Page MenuHomeFreeBSD

markj (Mark Johnston)
User

Projects (9)

User Details

User Since
Mar 12 2014, 1:00 AM (643 w, 4 d)

Recent Activity

Fri, Jul 10

markj added inline comments to D58164: init(8): extract reroot transient code into reroot_seed.
Fri, Jul 10, 9:31 PM
markj committed rG9bb576da3f60: git-mfc: Update exception lists (authored by markj).
git-mfc: Update exception lists
Fri, Jul 10, 9:23 PM
markj committed rG8ae306a1c8eb: git-mfc: Add an ignore-list feature (authored by markj).
git-mfc: Add an ignore-list feature
Fri, Jul 10, 9:23 PM
markj committed rG24816abb8740: syslogd: Limit rights on procdescs (authored by markj).
syslogd: Limit rights on procdescs
Fri, Jul 10, 9:23 PM
markj closed D58162: git-mfc: Update exception lists.
Fri, Jul 10, 9:23 PM
markj closed D58161: git-mfc: Add an ignore-list feature.
Fri, Jul 10, 9:23 PM
markj closed D58160: syslogd: Limit rights on procdescs.
Fri, Jul 10, 9:23 PM
markj added a comment to D58164: init(8): extract reroot transient code into reroot_seed.
In D58164#1333865, @kib wrote:

This is not finished, I need some help with the build system.

First, the reroot_seed binary should not be installed. I do not see how to specify this with the bsd.prog.mk.

Fri, Jul 10, 8:46 PM
markj requested review of D58162: git-mfc: Update exception lists.
Fri, Jul 10, 6:44 PM
markj requested review of D58161: git-mfc: Add an ignore-list feature.
Fri, Jul 10, 6:44 PM
markj requested review of D58160: syslogd: Limit rights on procdescs.
Fri, Jul 10, 6:10 PM
markj accepted D57067: vmm: Fully adopt the getrlimit(2) machinery for limiting the number of VMM instances.
Fri, Jul 10, 4:23 PM
markj added inline comments to D57067: vmm: Fully adopt the getrlimit(2) machinery for limiting the number of VMM instances.
Fri, Jul 10, 4:14 PM
markj added a comment to D58034: usr.bin/pkgconf: import the test suite.

Are the tests all passing now?

Fri, Jul 10, 2:49 PM
markj committed rG59a4b6c2a065: git-mfc: Cherry-pick all commits in one git command (authored by markj).
git-mfc: Cherry-pick all commits in one git command
Fri, Jul 10, 2:47 PM
markj committed rG1f091ad283e9: git-mfc: Filter pending and dangling commits by committer (authored by markj).
git-mfc: Filter pending and dangling commits by committer
Fri, Jul 10, 2:47 PM
markj closed D58129: git-mfc: Cherry-pick all commits in one git command.
Fri, Jul 10, 2:46 PM
markj closed D58126: git-mfc: Filter pending and dangling commits by committer.
Fri, Jul 10, 2:46 PM
markj accepted D58130: fusefs: fix gcc build error with shadowed variable in tests.
Fri, Jul 10, 2:43 PM
markj added inline comments to D58117: kern: add fget_procdesc().
Fri, Jul 10, 2:40 PM
markj added inline comments to D58123: procdesc: add NOTE_PDSIGCHLD.
Fri, Jul 10, 2:27 PM
markj updated subscribers of D58123: procdesc: add NOTE_PDSIGCHLD.
Fri, Jul 10, 2:23 PM
markj accepted D58147: kern_execve.c: simplify execve_block_wait().
Fri, Jul 10, 2:13 PM

Thu, Jul 9

markj added inline comments to D58093: dwatch: add nine diagnostic modules; grow errno, io, proc, sched.
Thu, Jul 9, 6:05 PM
markj added inline comments to D58123: procdesc: add NOTE_PDSIGCHLD.
Thu, Jul 9, 5:54 PM
markj added inline comments to D58117: kern: add fget_procdesc().
Thu, Jul 9, 5:45 PM
markj requested review of D58129: git-mfc: Cherry-pick all commits in one git command.
Thu, Jul 9, 5:39 PM
markj committed rG1ad156fc1439: inotify: Ensure that "allocfail" is initialized in inotify_log_one() (authored by markj).
inotify: Ensure that "allocfail" is initialized in inotify_log_one()
Thu, Jul 9, 4:00 PM
markj committed rG242c9c86c8ca: inotify: Unconditionally generate IN_IGNORED events for files/dirs (authored by markj).
inotify: Unconditionally generate IN_IGNORED events for files/dirs
Thu, Jul 9, 3:59 PM
markj requested review of D58126: git-mfc: Filter pending and dangling commits by committer.
Thu, Jul 9, 3:06 PM
markj added inline comments to D58123: procdesc: add NOTE_PDSIGCHLD.
Thu, Jul 9, 2:48 PM
markj added inline comments to D57375: routing: Subscribe nhops to ifnet link events.
Thu, Jul 9, 2:43 PM
markj added inline comments to D55363: if_gre: Add a regression test.
Thu, Jul 9, 2:28 PM
markj accepted D57669: if_gre(4): Fix races by changing initialization order and locks.
Thu, Jul 9, 2:21 PM
markj added inline comments to D58117: kern: add fget_procdesc().
Thu, Jul 9, 2:02 PM
markj committed rGf370bf9fafce: inotify: Ensure that "allocfail" is initialized in inotify_log_one() (authored by markj).
inotify: Ensure that "allocfail" is initialized in inotify_log_one()
Thu, Jul 9, 1:42 PM
markj committed rG3e123be2305a: inotify: Fix comment typos (authored by markj).
inotify: Fix comment typos
Thu, Jul 9, 1:42 PM
markj committed rG7bf11a2f0c9a: epoch: Fix epoch_drain_callbacks() (authored by markj).
epoch: Fix epoch_drain_callbacks()
Thu, Jul 9, 1:42 PM
markj committed rG836a76ad95be: tests/inotify: Make an error message more useful (authored by markj).
tests/inotify: Make an error message more useful
Thu, Jul 9, 1:42 PM
markj committed rGa58590631ccc: taskqueue: Avoid unbounded epoch read sections (authored by markj).
taskqueue: Avoid unbounded epoch read sections
Thu, Jul 9, 1:42 PM
markj committed rGe1ab35148dd4: netmap: Don't assume that user-provided strings are nul-terminated (authored by markj).
netmap: Don't assume that user-provided strings are nul-terminated
Thu, Jul 9, 1:42 PM
markj committed rGde6193cf7d2c: timefd: Correct the required rights for timerfd_gettime() (authored by markj).
timefd: Correct the required rights for timerfd_gettime()
Thu, Jul 9, 1:42 PM
markj closed D58030: epoch: Fix epoch_drain_callbacks().
Thu, Jul 9, 1:42 PM
markj closed D58031: taskqueue: Avoid unbounded epoch read sections.
Thu, Jul 9, 1:42 PM
markj closed D58084: timefd: Correct the required rights for timerfd_gettime().
Thu, Jul 9, 1:42 PM

Wed, Jul 8

markj added a comment to D58094: ptrace(PT_ATTACH_PD).

I don't think this patch is a good idea. It adds a bunch of complexity and state to a security layer in order to support a debugging feature, as I understand it.

Wed, Jul 8, 7:51 PM
markj committed rGc8cc44270404: unix: Fix a socket refcount leak in uipc_sendfile_wait() (authored by markj).
unix: Fix a socket refcount leak in uipc_sendfile_wait()
Wed, Jul 8, 6:11 PM
markj committed rGc0dc283b1a58: tests: Add pjdfstest integration (authored by markj).
tests: Add pjdfstest integration
Wed, Jul 8, 6:11 PM
markj committed rG1a715cbba276: virtio/p9fs: Define the channel list mutex as static (authored by markj).
virtio/p9fs: Define the channel list mutex as static
Wed, Jul 8, 6:11 PM
markj committed rGfae2b85dfee6: librpcsec_gss: Fix an off-by-one in rpc_gss_get_principal_name() (authored by thebugfixers_pm.me).
librpcsec_gss: Fix an off-by-one in rpc_gss_get_principal_name()
Wed, Jul 8, 6:11 PM
markj committed rG2e1226c3b2aa: libnetbsd: Avoid bringing in all of sys/param.h in sys/types.h (authored by markj).
libnetbsd: Avoid bringing in all of sys/param.h in sys/types.h
Wed, Jul 8, 6:11 PM
markj committed rGbfcac89d989a: p9fs: Remove the "cancel" transport method (authored by markj).
p9fs: Remove the "cancel" transport method
Wed, Jul 8, 6:11 PM
markj committed rGb365fc1ad2cc: makefs/zfs: Explicitly include sys/param.h for nitems() (authored by markj).
makefs/zfs: Explicitly include sys/param.h for nitems()
Wed, Jul 8, 6:10 PM
markj committed rGe19e2017f7aa: install: Explicitly include sys/param.h for MAXPATHLEN (authored by markj).
install: Explicitly include sys/param.h for MAXPATHLEN
Wed, Jul 8, 6:10 PM
markj committed rG8a641f97130f: if_ovpn: Fix a lock leak in an error path (authored by markj).
if_ovpn: Fix a lock leak in an error path
Wed, Jul 8, 6:10 PM
markj committed rG29264fa5f750: udp: Wrap a long line in udp_send() (authored by markj).
udp: Wrap a long line in udp_send()
Wed, Jul 8, 6:10 PM
markj added a comment to D58094: ptrace(PT_ATTACH_PD).
In D58094#1332534, @kib wrote:

Even if the debugee is also in capability mode, the debugger would still potentially be able to obtain capabilities it doesn't already have, violating the sandbox rules.

For this, the debugger needs to get the procdesc to the target with enough cap allowed. If something provided it, then it was the decision.

Wed, Jul 8, 3:30 PM
markj added a comment to D58094: ptrace(PT_ATTACH_PD).

Re: obtaining pdfd, in an lsan context we don't really have any choice- we're effectively running in a hostile environment, and we may not get the chance to execute anything privileged (because our image may infact even be exec'd that way). We allow getpid() in capability mode, though, so I didn't really see a problem with allowing pdopenpid for the process itself.

Sorry, what does LSAN have to do with capability mode?

There is no relation, except that LSAN cannot work if a program is in capability mode because it needs to momentarily freeze the program and collect current state about it to detect leaks. Right now, only ptrace(2) has the right facilities for this (it uses just the set that I enumerated above). Given your other point about even the target being in capability mode may be unsafe, it may be the case that we need something like PT_TRACE_ME to bless the relationship or declare it safe or something? I don't think you necessarily want to set the precedence that a child is able to trace its parent in the normal case, since the parent may have dropped resources after forking.

Wed, Jul 8, 3:04 PM
markj added a comment to D58094: ptrace(PT_ATTACH_PD).
In D58094#1332294, @kib wrote:

Why not just use ptrace(PT_ATTACH, pdgetpid(), ...)? I can see some argument for PT_ATTACH_PD if you are planning to make ptrace() available in capability mode.

Exactly what Kyle said above.

Nice, this seems reasonable to me. I have a proposal that I'm gonig to send to a list, but effectively, I'd like to do a few things in this area:

  • Add a convenience pdopenpid(0, ...) -> similar to what we do with setpgrp/setpggid, special-case 0 to allow self-pdopenpid without a getpid() call
  • Mark pdopenpid(2) CAPENABLED, allow it in capability mode only for self-requests
  • Mark ptrace(2) CAPENABLED, only allow: PT_ATTACH_PD, PT_DETACH, PT_GETNUMLWPS, PT_GETLWPLIST, PT_GETREGS

PT_VM_TIMESTAMP, TP_VM_ENTRY, PT_GETREGSET, PT_GET_SC_ARGS, PT_GET_SC_RET, and MD options.

But I really thought that if you have the pfd with the capability, then you can debug the target as you want. pdopenpid() should be not allowed lightly for capsicum, but you could get the pfd by other means, e.g. by passing it from some fully privileged wrapper.

I think my concern is that you can easily exfiltrate or manage resources from the global namespace if you can get ahold of a pdfd for a process that isn't also in capability mode. Even without remote syscall capability directly, you can still drive arbitrary execution with proper stepping and reg swapping. We probably want to be pretty conservative in what we allow to limit the possible shenanigans.

Wed, Jul 8, 1:10 PM
markj added inline comments to D58062: lagg: re-check port caps after bringing up a port.
Wed, Jul 8, 12:48 PM
markj added a comment to D58094: ptrace(PT_ATTACH_PD).

Why not just use ptrace(PT_ATTACH, pdgetpid(), ...)? I can see some argument for PT_ATTACH_PD if you are planning to make ptrace() available in capability mode.

Wed, Jul 8, 1:43 AM

Tue, Jul 7

markj committed rG407c7c339adb: linux/futex: Don't load a timeout when try-locking a mutex (authored by markj).
linux/futex: Don't load a timeout when try-locking a mutex
Tue, Jul 7, 11:32 PM
markj closed D58061: linux/futex: Don't load a timeout when try-locking a mutex.
Tue, Jul 7, 11:32 PM
markj accepted D57163: pddupfd(2).
Tue, Jul 7, 3:54 PM
markj requested review of D58084: timefd: Correct the required rights for timerfd_gettime().
Tue, Jul 7, 3:45 PM
markj accepted D58062: lagg: re-check port caps after bringing up a port.
Tue, Jul 7, 2:22 PM
markj committed rG0083a4d6224f: tests/procdesc: Add some test cases for pdopenpid() (authored by markj).
tests/procdesc: Add some test cases for pdopenpid()
Tue, Jul 7, 2:16 PM
markj closed D58023: tests/procdesc: Add some test cases for pdopenpid().
Tue, Jul 7, 2:16 PM
markj updated the diff for D58061: linux/futex: Don't load a timeout when try-locking a mutex.

Apply kib's suggestion

Tue, Jul 7, 2:11 PM

Mon, Jul 6

markj requested review of D58061: linux/futex: Don't load a timeout when try-locking a mutex.
Mon, Jul 6, 5:20 PM
markj committed rG58c73727d6e4: vfs: Fix resource leaks in kern_symlinkat() (authored by markj).
vfs: Fix resource leaks in kern_symlinkat()
Mon, Jul 6, 3:49 PM
markj closed D58053: vfs: Fix resource leaks in kern_symlinkat().
Mon, Jul 6, 3:49 PM
markj added a comment to D58034: usr.bin/pkgconf: import the test suite.

I have run the tests manually, I'm still not quite sure how to run them through FreeBSD's build system.

Mon, Jul 6, 3:11 PM
markj added inline comments to D57375: routing: Subscribe nhops to ifnet link events.
Mon, Jul 6, 3:00 PM
markj accepted D54175: if_ovpn: fix memory leak in VNET.

The division of responsibilities between prison remove methods, VNET SYSUNINITs and MOD_UNLOAD handlers is super hard to understand...

Mon, Jul 6, 2:42 PM
markj accepted D57124: sys: add pdopenpid(2).
Mon, Jul 6, 2:36 PM
markj added inline comments to D57666: if_gif: Add netlink support with tests.
Mon, Jul 6, 2:35 PM
markj added inline comments to D55363: if_gre: Add a regression test.
Mon, Jul 6, 2:32 PM
markj added inline comments to D57669: if_gre(4): Fix races by changing initialization order and locks.
Mon, Jul 6, 2:30 PM
markj updated the diff for D58023: tests/procdesc: Add some test cases for pdopenpid().

Re-check that the child is sleeping.

Mon, Jul 6, 2:17 PM
markj added a comment to D58023: tests/procdesc: Add some test cases for pdopenpid().
In D58023#1331065, @kib wrote:

Do we want some test to ensure that pdopenpid() has no effect on the target? I mean, ptrace(PT_ATTACH) might cause spurious wakeups (partially mitigated now).

Mon, Jul 6, 1:59 PM
markj updated the diff for D58023: tests/procdesc: Add some test cases for pdopenpid().

Address review feedback, add procdesc_no_wakeup

Mon, Jul 6, 1:59 PM
markj requested review of D58053: vfs: Fix resource leaks in kern_symlinkat().
Mon, Jul 6, 1:38 PM
markj added inline comments to D57931: Add sbintime.9 manual page.
Mon, Jul 6, 1:33 PM
markj committed rG7f5fa76367d7: dtrace: Fix DOF section-specific validation (authored by markj).
dtrace: Fix DOF section-specific validation
Mon, Jul 6, 1:29 PM
markj committed rGb56b601c5ba6: dtrace: Improve DOF string table validation (authored by markj).
dtrace: Improve DOF string table validation
Mon, Jul 6, 1:29 PM
markj closed D57977: dtrace: Improve DOF string table validation.
Mon, Jul 6, 1:29 PM
markj committed rG8dc98f4d25a3: dtrace: Fix DOF section bounds validation (authored by markj).
dtrace: Fix DOF section bounds validation
Mon, Jul 6, 1:29 PM
markj closed D57979: dtrace: Fix DOF section-specific validation.
Mon, Jul 6, 1:28 PM
markj closed D57976: dtrace: Fix DOF section bounds validation.
Mon, Jul 6, 1:28 PM
markj committed rGc1b6ebc2b758: dtrace: Improve DOF section size validation (authored by markj).
dtrace: Improve DOF section size validation
Mon, Jul 6, 1:28 PM
markj closed D57975: dtrace: Improve DOF section size validation.
Mon, Jul 6, 1:28 PM
markj committed rGa8f5e24070a2: ee: Handle EINTR when waiting for a character (authored by markj).
ee: Handle EINTR when waiting for a character
Mon, Jul 6, 1:19 PM
markj committed rG705a88a71727: ee: Improve handling of malformed UTF-8 characters (authored by markj).
ee: Improve handling of malformed UTF-8 characters
Mon, Jul 6, 1:19 PM
markj closed D57997: ee: Handle EINTR when waiting for a character.
Mon, Jul 6, 1:19 PM
markj closed D57996: ee: Improve handling of malformed UTF-8 characters.
Mon, Jul 6, 1:19 PM
markj committed rG38dd686b9336: jaildesc: Publish the new fd only after the jaildesc is initialized (authored by markj).
jaildesc: Publish the new fd only after the jaildesc is initialized
Mon, Jul 6, 12:56 PM
markj committed rG92dfe30ba254: inotify.2: Fix formatting and lint (authored by markj).
inotify.2: Fix formatting and lint
Mon, Jul 6, 12:56 PM
markj committed rGb70997c8c75a: inotify: Unconditionally generate IN_IGNORED events for files/dirs (authored by markj).
inotify: Unconditionally generate IN_IGNORED events for files/dirs
Mon, Jul 6, 12:56 PM
markj closed D58049: jaildesc: Publish the new fd only after the jaildesc is initialized.
Mon, Jul 6, 12:55 PM