Page MenuHomeFreeBSD
Differential D12238

Implement random modulus with kern.randompid=1
ClosedPublic
Actions

Authored by marieheleneka_gmail.com on Sep 5 2017, 11:19 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Apr 11, 4:18 AM
Unknown Object (File)
Tue, Apr 9, 9:55 AM
Unknown Object (File)
Wed, Mar 27, 5:31 AM
Unknown Object (File)
Feb 6 2024, 4:12 PM
Unknown Object (File)
Feb 2 2024, 4:00 AM
Unknown Object (File)
Dec 26 2023, 3:49 PM
Unknown Object (File)
Dec 24 2023, 1:14 PM
Unknown Object (File)
Dec 22 2023, 10:29 PM
View All 33 Files
Subscribers
imp

Details

Reviewers
allanjude
kp
des
Commits
rS323390: If the user tries to set kern.randompid to 1 (which is meaningless), set
Summary

Background

kern.randompid introduces some randomization in which PID is chosen for the next process, instead of just bumping by 1.
Values:
kern.randompid=(value less than 2) is currently no-op and sets kern.randompid to 0.
If set to a value of ( 2 <= kern.randompid < 100), it's set to 100.
If set to a value of (100 <= kern.randompid <= (PID_MAX - 100)), it will be used as modulus when kern_fork.c tries to allocate new PID. Formula is lastpid += arc4random() % kern.randompid;
If set to a value of (kern.randompid > PID_MAX-100), it's set to PID_MAX-100.

(Should this be documented somewhere else? I'll happily do so, just tell me where ;) )

This patch changes

When kern.randompid is set to 1, it will no longer be auto-corrected to 0 but to a random value between 100 and 999 (inclusive). This should help make this feature slightly more randomized, as admin doesn't have to pick a (hopefully) random number on their own.. which also tends to be a set-and-forget value.

SUGGESTED COMMIT MESSAGE

Setting the sysctl kern.randompid to 1 is no longer a no-op, but rather sets it to a random value between 100 and 1123 inclusive.

Submitted by: Marie Helene Kvello-Aune
relnotes: yes

Test Plan

1: Apply patch
2: Compile, install and boot kernel
3: run "sysctl kern.randompid=1" as root

Expected result: Value should be set to a random number between 100 and 1123 inclusive

Hopefully won't observe the implosion of the universe.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 11471
Build 11826: arc lint + arc unit

Event Timeline

marieheleneka_gmail.com created this revision.Sep 5 2017, 11:19 PM
Herald added a subscriber: imp. · View Herald TranscriptSep 5 2017, 11:19 PM
marieheleneka_gmail.com edited the summary of this revision. (Show Details)Sep 5 2017, 11:22 PM
marieheleneka_gmail.com edited the test plan for this revision. (Show Details)
marieheleneka_gmail.com added a comment.Sep 5 2017, 11:56 PM

Want feedback on: Is the number range 100-999 sane?

imp added a comment.Sep 6 2017, 2:13 AM

It would be better to use a less predictable method of getting the next PID if you want random PIDs...

marieheleneka_gmail.com added a comment.Sep 6 2017, 8:01 AM

This patch doesn't implement PID randomization; that's already in. This patch just makes the sysctl value "1" generate a random modulus, instead of leaving the feature disabled.

marieheleneka_gmail.com edited the summary of this revision. (Show Details)Sep 6 2017, 8:04 AM
des requested changes to this revision.Sep 6 2017, 2:58 PM
des added inline comments.
sys/kern/kern_fork.c
217–218

This is redundant.

This revision now requires changes to proceed.Sep 6 2017, 2:58 PM
des added a comment.Sep 6 2017, 3:00 PM

BTW, 100 is a reasonable lower bound, but perhaps pid_max - 100 would be a better upper bound than 999, since it is already the maximum for an explicitly selected value.

marieheleneka_gmail.com added a comment.Sep 6 2017, 3:04 PM
In D12238#254056, @des wrote:

BTW, 100 is a reasonable lower bound, but perhaps pid_max - 100 would be a better upper bound than 999, since it is already the maximum for an explicitly selected value.

I'm a bit concerned about the existing comment about the value:

Using a modulus that is too big causes a LOT more process table scans and slows down fork processing as the pidchecked caching is defeated.

Although 999 might be on the low end, I don't think we should risk triggering this by making the upper bound too high.

marieheleneka_gmail.com marked an inline comment as done.Sep 6 2017, 3:07 PM
marieheleneka_gmail.com added inline comments.
sys/kern/kern_fork.c
217–218

Good catch. Fixed, will update patch in a few.

marieheleneka_gmail.com updated this revision to Diff 32716.Sep 6 2017, 3:09 PM
marieheleneka_gmail.com marked an inline comment as done.
des added inline comments.Sep 6 2017, 3:20 PM
sys/kern/kern_fork.c
215

I'm not sure I understand this; arc4random() returns a uint32_t, so both the abs() and the cast are unnecessary.

BTW, it is generally better to use a cross-product than modulo, since the latter gives a small bias, but then you have to cast to a wider type so the multiplication won't overflow:

pid = (uint64_t)arc4random() * (999 - 100 + 1) / UINT32_MAX + 100;

des added a comment.Sep 6 2017, 3:22 PM

I think I was unclear. The abs() in your code is only required because the cast to int can result in a negative value. If you drop the cast, you can also drop the abs() and all will be fine. The stuff I wrote about a cross-product is optional :)

marieheleneka_gmail.com updated this revision to Diff 32799.Sep 8 2017, 2:30 PM

Implement random modulus with kern.randompid=1
Fixed some incorrect assumptions (casting+abs()) and using cross-cast instead of modulus for more randomized results.

Harbormaster completed remote builds in B11433: Diff 32799.Sep 8 2017, 2:30 PM
marieheleneka_gmail.com updated this revision to Diff 32878.Sep 10 2017, 2:32 PM

Fixed bug introduced in previous revision: setting kern.randompid=0 sets it to 100
Restructured if-then-else tree to make slightly more sense while here. (feedback from des@)

Harbormaster completed remote builds in B11470: Diff 32878.Sep 10 2017, 2:32 PM
marieheleneka_gmail.com updated this revision to Diff 32879.Sep 10 2017, 2:40 PM

Since the upper bound of modulus was picked somewhat randomly, change it so the math is simpler. (suggested by des@)

marieheleneka_gmail.com edited the test plan for this revision. (Show Details)Sep 10 2017, 2:50 PM
marieheleneka_gmail.com edited the summary of this revision. (Show Details)
des accepted this revision.Sep 10 2017, 2:55 PM
This revision is now accepted and ready to land.Sep 10 2017, 2:55 PM
des added a comment.EditedSep 10 2017, 3:07 PM

Committed in rS323390 which was tagged with the wrong differential number.

marieheleneka_gmail.com mentioned this in D12433: bsdinstall(8) hardening menu: Utilize new kern.randompid=1 behaviour.Sep 21 2017, 2:14 PM
marieheleneka_gmail.com added a commit: rS323390: If the user tries to set kern.randompid to 1 (which is meaningless), set.Sep 21 2017, 2:58 PM
marieheleneka_gmail.com closed this revision.Oct 4 2017, 9:45 AM

Was committed in rS323390. (This comment is only to close the revision)

Revision Contents
Changeset List

PathSize
sys/
kern/
22 lines

Diff 32879

View Options

sys/kern/kern_fork.c

Loading...