Page MenuHomeFreeBSD

GSoC StudentsOrganization
ActivePublic

Watchers

  • This project does not have any watchers.
  • View All

Recent Activity

Jan 21 2021

shivank added a comment to D20967: new MAC policy module - mac_ipacl.
In D20967#632260, @dch wrote:

This appears to have been accepted but not merged - it would be great to have it get into 13.0 if there's still time

Jan 21 2021, 11:31 AM · GSoC Students, GSoC Admins
dch added a comment to D20967: new MAC policy module - mac_ipacl.

This appears to have been accepted but not merged - it would be great to have it get into 13.0 if there's still time

Jan 21 2021, 10:05 AM · GSoC Students, GSoC Admins

Sep 12 2020

shivank added a comment to D26243: Add audit(4) support to NFS(v3).

Isn't audit_nfsarg_vnode1 the problem? You already know the path when you call AUDIT_ARG_UPATH1_VP, right?

Sep 12 2020, 7:43 AM · security, GSoC Students, Audit

Sep 11 2020

asomers added a comment to D26243: Add audit(4) support to NFS(v3).
In D26243#587132, @mjg wrote:

Audit support for regular lookup starts with AUDIT_ARG_UPATH1_VP/AUDIT_ARG_UPATH2_VP without any vnodes locked. Later on visited vnodes get added with AUDIT_ARG_VNODE1/AUDIT_ARG_VNODE2 which only performs VOP_GETATTR (i.e. does *NOT* resolve any paths). Your code should follow the same scheme.

As you can see path resolving routines can take vnode locks on their own (modulo the smr case). This means they can't be called with locked vnodes to begin with, as otherwise you risk violating global lock ordering and consequently deadlocking the kernel.

The VOP_ISLOCKED routine is not entirely legal to call if you don't hold the lock. The name is perhaps misleading, but it can only reliably tell you that you have an exclusive lock or that *SOMEONE* has a shared lock (and it may be you). Or to put it differently, if you don't have the vnode locked but someone else has it shared locked, you will get non-0 and that's how you get the panic. Regardless of this problem, adding the call reduces performance and most notably suggests a bug on its own.

So the question is why are you calling here with any vnodes locked.

I wish to audit the canonical path of the file requested by the NFS clients. The requested path from the client is extracted in the NFS server using nfsrv_parsename, but the vnode is locked in some NFS services. I thought of unlocking/relocking of vnode for path audit but Rick advised not to. That's why I had to call this locked vnode.

Thanks for your question which made me rethink the problem from scratch and I got a new idea for auditing path.

Hi @rmacklem and @asomers, if I use nfsvno_namei to get the canonical path for the client, I will not the need the AUDIT_ARG_UPATH1_VP.which will save me from all the trouble of passing locked vnode to vn_fullpath_global. Please provide your opinion on the same.

Sep 11 2020, 11:11 PM · security, GSoC Students, Audit
shivank added a comment to D26243: Add audit(4) support to NFS(v3).
In D26243#587132, @mjg wrote:

Audit support for regular lookup starts with AUDIT_ARG_UPATH1_VP/AUDIT_ARG_UPATH2_VP without any vnodes locked. Later on visited vnodes get added with AUDIT_ARG_VNODE1/AUDIT_ARG_VNODE2 which only performs VOP_GETATTR (i.e. does *NOT* resolve any paths). Your code should follow the same scheme.

As you can see path resolving routines can take vnode locks on their own (modulo the smr case). This means they can't be called with locked vnodes to begin with, as otherwise you risk violating global lock ordering and consequently deadlocking the kernel.

The VOP_ISLOCKED routine is not entirely legal to call if you don't hold the lock. The name is perhaps misleading, but it can only reliably tell you that you have an exclusive lock or that *SOMEONE* has a shared lock (and it may be you). Or to put it differently, if you don't have the vnode locked but someone else has it shared locked, you will get non-0 and that's how you get the panic. Regardless of this problem, adding the call reduces performance and most notably suggests a bug on its own.

So the question is why are you calling here with any vnodes locked.

Sep 11 2020, 11:10 AM · security, GSoC Students, Audit
shivank added a reviewer for D26243: Add audit(4) support to NFS(v3): mjg.
Sep 11 2020, 4:45 AM · security, GSoC Students, Audit
mjg added a comment to D26243: Add audit(4) support to NFS(v3).

Audit support for regular lookup starts with AUDIT_ARG_UPATH1_VP/AUDIT_ARG_UPATH2_VP without any vnodes locked. Later on visited vnodes get added with AUDIT_ARG_VNODE1/AUDIT_ARG_VNODE2 which only performs VOP_GETATTR (i.e. does *NOT* resolve any paths). Your code should follow the same scheme.

Sep 11 2020, 12:40 AM · security, GSoC Students, Audit

Sep 10 2020

shivank updated subscribers of D26243: Add audit(4) support to NFS(v3).

I feel vfs_cache.c changes for making vn_fullpath_global work for optionally locked vnode are causing the trouble. Though I'm not sure what's the problem. I request Mateusz Guzik, @mjg to have a look at my vfs_cache.c changes. I would be grateful for your time.

Sep 10 2020, 3:05 PM · security, GSoC Students, Audit

Sep 7 2020

asomers requested changes to D26243: Add audit(4) support to NFS(v3).

The new code looks better. But grrr, there are two big problems:

  1. It doesn't compile due to some recent changes on head. I suggest the following:
    • Remove the <rpc/rpc.h>, <sys/mount.h>, and <fs/nfs/*> includes from audit.h. In addition to fixing the compile failure, it's generally not recommended to include headers from other headers. Sometimes it's necessary, but it also causes header pollution, and slow build times. Instead of including those files, just forward declare struct nfsrv_descript; and struct kaudit_record;.
    • Add `<netinet/in.h>, <rpc/rpc.h>, <fs/nfs/nfsdport.h>, <fs/nfs/nfsproto.h>, and <fs/nfs/nfs.h> to audit_bsm_db.c
    • Add <rpc/rpc.h>, <fs/nfs/nfsport.h>, <fs/nfs/nfsproto.h>, and <fs/nfs/nfs.h> to audit.c
Sep 7 2020, 5:30 PM · security, GSoC Students, Audit
shivank updated the diff for D26243: Add audit(4) support to NFS(v3).
  • merge vn_fullpath_any and vn_vptocnp with their locked counterpart to work for optionally locked vnodes.
Sep 7 2020, 10:52 AM · security, GSoC Students, Audit

Sep 6 2020

asomers added inline comments to D26243: Add audit(4) support to NFS(v3).
Sep 6 2020, 9:05 PM · security, GSoC Students, Audit

Aug 31 2020

shivank abandoned D25869: Add audit(4) support to NFS(v3).

I created a new review - D26243. Sorry for the trouble.

Aug 31 2020, 5:06 AM · security, GSoC Students, Audit
shivank added a comment to D26243: Add audit(4) support to NFS(v3).

It was earlier being reviewed on D25869. But due to change of base revision, It was showing changes which were not mine. So, I created a new review here.

Aug 31 2020, 5:03 AM · security, GSoC Students, Audit
shivank requested review of D26243: Add audit(4) support to NFS(v3).
Aug 31 2020, 4:57 AM · security, GSoC Students, Audit

Aug 30 2020

asomers added a comment to D25869: Add audit(4) support to NFS(v3).

It looks like your most recent change rebased the base revision. That makes it very hard to see which changes are from you and which aren't. Could you please either un-rebase it or, if that's not possible, open a new review?

Ohh, Sorry! I didn't thought pulling HEAD changes will create this side-effect in revision
I think I would open a new review as going back will have conflicting changes again. Should I abandon this while creating a new one??

Aug 30 2020, 8:58 PM · security, GSoC Students, Audit
shivank added a comment to D25869: Add audit(4) support to NFS(v3).

It looks like your most recent change rebased the base revision. That makes it very hard to see which changes are from you and which aren't. Could you please either un-rebase it or, if that's not possible, open a new review?

Aug 30 2020, 5:42 PM · security, GSoC Students, Audit
asomers added a comment to D25869: Add audit(4) support to NFS(v3).

Using two completely separate functions reduces the scope of error. Also prevent any mutation to the current code path for not locked vnodes, while allowing it to work for locked vnodes.

Aug 30 2020, 2:54 PM · security, GSoC Students, Audit

Aug 28 2020

shivank added a comment to D25869: Add audit(4) support to NFS(v3).
  • updated sys/kern/vfs_cache.c to reduce code duplication with vn_fullpath_dir
  • some trivial changes
Aug 28 2020, 4:18 PM · security, GSoC Students, Audit
shivank updated the diff for D25869: Add audit(4) support to NFS(v3).
Aug 28 2020, 4:04 PM · security, GSoC Students, Audit

Aug 20 2020

shivank added a comment to D25869: Add audit(4) support to NFS(v3).

Regarding code duplication in vn_fullpath_dir_locked:
I modified vn_fullpath_dir(and removed vn_fullpath_dir_locked) for optionally locked vnode here in git commit: https://github.com/shivankgarg98/freebsd/commit/418c1c2a6de9989fe7a541f6111ee2c3f2786c7b
It works fine NFSv4=3 case but somehow breaks nfsrvd_open to result in an error.{and hence can't open/create a regular file from client}.
Using two completely separate functions reduces the scope of error. Also prevent any mutation to the current code path for not locked vnodes, while allowing it to work for locked vnodes.

Aug 20 2020, 8:34 PM · security, GSoC Students, Audit
shivank updated the diff for D25869: Add audit(4) support to NFS(v3).

follow-up on suggested changes.

Aug 20 2020, 7:21 PM · security, GSoC Students, Audit

Aug 19 2020

asomers added a comment to D25869: Add audit(4) support to NFS(v3).

This is a much better locking strategy. However, there's a lot of duplicated code. Could you maybe combine the _locked with the original functions, so there wouldn't be so much duplication?

Aug 19 2020, 2:43 AM · security, GSoC Students, Audit

Aug 4 2020

shivank updated the diff for D25869: Add audit(4) support to NFS(v3).

removing unlocking/relocking implementation for vnode for auditing path, instead, define separate functions in vfs_cache.c for locked vnode as argument.

Aug 4 2020, 6:09 PM · security, GSoC Students, Audit

Jul 30 2020

shivank updated the diff for D25869: Add audit(4) support to NFS(v3).
Jul 30 2020, 7:17 PM · security, GSoC Students, Audit
shivank added a comment to D25869: Add audit(4) support to NFS(v3).

Thanks for all suggestions. I have incorporated them into my code. There is just a directory vnode unlocking/relocking issue not done yet.

Jul 30 2020, 7:08 PM · security, GSoC Students, Audit
rmacklem added a comment to D25869: Add audit(4) support to NFS(v3).

In summary, locking and unlocking vnodes in this code is dangerous
and I am not in a position to make sure what you do is safe.

Jul 30 2020, 1:05 AM · security, GSoC Students, Audit

Jul 29 2020

asomers added inline comments to D25869: Add audit(4) support to NFS(v3).
Jul 29 2020, 7:19 PM · security, GSoC Students, Audit
shivank added inline comments to D25869: Add audit(4) support to NFS(v3).
Jul 29 2020, 6:38 PM · security, GSoC Students, Audit
shivank updated the diff for D25869: Add audit(4) support to NFS(v3).

follow up on changes suggested by asomers@

Jul 29 2020, 6:35 PM · security, GSoC Students, Audit
asomers added inline comments to D25869: Add audit(4) support to NFS(v3).
Jul 29 2020, 12:10 AM · security, GSoC Students, Audit

Jul 28 2020

shivank requested review of D25869: Add audit(4) support to NFS(v3).
Jul 28 2020, 8:25 PM · security, GSoC Students, Audit

Aug 19 2019

D20967: new MAC policy module - mac_ipacl is now accepted and ready to land.
Aug 19 2019, 1:22 PM · GSoC Students, GSoC Admins

Aug 9 2019

shivank updated the diff for D20967: new MAC policy module - mac_ipacl.
Aug 9 2019, 6:54 PM · GSoC Students, GSoC Admins
shivank added a comment to D20967: new MAC policy module - mac_ipacl.
  • correct the IP addresses which were not in the documentation range
Aug 9 2019, 5:42 PM · GSoC Students, GSoC Admins
bz added a comment to D20967: new MAC policy module - mac_ipacl.

There's a couple of public IP(v6) addresses in the test scripts. We'd prefer not to have accidents with people. Can you please change them?

Aug 9 2019, 8:53 AM · GSoC Students, GSoC Admins

Aug 6 2019

shivank added a comment to D20967: new MAC policy module - mac_ipacl.
  • add ipacl entry in tests Makefile
  • fix minor issues in mac_ipacl.4
Aug 6 2019, 4:26 PM · GSoC Students, GSoC Admins

Aug 5 2019

thj closed D21065: Pass/Block test for three firewalls (pf, ipfw, ipf).
Aug 5 2019, 11:47 AM · GSoC Students

Aug 4 2019

D21065: Pass/Block test for three firewalls (pf, ipfw, ipf) is now accepted and ready to land.

All the tests seem to work on r350568

Aug 4 2019, 8:33 PM · GSoC Students

Aug 3 2019

shivank updated the diff for D20967: new MAC policy module - mac_ipacl.
Aug 3 2019, 9:43 AM · GSoC Students, GSoC Admins
shivank added a comment to D20967: new MAC policy module - mac_ipacl.
  • make tests more structured with atf
  • update man page mac_ipacl.4
Aug 3 2019, 9:29 AM · GSoC Students, GSoC Admins
ahsanb added a comment to D21065: Pass/Block test for three firewalls (pf, ipfw, ipf).

check if ipf module is loaded using "kldstat -q -m ipfilter " because "kldstat -q -m ipl" doesn't work.

Aug 3 2019, 7:01 AM · GSoC Students

Jul 31 2019

shivank added a comment to D20967: new MAC policy module - mac_ipacl.

fix errors shown by mandoc -Tlint for mac_ipacl.4
fix the license and copyrights

Jul 31 2019, 7:17 PM · GSoC Students, GSoC Admins
shivank added a comment to D20967: new MAC policy module - mac_ipacl.

Hi, @0mp thanks for the suggestion :).

Jul 31 2019, 6:54 PM · GSoC Students, GSoC Admins
0mp added a comment to D20967: new MAC policy module - mac_ipacl.

You may also want to run mandoc -Tlint apart from igor. :)

Jul 31 2019, 3:42 PM · GSoC Students, GSoC Admins
kp added inline comments to D21065: Pass/Block test for three firewalls (pf, ipfw, ipf).
Jul 31 2019, 8:37 AM · GSoC Students

Jul 30 2019

bz added inline comments to D20967: new MAC policy module - mac_ipacl.
Jul 30 2019, 10:59 PM · GSoC Students, GSoC Admins
D21065: Pass/Block test for three firewalls (pf, ipfw, ipf) now requires review to proceed.
  • Fix ipf check (using type ipf &> /dev/null)
Jul 30 2019, 3:37 PM · GSoC Students

Jul 29 2019

D21065: Pass/Block test for three firewalls (pf, ipfw, ipf) is now accepted and ready to land.

I think I'm happy with this.
I'll give Tom a bit of time to add any more remarks he might have, but I think we can commit this soon.

Jul 29 2019, 8:39 PM · GSoC Students
ahsanb added a comment to D21065: Pass/Block test for three firewalls (pf, ipfw, ipf).
  • Used ULA for v6 addresses
  • Changed license according to preferred license
  • For no_dad, I am taking kp's words regarding speed of the tests.
Jul 29 2019, 6:04 PM · GSoC Students

Jul 28 2019

shivank added a comment to D20967: new MAC policy module - mac_ipacl.
  • move man page to its right place
Jul 28 2019, 7:01 PM · GSoC Students, GSoC Admins