Page MenuHomeFreeBSD
Differential D25552

kern_cpuset: allow using the explicit form of own pid/tid in capability mode
ClosedPublic
Actions

Authored by val_packett.cool on Jul 2 2020, 8:12 PM.
Tags
Referenced Files
Unknown Object (File)
Fri, Nov 22, 5:55 PM
Unknown Object (File)
Oct 4 2024, 8:59 PM
Unknown Object (File)
Sep 27 2024, 10:24 PM
Unknown Object (File)
Sep 20 2024, 10:15 AM
Unknown Object (File)
Sep 1 2024, 7:28 PM
Unknown Object (File)
Aug 31 2024, 7:16 AM
Unknown Object (File)
Aug 31 2024, 6:52 AM
Unknown Object (File)
Aug 18 2024, 11:52 PM
View All 31 Files
Subscribers
imp

Details

Reviewers
emaste
markj
Group Reviewers
capsicum
Contributor Reviews (src)
Commits
rS362968: Allow accesses of the caller's CPU and domain sets in capability mode.
Summary

Firefox (Spidermonkey) does this to get the stack base (well, on FreeBSD and NetBSD — OpenBSD conveniently has a pthread_stackseg_np thing):

pthread_t thread = pthread_self();
pthread_attr_get_np(thread, &sattr);
rc = pthread_attr_getstack(&sattr, &stackBase, &stackSize);

And pthread_attr_get_np (_thr_attr_get_np) does:

	ret = cpuset_getaffinity(CPU_LEVEL_WHICH, CPU_WHICH_TID, TID(pthread),
		dst->cpusetsize, dst->cpuset);

Whoops, that's not allowed in capability mode, even though we are getting the current thread's attributes, which should be allowed!

(Firefox does work with failing pthread_attr_get_np anyway, but it's better not to have the error :D)

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

val_packett.cool created this revision.Jul 2 2020, 8:12 PM
Herald added a subscriber: imp. · View Herald TranscriptJul 2 2020, 8:12 PM
val_packett.cool requested review of this revision.Jul 2 2020, 8:12 PM
val_packett.cool added a reviewer: markj.Jul 4 2020, 11:12 AM
markj accepted this revision.Jul 6 2020, 2:27 PM

This looks ok to me. I'm happy to commit the patch as-is, but:

  • these checks should really be lifted into a subroutine,
  • cpuset_(get|set)domain() are not listed in capabilities.conf and so aren't available in capability mode at all, though clearly they should be.

Please let me know if you'd like to write patches for this, otherwise I will work on it.

sys/kern/kern_cpuset.c
1750

It seems odd that CPU_WHICH_TID doesn't allow one to select a different thread from the same process. I'm not sure if it's intentional.

This revision is now accepted and ready to land.Jul 6 2020, 2:27 PM
val_packett.cool added a comment.Jul 6 2020, 2:36 PM
In D25552#565508, @markj wrote:
  • these checks should really be lifted into a subroutine,

Yeah I thought about that..

Please let me know if you'd like to write patches for this, otherwise I will work on it.

Feel free to make the better version of the patch yourself, the patch review process would just be a slowdown :)

markj added a comment.Jul 6 2020, 4:19 PM
In D25552#565512, @greg_unrelenting.technology wrote:
In D25552#565508, @markj wrote:
  • these checks should really be lifted into a subroutine,

Yeah I thought about that..

Please let me know if you'd like to write patches for this, otherwise I will work on it.

Feel free to make the better version of the patch yourself, the patch review process would just be a slowdown :)

Ok.

sys/kern/kern_cpuset.c
1750

It's a bit tricky to handle this case without introducing TOCTTOU races. We'd have to modify cpuset_which() to restrict the tdfind() call to the current process, so the capsicum checking wouldn't be done in a single centralized place anymore.

Closed by commit rS362968: Allow accesses of the caller's CPU and domain sets in capability mode. (authored by markj). · Explain WhyJul 6 2020, 4:34 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rS362968: Allow accesses of the caller's CPU and domain sets in capability mode..

Revision Contents
Changeset List

PathSize
sys/
kern/
16 lines

Diff 74030

View Options

sys/kern/kern_cpuset.c

Loading...