argument;
also procfs_checkioperm() becomes process_checkioperm().
From art@ some time ago; ok kettenis@ pedro@
|
| |
|
|
|
|
| |
of panics and bugfixes. Access curproc directly, do not expect a process
pointer as an argument. Should fix many "process context required" bugs.
Incentive and okay millert@, okay marc@. Various testing, thanks.
|
| |
|
|
|
| |
since otherwise a very high kernel address would be stored as a negative
offset. From NetBSD (christos).
|
| |
|
|
|
|
|
| |
the stackgap. this in turn allows for argument replacement with indirection.
for example replacing an entire envp or struct pollfd.
ok provos@ millert@
|
| |
|
|
|
|
|
|
|
| |
the argv[0] would be normalized, and hence break scripts
that depend on how they were called.
this fixes an issue in the ports builds.
ok provos@ deraadt@; lots of testing during hackathon sturm@ naddy@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- add an exec message so that whenever a set-uid/gid process
exec's a new image which we may control, the exec does not
go by unnoticed.
- take special care to check for P_SUGIDEXEC as well as
P_SUGID, corresponding to the same changes that were made in
the ptrace code a while ago
ok niels@, sturm@; thanks to naddy for testing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
itojun@ ok
fix a race condition between path resolution in userland
and the subsequent namei(): inform the kernel portion of
valid filenames and then disallow symlink lookups for
those filenames by means of a hook in namei().
with suggestions from provos@
also, add (currently unused) seqnr field to struct
systrace_replace, from provos@
|
| |
|
|
|
|
|
| |
now call the poll backend. With this change we implement greater
poll(2) functionality instead of emulating it via the select backend.
Adapted from NetBSD and including some changes from FreeBSD.
Tested by many, deraadt@ OK
|
| |
|
|
|
|
|
|
|
| |
argument. old cred only calls user suser_ucred. this will allow future
work to more flexibly implement the idea of a root process. looks like
something i saw in freebsd, but a little different.
use of suser_ucred vs suser in file system code should be looked at again,
for the moment semantics remain unchanged.
review and input from art@ testing and further review miod@
|
| |
|
|
|
| |
- escape fixes for special characters
markus, sturm ok. from provos
|
| |
|
|
|
|
| |
STRIOCCLONE and SYSTR_CLONE have the same value now
ok mickey@
|
| |
|
|
|
|
|
| |
One is a kernel fix that changes the lockin and one is a userland fix that
prevents dereferencing a freed pointer.
From provos
deraadt@ ok
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
with privilege elevation no suid or sgid binaries are necessary any
longer. Applications can be executed completely
unprivileged. Systrace raises the privileges for a single system call
depending on the configured policy.
Idea from discussions with Perry Metzger, Dug Song and Marcus Watts.
from provos
|
| |
|
|
| |
from provos
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
avoids problems where tsleep has been interrupted by a signal.
|
| | |
|
guenther
matthew
art
djm
tedu
deraadt
nicm
thib
blambert
brad
gilles
pedro
alek
miod
millert
marius
jmc
sturm
itojun
henning
mickey
fgsch
provos