Details

Reviewers

kib
oshogbo
allanjude
markj
alc
olce

Commits

rG56a8aca83ab5: Stop treating size 0 as unknown size in vnode_create_vobject().

Summary

Whenever file is created, the vnode_create_vobject() function will
try to determine its size by calling vn_getsize_locked() as size 0
is ambigious: it means either the file size is 0 or the file size
is unknown.

Introduce special value for the size argument: VNODE_NO_SIZE.
Only when it is given, the vnode_create_vobject() will try to obtain
file's size on its own.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 57831
Build 54719: arc lint + arc unit

Event Timeline

pjd created this revision.May 19 2024, 1:21 AM

Herald added subscribers: asomers, imp. · View Herald TranscriptMay 19 2024, 1:21 AM

pjd requested review of this revision.May 19 2024, 1:21 AM

Harbormaster completed remote builds in B57753: Diff 138722.May 19 2024, 1:21 AM

pjd added reviewers: kib, oshogbo, allanjude.May 19 2024, 1:22 AM

kib added inline comments.May 19 2024, 1:30 AM

sys/vm/vnode_pager.c
168 ↗	(On Diff #138722)	I do not understand this. The new code calls vn_getsize_locked() both for size == 0 and size == VNODE_NO_SIZE, while the stated goal is to avoid vn_getsize_locked() call for size == 0.

kib added reviewers: markj, alc.May 19 2024, 1:30 AM

Don't call vn_getsize_locked() in case of VNODE_NO_SIZE.
Assume we can have a disk for both cases (size == 0 and size == VNODE_NO_SIZE).

Harbormaster completed remote builds in B57754: Diff 138723.May 19 2024, 1:39 AM

pjd marked an inline comment as done.May 19 2024, 1:39 AM

Style.

Harbormaster completed remote builds in B57755: Diff 138724.May 19 2024, 1:41 AM

kib added inline comments.May 19 2024, 2:18 AM

sys/vm/vnode_pager.c

156 ↗

(On Diff #138724)

You can reuse the vn_isdisk() check from there. E.g. this place might become

if (vn_isdisk(vp)) {
  if (size == 0 || isize == VNODE_NO_SIZE)
     size = IDX_TO_OFF(INT_MAX);
} else if (!vn_canvmio(vp)) {
    return (0);
}
and then vn_isdisk check below can be eliminated. vn_isdisk takes the devmtx.

BTW, can size == 0 for disks happen?  As I understand, this is to handle zero mediasize in g_vfs_open().  Is this possible?

pjd added inline comments.May 20 2024, 5:53 AM

sys/vm/vnode_pager.c
156 ↗	(On Diff #138724)	You can reuse the vn_isdisk() check from there. E.g. this place might become if (vn_isdisk(vp)) { if (size == 0 \|\| isize == VNODE_NO_SIZE) size = IDX_TO_OFF(INT_MAX); } else if (!vn_canvmio(vp)) { return (0); } and then vn_isdisk check below can be eliminated. vn_isdisk takes the devmtx. Maybe it would be possible to set some flag on the vnode and avoid devmtx altogether? BTW, can size == 0 for disks happen? As I understand, this is to handle zero mediasize in g_vfs_open(). Is this possible? From what I remember, you can have mediasize equals zero when there is no media, eg. you have a cd-rom without CD inside.

pjd added inline comments.May 20 2024, 6:12 AM

sys/vm/vnode_pager.c
156 ↗	(On Diff #138724)	BTW, can size == 0 for disks happen? As I understand, this is to handle zero mediasize in g_vfs_open(). Is this possible? This is what happens when we try to open an empty cd0: g_vfs_open:295: vp=0xfffff80006f52700 mediasize=0 vnode_create_vobject:160: vp=0xfffff80006f52700 size=0 g_vfs_done():cd0[READ(offset=65536, length=8192)]error = 6 supressing further ENXIO I think we could just move the check for mediasize == 0 to g_vfs_open and return ENXIO there.

Introduce dedicated vnode_disk_create_vobject() for use by g_vfs_open(), so we don't have to do vn_isdisk() checks for regular files.

Handle the case of mediasize==0 in g_vfs_open().

Harbormaster completed remote builds in B57770: Diff 138753.May 20 2024, 7:04 AM

markj added inline comments.May 20 2024, 2:41 PM

sys/geom/geom_vfs.c
295 ↗	(On Diff #138753)	Why do we call g_access() before this check? Is read access required in order to keep `pp->mediasize` stable?
sys/sys/vnode.h
1091 ↗	(On Diff #138753)	IMO, the name `vnode_create_disk_vobject()` keeps the namespace more consistent.
sys/vm/vnode_pager.c
189 ↗	(On Diff #138753)	`KASSERT(isize == VNODE_NO_SIZE \|\| isize >= 0)`?

Rename vnode_disk_create_vobject() to vnode_create_disk_vobject().
Improve assertions.

Harbormaster completed remote builds in B57801: Diff 138810.May 20 2024, 6:01 PM

kib added inline comments.May 20 2024, 6:46 PM

sys/vm/vnode_pager.c
189 ↗	(On Diff #138810)	Better use VNASSERT() there and in the next line. That said, this assertion is too strong. Due to the devfs vnode lifecycle, the vnode lock is not enough to guarantee that vn_isdisk() returns true for disk.

pjd added inline comments.May 20 2024, 8:35 PM

sys/geom/geom_vfs.c
295 ↗	(On Diff #138753)	Why do we call g_access() before this check? Is read access required in order to keep `pp->mediasize` stable? The mediasize property can be set on first access. See g_disk_access().
sys/vm/vnode_pager.c
189 ↗	(On Diff #138810)	That said, this assertion is too strong. Due to the devfs vnode lifecycle, the vnode lock is not enough to guarantee that vn_isdisk() returns true for disk. Not sure if I understand this one. devfs doesn't create vm objects for vnodes. File systems goes to GEOM directly through g_vfs_* KPI.

Use VNASSERT() instead of KASSERT().

Harbormaster completed remote builds in B57805: Diff 138817.May 20 2024, 8:38 PM

Add a missing argument to VNASSERT().

Harbormaster completed remote builds in B57806: Diff 138820.May 20 2024, 8:44 PM

kib added inline comments.May 20 2024, 8:54 PM

sys/vm/vnode_pager.c
189 ↗	(On Diff #138810)	devfs (destroy_dev(9)) might cause the assert to become false at any time. I misplaced the comment though: the issue is that vn_isdisk() for disk might become false, not this one.

Remove too aggressive assert.

Harbormaster completed remote builds in B57807: Diff 138821.May 20 2024, 9:09 PM

pjd marked 4 inline comments as done.May 20 2024, 9:10 PM

pjd added inline comments.

sys/vm/vnode_pager.c
189 ↗	(On Diff #138810)	So basically when a process is trying to mount a file system while devfs entry is being destroyed? Makes sense. Thanks.

pjd marked an inline comment as done.May 20 2024, 10:59 PM

pjd marked 2 inline comments as done.

kib accepted this revision.May 21 2024, 3:40 AM

This revision is now accepted and ready to land.May 21 2024, 3:40 AM

markj accepted this revision.May 21 2024, 2:48 PM

Better indeed to return ENXIO early in g_vfs_open() and remove the special case for 0 in vnode_create_vobject(). Thanks.

Compilation fix.

This revision now requires review to proceed.May 22 2024, 2:57 AM

Herald added a subscriber: emaste. · View Herald TranscriptMay 22 2024, 2:57 AM

Harbormaster completed remote builds in B57831: Diff 138877.May 22 2024, 2:57 AM

Updated wrong review. Bring back the proper patch.

Harbormaster completed remote builds in B57833: Diff 138879.May 22 2024, 2:59 AM

Add a comment explaining why we check mediasize this late.

Harbormaster completed remote builds in B57835: Diff 138882.May 22 2024, 5:05 AM

alc accepted this revision.May 22 2024, 5:11 AM

alc added inline comments.

sys/vm/vnode_pager.c
188 ↗	(On Diff #138882)	This blank line can be deleted.
202 ↗	(On Diff #138882)	This blank line can be deleted.

This revision is now accepted and ready to land.May 22 2024, 5:11 AM

Remove blank lines at the begining of functions with no local variables.

I see that style(9) has changed in this regard.

Requested by: alc

This revision now requires review to proceed.May 22 2024, 7:43 AM

Harbormaster completed remote builds in B57837: Diff 138885.May 22 2024, 7:43 AM

pjd marked 2 inline comments as done.May 22 2024, 7:44 AM

oshogbo accepted this revision.May 22 2024, 8:18 AM

This revision is now accepted and ready to land.May 22 2024, 8:18 AM

approved by: allanjude (mentor)

Closed by commit rG56a8aca83ab5: Stop treating size 0 as unknown size in vnode_create_vobject(). (authored by pjd). · Explain WhyMay 23 2024, 6:09 AM

This revision was automatically updated to reflect the committed changes.

pjd added a commit: rG56a8aca83ab5: Stop treating size 0 as unknown size in vnode_create_vobject()..

Diff 138877

View Options

Makefile.inc1

Show First 20 Lines • Show All 471 Lines • ▼ Show 20 Lines
{		{
struct filedesc *fdp;		struct filedesc *fdp;
struct flock *flp;		struct flock *flp;
struct file fp, fp2;		struct file fp, fp2;
struct filedescent *fde;		struct filedescent *fde;
struct proc *p;		struct proc *p;
struct vnode *vp;		struct vnode *vp;
struct mount *mp;		struct mount *mp;
int error, flg, seals, tmp;		struct kinfo_file *kif;
		int error, flg, kif_sz, seals, tmp;
uint64_t bsize;		uint64_t bsize;
off_t foffset;		off_t foffset;

error = 0;		error = 0;
flg = F_POSIX;		flg = F_POSIX;
p = td->td_proc;		p = td->td_proc;
fdp = p->p_fd;		fdp = p->p_fd;

▲ Show 20 Lines • Show All 356 Lines • ▼ Show 20 Lines	if (__predict_false(mp == NULL)) {
error = EBADF;		error = EBADF;
break;		break;
}		}
td->td_retval[0] = 0;		td->td_retval[0] = 0;
if (mp->mnt_kern_flag & MNTK_UNIONFS \|\|		if (mp->mnt_kern_flag & MNTK_UNIONFS \|\|
mp->mnt_flag & MNT_UNION)		mp->mnt_flag & MNT_UNION)
td->td_retval[0] = 1;		td->td_retval[0] = 1;
fdrop(fp, td);		fdrop(fp, td);
		break;

		case F_KINFO:
		#ifdef CAPABILITY_MODE
		if (IN_CAPABILITY_MODE(td)) {
		markjUnsubmitted Done Inline Actions I suspect it should be at least cap_fcntl_rights. Maybe this should not be permitted in capability mode at all, it seems dubious to allow a capmode process to look up the path corresponding to an fd. markj: I suspect it should be at least cap_fcntl_rights. Maybe this should not be permitted in…
		kibAuthorUnsubmitted Done Inline Actions So I added this, but an after-thought is that I do not see anything wrong with resolving full path even in capability mode. What additional privilege does this resolution grant? kib: So I added this, but an after-thought is that I do not see anything wrong with resolving full…
		markjUnsubmitted Not Done Inline Actions It doesn't grant any new privileges, but it leaks information about a namespace. KERN_PROC_FILEDESC is not permitted in capability mode, for example, and the fd may have been opened by a process with more privileges than the current (sandboxed) process. As another example, we have CAP_GETPEERNAME for a socket, but this operation returns a superset of the information provided by getpeername(2), so the right can be bypassed. Hmm, I forgot that we have cap_fcntls_limit(2) and fget_fcntl(). So with a bit more work it could be possible to strip the right to call F_KINFO for a particular fd. If that is implemented, then I think it is ok to remove the IN_CAPABILITY_MODE() check. The code should also check for CAP_GETPEERNAME for a socket, though. markj: It doesn't grant any new privileges, but it leaks information about a namespace.
		error = ECAPMODE;
		kibAuthorUnsubmitted Done Inline Actions Should this be ECAPMODE or ENOTCAPABLE? kib: Should this be ECAPMODE or ENOTCAPABLE?
		markjUnsubmitted Done Inline Actions ECAPMODE means, "this operation is not permitted in capability mode," whereas ENOTCAPABLE means "this fd has insufficient rights to perform the operation," so ECAPMODE is correct. If we added a fine-grained right(4) for this operation, like CAP_FCNTL_KINFO, and it was missing, then the error would be ENOTCAPABLE. markj: ECAPMODE means, "this operation is not permitted in capability mode," whereas ENOTCAPABLE means…
		break;
		}
		#endif
		error = copyin((void *)arg, &kif_sz, sizeof(kif_sz));
		markjUnsubmitted Done Inline Actions This should be zeroed, the fo_fill_kinfo() implementations do not handle it and we'll copy out uninitialized pad bytes. markj: This should be zeroed, the fo_fill_kinfo() implementations do not handle it and we'll copy out…
		if (error != 0)
		break;
		if (kif_sz != sizeof(*kif)) {
		error = EINVAL;
		break;
		}
		kif = malloc(sizeof(*kif), M_TEMP, M_WAITOK \| M_ZERO);
		error = fget_unlocked(fdp, fd, &cap_fcntl_rights, &fp);
		if (error == 0) {
		error = fo_fill_kinfo(fp, kif, fdp);
		markjUnsubmitted Done Inline Actions Should this be using export_file_to_kinfo() instead of calling the file method directly? It fills out some generic fields. markj: Should this be using export_file_to_kinfo() instead of calling the file method directly? It…
		if (error == 0) {
		error = copyout(kif, (void *)arg,
		sizeof(*kif));
		}
		fdrop(fp, td);
		}
		free(kif, M_TEMP);
break;		break;

default:		default:
error = EINVAL;		error = EINVAL;
break;		break;
}		}
return (error);		return (error);
}		}
▲ Show 20 Lines • Show All 4,224 Lines • Show Last 20 Lines

View Options

bin/cat/Makefile

Show First 20 Lines • Show All 471 Lines • ▼ Show 20 Lines
{		{
struct filedesc *fdp;		struct filedesc *fdp;
struct flock *flp;		struct flock *flp;
struct file fp, fp2;		struct file fp, fp2;
struct filedescent *fde;		struct filedescent *fde;
struct proc *p;		struct proc *p;
struct vnode *vp;		struct vnode *vp;
struct mount *mp;		struct mount *mp;
int error, flg, seals, tmp;		struct kinfo_file *kif;
		int error, flg, kif_sz, seals, tmp;
uint64_t bsize;		uint64_t bsize;
off_t foffset;		off_t foffset;

error = 0;		error = 0;
flg = F_POSIX;		flg = F_POSIX;
p = td->td_proc;		p = td->td_proc;
fdp = p->p_fd;		fdp = p->p_fd;

▲ Show 20 Lines • Show All 356 Lines • ▼ Show 20 Lines	if (__predict_false(mp == NULL)) {
error = EBADF;		error = EBADF;
break;		break;
}		}
td->td_retval[0] = 0;		td->td_retval[0] = 0;
if (mp->mnt_kern_flag & MNTK_UNIONFS \|\|		if (mp->mnt_kern_flag & MNTK_UNIONFS \|\|
mp->mnt_flag & MNT_UNION)		mp->mnt_flag & MNT_UNION)
td->td_retval[0] = 1;		td->td_retval[0] = 1;
fdrop(fp, td);		fdrop(fp, td);
		break;

		case F_KINFO:
		#ifdef CAPABILITY_MODE
		if (IN_CAPABILITY_MODE(td)) {
		markjUnsubmitted Done Inline Actions I suspect it should be at least cap_fcntl_rights. Maybe this should not be permitted in capability mode at all, it seems dubious to allow a capmode process to look up the path corresponding to an fd. markj: I suspect it should be at least cap_fcntl_rights. Maybe this should not be permitted in…
		kibAuthorUnsubmitted Done Inline Actions So I added this, but an after-thought is that I do not see anything wrong with resolving full path even in capability mode. What additional privilege does this resolution grant? kib: So I added this, but an after-thought is that I do not see anything wrong with resolving full…
		markjUnsubmitted Not Done Inline Actions It doesn't grant any new privileges, but it leaks information about a namespace. KERN_PROC_FILEDESC is not permitted in capability mode, for example, and the fd may have been opened by a process with more privileges than the current (sandboxed) process. As another example, we have CAP_GETPEERNAME for a socket, but this operation returns a superset of the information provided by getpeername(2), so the right can be bypassed. Hmm, I forgot that we have cap_fcntls_limit(2) and fget_fcntl(). So with a bit more work it could be possible to strip the right to call F_KINFO for a particular fd. If that is implemented, then I think it is ok to remove the IN_CAPABILITY_MODE() check. The code should also check for CAP_GETPEERNAME for a socket, though. markj: It doesn't grant any new privileges, but it leaks information about a namespace.
		error = ECAPMODE;
		kibAuthorUnsubmitted Done Inline Actions Should this be ECAPMODE or ENOTCAPABLE? kib: Should this be ECAPMODE or ENOTCAPABLE?
		markjUnsubmitted Done Inline Actions ECAPMODE means, "this operation is not permitted in capability mode," whereas ENOTCAPABLE means "this fd has insufficient rights to perform the operation," so ECAPMODE is correct. If we added a fine-grained right(4) for this operation, like CAP_FCNTL_KINFO, and it was missing, then the error would be ENOTCAPABLE. markj: ECAPMODE means, "this operation is not permitted in capability mode," whereas ENOTCAPABLE means…
		break;
		}
		#endif
		error = copyin((void *)arg, &kif_sz, sizeof(kif_sz));
		markjUnsubmitted Done Inline Actions This should be zeroed, the fo_fill_kinfo() implementations do not handle it and we'll copy out uninitialized pad bytes. markj: This should be zeroed, the fo_fill_kinfo() implementations do not handle it and we'll copy out…
		if (error != 0)
		break;
		if (kif_sz != sizeof(*kif)) {
		error = EINVAL;
		break;
		}
		kif = malloc(sizeof(*kif), M_TEMP, M_WAITOK \| M_ZERO);
		error = fget_unlocked(fdp, fd, &cap_fcntl_rights, &fp);
		if (error == 0) {
		error = fo_fill_kinfo(fp, kif, fdp);
		markjUnsubmitted Done Inline Actions Should this be using export_file_to_kinfo() instead of calling the file method directly? It fills out some generic fields. markj: Should this be using export_file_to_kinfo() instead of calling the file method directly? It…
		if (error == 0) {
		error = copyout(kif, (void *)arg,
		sizeof(*kif));
		}
		fdrop(fp, td);
		}
		free(kif, M_TEMP);
break;		break;

default:		default:
error = EINVAL;		error = EINVAL;
break;		break;
}		}
return (error);		return (error);
}		}
▲ Show 20 Lines • Show All 4,224 Lines • Show Last 20 Lines

View Options

bin/cat/cat.c

Show First 20 Lines • Show All 471 Lines • ▼ Show 20 Lines
{		{
struct filedesc *fdp;		struct filedesc *fdp;
struct flock *flp;		struct flock *flp;
struct file fp, fp2;		struct file fp, fp2;
struct filedescent *fde;		struct filedescent *fde;
struct proc *p;		struct proc *p;
struct vnode *vp;		struct vnode *vp;
struct mount *mp;		struct mount *mp;
int error, flg, seals, tmp;		struct kinfo_file *kif;
		int error, flg, kif_sz, seals, tmp;
uint64_t bsize;		uint64_t bsize;
off_t foffset;		off_t foffset;

error = 0;		error = 0;
flg = F_POSIX;		flg = F_POSIX;
p = td->td_proc;		p = td->td_proc;
fdp = p->p_fd;		fdp = p->p_fd;

▲ Show 20 Lines • Show All 356 Lines • ▼ Show 20 Lines	if (__predict_false(mp == NULL)) {
error = EBADF;		error = EBADF;
break;		break;
}		}
td->td_retval[0] = 0;		td->td_retval[0] = 0;
if (mp->mnt_kern_flag & MNTK_UNIONFS \|\|		if (mp->mnt_kern_flag & MNTK_UNIONFS \|\|
mp->mnt_flag & MNT_UNION)		mp->mnt_flag & MNT_UNION)
td->td_retval[0] = 1;		td->td_retval[0] = 1;
fdrop(fp, td);		fdrop(fp, td);
		break;

		case F_KINFO:
		#ifdef CAPABILITY_MODE
		if (IN_CAPABILITY_MODE(td)) {
		markjUnsubmitted Done Inline Actions I suspect it should be at least cap_fcntl_rights. Maybe this should not be permitted in capability mode at all, it seems dubious to allow a capmode process to look up the path corresponding to an fd. markj: I suspect it should be at least cap_fcntl_rights. Maybe this should not be permitted in…
		kibAuthorUnsubmitted Done Inline Actions So I added this, but an after-thought is that I do not see anything wrong with resolving full path even in capability mode. What additional privilege does this resolution grant? kib: So I added this, but an after-thought is that I do not see anything wrong with resolving full…
		markjUnsubmitted Not Done Inline Actions It doesn't grant any new privileges, but it leaks information about a namespace. KERN_PROC_FILEDESC is not permitted in capability mode, for example, and the fd may have been opened by a process with more privileges than the current (sandboxed) process. As another example, we have CAP_GETPEERNAME for a socket, but this operation returns a superset of the information provided by getpeername(2), so the right can be bypassed. Hmm, I forgot that we have cap_fcntls_limit(2) and fget_fcntl(). So with a bit more work it could be possible to strip the right to call F_KINFO for a particular fd. If that is implemented, then I think it is ok to remove the IN_CAPABILITY_MODE() check. The code should also check for CAP_GETPEERNAME for a socket, though. markj: It doesn't grant any new privileges, but it leaks information about a namespace.
		error = ECAPMODE;
		kibAuthorUnsubmitted Done Inline Actions Should this be ECAPMODE or ENOTCAPABLE? kib: Should this be ECAPMODE or ENOTCAPABLE?
		markjUnsubmitted Done Inline Actions ECAPMODE means, "this operation is not permitted in capability mode," whereas ENOTCAPABLE means "this fd has insufficient rights to perform the operation," so ECAPMODE is correct. If we added a fine-grained right(4) for this operation, like CAP_FCNTL_KINFO, and it was missing, then the error would be ENOTCAPABLE. markj: ECAPMODE means, "this operation is not permitted in capability mode," whereas ENOTCAPABLE means…
		break;
		}
		#endif
		error = copyin((void *)arg, &kif_sz, sizeof(kif_sz));
		markjUnsubmitted Done Inline Actions This should be zeroed, the fo_fill_kinfo() implementations do not handle it and we'll copy out uninitialized pad bytes. markj: This should be zeroed, the fo_fill_kinfo() implementations do not handle it and we'll copy out…
		if (error != 0)
		break;
		if (kif_sz != sizeof(*kif)) {
		error = EINVAL;
		break;
		}
		kif = malloc(sizeof(*kif), M_TEMP, M_WAITOK \| M_ZERO);
		error = fget_unlocked(fdp, fd, &cap_fcntl_rights, &fp);
		if (error == 0) {
		error = fo_fill_kinfo(fp, kif, fdp);
		markjUnsubmitted Done Inline Actions Should this be using export_file_to_kinfo() instead of calling the file method directly? It fills out some generic fields. markj: Should this be using export_file_to_kinfo() instead of calling the file method directly? It…
		if (error == 0) {
		error = copyout(kif, (void *)arg,
		sizeof(*kif));
		}
		fdrop(fp, td);
		}
		free(kif, M_TEMP);
break;		break;

default:		default:
error = EINVAL;		error = EINVAL;
break;		break;
}		}
return (error);		return (error);
}		}
▲ Show 20 Lines • Show All 4,224 Lines • Show Last 20 Lines

View Options

bin/cp/Makefile

Show First 20 Lines • Show All 471 Lines • ▼ Show 20 Lines
{		{
struct filedesc *fdp;		struct filedesc *fdp;
struct flock *flp;		struct flock *flp;
struct file fp, fp2;		struct file fp, fp2;
struct filedescent *fde;		struct filedescent *fde;
struct proc *p;		struct proc *p;
struct vnode *vp;		struct vnode *vp;
struct mount *mp;		struct mount *mp;
int error, flg, seals, tmp;		struct kinfo_file *kif;
		int error, flg, kif_sz, seals, tmp;
uint64_t bsize;		uint64_t bsize;
off_t foffset;		off_t foffset;

error = 0;		error = 0;
flg = F_POSIX;		flg = F_POSIX;
p = td->td_proc;		p = td->td_proc;
fdp = p->p_fd;		fdp = p->p_fd;

▲ Show 20 Lines • Show All 356 Lines • ▼ Show 20 Lines	if (__predict_false(mp == NULL)) {
error = EBADF;		error = EBADF;
break;		break;
}		}
td->td_retval[0] = 0;		td->td_retval[0] = 0;
if (mp->mnt_kern_flag & MNTK_UNIONFS \|\|		if (mp->mnt_kern_flag & MNTK_UNIONFS \|\|
mp->mnt_flag & MNT_UNION)		mp->mnt_flag & MNT_UNION)
td->td_retval[0] = 1;		td->td_retval[0] = 1;
fdrop(fp, td);		fdrop(fp, td);
		break;

		case F_KINFO:
		#ifdef CAPABILITY_MODE
		if (IN_CAPABILITY_MODE(td)) {
		markjUnsubmitted Done Inline Actions I suspect it should be at least cap_fcntl_rights. Maybe this should not be permitted in capability mode at all, it seems dubious to allow a capmode process to look up the path corresponding to an fd. markj: I suspect it should be at least cap_fcntl_rights. Maybe this should not be permitted in…
		kibAuthorUnsubmitted Done Inline Actions So I added this, but an after-thought is that I do not see anything wrong with resolving full path even in capability mode. What additional privilege does this resolution grant? kib: So I added this, but an after-thought is that I do not see anything wrong with resolving full…
		markjUnsubmitted Not Done Inline Actions It doesn't grant any new privileges, but it leaks information about a namespace. KERN_PROC_FILEDESC is not permitted in capability mode, for example, and the fd may have been opened by a process with more privileges than the current (sandboxed) process. As another example, we have CAP_GETPEERNAME for a socket, but this operation returns a superset of the information provided by getpeername(2), so the right can be bypassed. Hmm, I forgot that we have cap_fcntls_limit(2) and fget_fcntl(). So with a bit more work it could be possible to strip the right to call F_KINFO for a particular fd. If that is implemented, then I think it is ok to remove the IN_CAPABILITY_MODE() check. The code should also check for CAP_GETPEERNAME for a socket, though. markj: It doesn't grant any new privileges, but it leaks information about a namespace.
		error = ECAPMODE;
		kibAuthorUnsubmitted Done Inline Actions Should this be ECAPMODE or ENOTCAPABLE? kib: Should this be ECAPMODE or ENOTCAPABLE?
		markjUnsubmitted Done Inline Actions ECAPMODE means, "this operation is not permitted in capability mode," whereas ENOTCAPABLE means "this fd has insufficient rights to perform the operation," so ECAPMODE is correct. If we added a fine-grained right(4) for this operation, like CAP_FCNTL_KINFO, and it was missing, then the error would be ENOTCAPABLE. markj: ECAPMODE means, "this operation is not permitted in capability mode," whereas ENOTCAPABLE means…
		break;
		}
		#endif
		error = copyin((void *)arg, &kif_sz, sizeof(kif_sz));
		markjUnsubmitted Done Inline Actions This should be zeroed, the fo_fill_kinfo() implementations do not handle it and we'll copy out uninitialized pad bytes. markj: This should be zeroed, the fo_fill_kinfo() implementations do not handle it and we'll copy out…
		if (error != 0)
		break;
		if (kif_sz != sizeof(*kif)) {
		error = EINVAL;
		break;
		}
		kif = malloc(sizeof(*kif), M_TEMP, M_WAITOK \| M_ZERO);
		error = fget_unlocked(fdp, fd, &cap_fcntl_rights, &fp);
		if (error == 0) {
		error = fo_fill_kinfo(fp, kif, fdp);
		markjUnsubmitted Done Inline Actions Should this be using export_file_to_kinfo() instead of calling the file method directly? It fills out some generic fields. markj: Should this be using export_file_to_kinfo() instead of calling the file method directly? It…
		if (error == 0) {
		error = copyout(kif, (void *)arg,
		sizeof(*kif));
		}
		fdrop(fp, td);
		}
		free(kif, M_TEMP);
break;		break;

default:		default:
error = EINVAL;		error = EINVAL;
break;		break;
}		}
return (error);		return (error);
}		}
▲ Show 20 Lines • Show All 4,224 Lines • Show Last 20 Lines

View Options

bin/cp/utils.c

View Options

bin/mv/Makefile

View Options

bin/mv/mv.c

View Options

lib/libutil/Makefile

View Options

lib/libutil/fcopydata.c

View Options

lib/libutil/libutil.h

View Options

usr.bin/xinstall/Makefile

View Options

usr.bin/xinstall/xinstall.c

Stop treating size 0 as unknown size in vnode_create_vobject().
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 138877

Makefile.inc1

bin/cat/Makefile

bin/cat/cat.c

bin/cp/Makefile

bin/cp/utils.c

bin/mv/Makefile

bin/mv/mv.c

lib/libutil/Makefile

lib/libutil/fcopydata.c

lib/libutil/libutil.h

usr.bin/xinstall/Makefile

usr.bin/xinstall/xinstall.c

Stop treating size 0 as unknown size in vnode_create_vobject().ClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 138877

Makefile.inc1

bin/cat/Makefile

bin/cat/cat.c

bin/cp/Makefile

bin/cp/utils.c

bin/mv/Makefile

bin/mv/mv.c

lib/libutil/Makefile

lib/libutil/fcopydata.c

lib/libutil/libutil.h

usr.bin/xinstall/Makefile

usr.bin/xinstall/xinstall.c

Stop treating size 0 as unknown size in vnode_create_vobject().
ClosedPublic
Actions

Revision Contents
Changeset List