Page MenuHomeFreeBSD

Make it possible for init to execute any executable
ClosedPublic

Authored by trasz on Aug 2 2018, 10:48 AM.
Tags
None
Referenced Files
F105789928: D16565.diff
Fri, Dec 20, 5:49 PM
Unknown Object (File)
Nov 1 2024, 4:56 PM
Unknown Object (File)
Nov 1 2024, 4:56 PM
Unknown Object (File)
Nov 1 2024, 4:56 PM
Unknown Object (File)
Nov 1 2024, 4:56 PM
Unknown Object (File)
Nov 1 2024, 4:55 PM
Unknown Object (File)
Nov 1 2024, 4:38 PM
Unknown Object (File)
Oct 2 2024, 1:26 AM
Subscribers

Details

Summary

Make it possible for init to execute any executable, not just
sh(1) scripts. This means you can now eg rewrite your /etc/rc
in Python.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 18518
Build 18223: arc lint + arc unit

Event Timeline

Remove pointless variable.

sbin/init/init.c
1096

This is too rude. Check for exec permissions on the script before trying execv.

This should nicely work with /etc/rc which does not have +x.

sbin/init/init.c
1096

But it works just fine with /etc/rc without -x (which seems to be the default). Why check for +x if the execv() will to that anyways?

sbin/init/init.c
1096

What I want is that for normal /etc/rc it was not even tried to pass to execv(e) at all. In other words, I want that the change does not change anything for the current configuration, except for an additional innocent access(2) syscall.

sbin/init/init.c
1096

Okay, but why? What's the scenario where it would improve things?

sbin/init/init.c
1096

execve(2) is complicated syscall which is also hooked by mac modules. You simply do not want to knowingly aggravate all that stack when you can avoid this.

sbin/init/init.c
1096

Sorry, I just don't get it. I can't see a scenario where execve(2) would do "something weird" instead of returning EACCES, apart from having a seriously hosed kernel. Adding an additional pointless check only complicates the (notoriously hard to debug) code. Also, checking for a permission before calling something is an antipattern.

sbin/init/init.c
1096

Execve has pluggable image activators, and pluggable mac framework modules. What they do, and should what they do considered to be 'hosed' highly depends on the circumstances. E.g. if some image activator wrongly claims the binary as its own, while a mac module tries to find a signature and panic kernel when it can etc., should be considered hosed, or we should try to minimally start the system to allow recovery ?

The check for 'x' there is a simple matter to detect the executable format (shell script running from the interpreter vs directly activating it).

Let me reformulate: I want that there be no change in the syscalls issued by init for the default setup with our /etc/rc. I can tolerate additional access(2), but I do not want execve(2) which could do a lot of strange things which is impossible to diagnose at this early stage.

Add the extra access(2) checks, as suggested by kib@, and also
apply the same change to the code that runs /etc/rc.shutdown.

sbin/init/init.c
1096

Makes sense, thanks. Okay, I've added the access(2) checks (with extra cautious error reporting, just in case), and extended this to also handle rc.shutdown. This isn't fully tested yet, I'll do that before committing. What do you think?

Btw, there's some code duplication. I'll address this in a followup review.

This revision is now accepted and ready to land.Aug 4 2018, 1:00 PM
This revision was automatically updated to reflect the committed changes.