Re: svn commit: r278479 - in head: etc sys/kern

[Rui Paulo]

On Mar 22, 2015, at 18:08, Mateusz Guzik mjgu...@gmail.com wrote:
 
 On Mon, Feb 09, 2015 at 11:13:51PM +, Rui Paulo wrote:
 Author: rpaulo
 Date: Mon Feb  9 23:13:50 2015
 New Revision: 278479
 URL: https://svnweb.freebsd.org/changeset/base/278479
 
 Log:
  Notify devd(8) when a process crashed.
 
  This change implements a notification (via devctl) to userland when
  the kernel produces coredumps after a process has crashed.
  devd can then run a specific command to produce a human readable crash
  report.  The command is most usually a helper that runs gdb/lldb
  commands on the file/coredump pair.  It's possible to use this
  functionality for implementing automatic generation of crash reports.
 
  devd(8) will be notified of the full path of the binary that crashed and
  the full path of the coredump file.
 
 
 The more I look at this the more I'm convinced this is quite insecure.
 
 At a minimum this should also grow a flag to decide whether notification
 about jailed process crashes are allowed. Off by default.
 
 As it is you pass a path leading to a jail, but that's inherently
 untrusted and will lead to trouble.

We got sidetracked by the devd-bloat discussion, but I can turn this off until 
a better approach is programmed. 

--
Rui Paulo



___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Mateusz Guzik]

On Mon, Feb 09, 2015 at 11:13:51PM +, Rui Paulo wrote:
 Author: rpaulo
 Date: Mon Feb  9 23:13:50 2015
 New Revision: 278479
 URL: https://svnweb.freebsd.org/changeset/base/278479
 
 Log:
   Notify devd(8) when a process crashed.
   
   This change implements a notification (via devctl) to userland when
   the kernel produces coredumps after a process has crashed.
   devd can then run a specific command to produce a human readable crash
   report.  The command is most usually a helper that runs gdb/lldb
   commands on the file/coredump pair.  It's possible to use this
   functionality for implementing automatic generation of crash reports.
   
   devd(8) will be notified of the full path of the binary that crashed and
   the full path of the coredump file.
 

The more I look at this the more I'm convinced this is quite insecure.

At a minimum this should also grow a flag to decide whether notification
about jailed process crashes are allowed. Off by default.

As it is you pass a path leading to a jail, but that's inherently
untrusted and will lead to trouble.

-- 
Mateusz Guzik mjguzik gmail.com
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Warner Losh]

[[ I know I’m a little behind… ]]

 On Feb 10, 2015, at 7:16 AM, John Baldwin j...@freebsd.org wrote:
 
 On Monday, February 09, 2015 11:13:51 PM Rui Paulo wrote:
 Author: rpaulo
 Date: Mon Feb  9 23:13:50 2015
 New Revision: 278479
 URL: https://svnweb.freebsd.org/changeset/base/278479
 
 Log:
  Notify devd(8) when a process crashed.
 
  This change implements a notification (via devctl) to userland when
  the kernel produces coredumps after a process has crashed.
  devd can then run a specific command to produce a human readable crash
  report.  The command is most usually a helper that runs gdb/lldb
  commands on the file/coredump pair.  It's possible to use this
  functionality for implementing automatic generation of crash reports.
 
  devd(8) will be notified of the full path of the binary that crashed and
  the full path of the coredump file.
 
 I think this is a very useful feature and I think this is fine to be in the
 tree as-is for now.  My only note is that this is a bit of feature creep for
 devd (this isn't a device notification, this is a system event notification).

devd was always envisioned as being a system event notification thing.
It just started out life doing newbus events. It’s been growing these sorts
of notifications for quite some time.

 As such, I think it might be worth thinking if we (collectively) want to think
 about having a separate framework at all for system event notification.  You
 could possibly publish other interesting events this way.  For example, Isilon
 currently has a patch to log(9) Witness LORs.  I personally think it's a bit
 hackish and potentially unreliable.  A much nicer interface if you want to
 capture such things would be to publish an event for each logged LOR instead.
 Machine checks are another example of something that might be nice to publish
 (though you could possibly make the case that those would not be inappropriate
 to publish via devd since actual hardware is involved).  Disk and PCI errors
 are another class of thing that it would be nice to publish in an easier to
 programmaticaly parse manner.

I’d love to see this.

Though it might mean we’d need to implement some kind of filtering
for the redistribution port that devd has.

Warner


signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: svn commit: r278479 - in head: etc sys/kern

[John Baldwin]

On Tuesday, February 10, 2015 07:06:03 AM Adrian Chadd wrote:
 On 10 February 2015 at 06:16, John Baldwin j...@freebsd.org wrote:
  On Monday, February 09, 2015 11:13:51 PM Rui Paulo wrote:
  Author: rpaulo
  Date: Mon Feb  9 23:13:50 2015
  New Revision: 278479
  URL: https://svnweb.freebsd.org/changeset/base/278479
  
  Log:
Notify devd(8) when a process crashed.

This change implements a notification (via devctl) to userland when
the kernel produces coredumps after a process has crashed.
devd can then run a specific command to produce a human readable crash
report.  The command is most usually a helper that runs gdb/lldb
commands on the file/coredump pair.  It's possible to use this
functionality for implementing automatic generation of crash reports.

devd(8) will be notified of the full path of the binary that crashed
and
the full path of the coredump file.
  
  I think this is a very useful feature and I think this is fine to be in
  the
  tree as-is for now.  My only note is that this is a bit of feature creep
  for devd (this isn't a device notification, this is a system event
  notification). As such, I think it might be worth thinking if we
  (collectively) want to think about having a separate framework at all for
  system event notification.  You could possibly publish other interesting
  events this way.  For example, Isilon currently has a patch to log(9)
  Witness LORs.  I personally think it's a bit hackish and potentially
  unreliable.  A much nicer interface if you want to capture such things
  would be to publish an event for each logged LOR instead. Machine checks
  are another example of something that might be nice to publish (though
  you could possibly make the case that those would not be inappropriate to
  publish via devd since actual hardware is involved).  Disk and PCI errors
  are another class of thing that it would be nice to publish in an easier
  to programmaticaly parse manner.
 
 Cool, so someone's going to add multi-subscriber support to /dev/devctl ?

Eh, devd publishes /var/run/devd.pipe already which supports multiple 
subscribers.  I think that was one of the intentional design decisions was to 
handle multiple subscribers in userland rather than the kernel.

 I think devd grows these things because it's easier than teaching the
 devctl interface to support multiple listeners.

That wasn't really my question.  My question was if we want distinct streams 
or if we want want unified stream.  Having a unified stream might very well 
make sense (and if so we could rename devd to make that more obvious).

-- 
John Baldwin
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Slawa Olhovchenkov]

On Tue, Feb 10, 2015 at 07:06:03AM -0800, Adrian Chadd wrote:

 On 10 February 2015 at 06:16, John Baldwin j...@freebsd.org wrote:
  On Monday, February 09, 2015 11:13:51 PM Rui Paulo wrote:
  Author: rpaulo
  Date: Mon Feb  9 23:13:50 2015
  New Revision: 278479
  URL: https://svnweb.freebsd.org/changeset/base/278479
 
  Log:
Notify devd(8) when a process crashed.
 
This change implements a notification (via devctl) to userland when
the kernel produces coredumps after a process has crashed.
devd can then run a specific command to produce a human readable crash
report.  The command is most usually a helper that runs gdb/lldb
commands on the file/coredump pair.  It's possible to use this
functionality for implementing automatic generation of crash reports.
 
devd(8) will be notified of the full path of the binary that crashed and
the full path of the coredump file.
 
  I think this is a very useful feature and I think this is fine to be in the
  tree as-is for now.  My only note is that this is a bit of feature creep for
  devd (this isn't a device notification, this is a system event 
  notification).
  As such, I think it might be worth thinking if we (collectively) want to 
  think
  about having a separate framework at all for system event notification.  You
  could possibly publish other interesting events this way.  For example, 
  Isilon
  currently has a patch to log(9) Witness LORs.  I personally think it's a bit
  hackish and potentially unreliable.  A much nicer interface if you want to
  capture such things would be to publish an event for each logged LOR 
  instead.
  Machine checks are another example of something that might be nice to 
  publish
  (though you could possibly make the case that those would not be 
  inappropriate
  to publish via devd since actual hardware is involved).  Disk and PCI errors
  are another class of thing that it would be nice to publish in an easier to
  programmaticaly parse manner.
 
 Cool, so someone's going to add multi-subscriber support to /dev/devctl ?
 
 I think devd grows these things because it's easier than teaching the
 devctl interface to support multiple listeners.

/dev/eventctl and eventd? And, may be, rename /dev/devctl2 to
/dev/eventctl too.
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Ian Lepore]

On Tue, 2015-02-10 at 07:06 -0800, Adrian Chadd wrote:
 On 10 February 2015 at 06:16, John Baldwin j...@freebsd.org wrote:
  On Monday, February 09, 2015 11:13:51 PM Rui Paulo wrote:
  Author: rpaulo
  Date: Mon Feb  9 23:13:50 2015
  New Revision: 278479
  URL: https://svnweb.freebsd.org/changeset/base/278479
 
  Log:
Notify devd(8) when a process crashed.
 
This change implements a notification (via devctl) to userland when
the kernel produces coredumps after a process has crashed.
devd can then run a specific command to produce a human readable crash
report.  The command is most usually a helper that runs gdb/lldb
commands on the file/coredump pair.  It's possible to use this
functionality for implementing automatic generation of crash reports.
 
devd(8) will be notified of the full path of the binary that crashed and
the full path of the coredump file.
 
  I think this is a very useful feature and I think this is fine to be in the
  tree as-is for now.  My only note is that this is a bit of feature creep for
  devd (this isn't a device notification, this is a system event 
  notification).
  As such, I think it might be worth thinking if we (collectively) want to 
  think
  about having a separate framework at all for system event notification.  You
  could possibly publish other interesting events this way.  For example, 
  Isilon
  currently has a patch to log(9) Witness LORs.  I personally think it's a bit
  hackish and potentially unreliable.  A much nicer interface if you want to
  capture such things would be to publish an event for each logged LOR 
  instead.
  Machine checks are another example of something that might be nice to 
  publish
  (though you could possibly make the case that those would not be 
  inappropriate
  to publish via devd since actual hardware is involved).  Disk and PCI errors
  are another class of thing that it would be nice to publish in an easier to
  programmaticaly parse manner.
 
 Cool, so someone's going to add multi-subscriber support to /dev/devctl ?
 

I don't see how you get that from the foregoing at all.  Doing fan-out
in the kernel is hard, and doing it in userland is easier, so the
existing devd model could be an appropriate one to follow for a general
kernel events which are not hardware events system.

 I think devd grows these things because it's easier than teaching the
 devctl interface to support multiple listeners.

Until recently, devd only grew additional support for things which are
device-related, modulo the zfs stuff that I don't know much about.  I
was under the impression that that also was device-related in some way,
such as zfs reporting on device errors or attach/remove and things
related to that (like health of the pool(s) affected by the device
change).  Maybe the zfs stuff was the beginning of the mission creep and
still had enough of a device-related fig leaf to not look like creep.

But there's no disguising the fact that post-processing core dumps has
absolutely nothing to do with devices.

-- Ian


___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Konstantin Belousov]

On Mon, Feb 09, 2015 at 06:35:55PM -0800, Rui Paulo wrote:
 On Feb 9, 2015, at 15:28, Konstantin Belousov kostik...@gmail.com wrote:
  Arguably, there should be a knob, probably sysctl, to turn the
  functionality off. I definitely do not want this on crash boxes used for
  userspace debugging.  Even despite the example handler is inactive.
 
 OK, I can provide a sysctl knob.
Seen that, thanks.

 
  +  len = MAXPATHLEN * 2 + 5 /* comm= */ + 5 /* core= */ + 1;
  It is much cleaner to use static const char arrays for the names,
  and use sizeof() - 1 instead of hard-coding commented constants.
 
 OK.  I was trying to avoid allocating 2k on the stack.
Probably I was not clear enough.  I do not suggest to change data allocation
from malloc to automatic.  I mean
static const char comm_name[] = comm=;
and then use sizeof(comm_name) - 1 and comm_name instead of string literal.

 
  +  data = malloc(len, M_TEMP, M_NOWAIT);
  Why is this allocation M_NOWAIT ?
 
 That should be M_WAITOK.
 
  +  freepath = NULL;
  +  }
  +  if (vn_fullpath_global(td, vp, fullpath, freepath) != 0)
  +  goto out;
  +  snprintf(data, len, %s core=%s, data, fullpath);
  This is weird, and highly depends on the implementation details, supplying
  the same string as target and source.  IMO strcat(9) is enough there.
 
 OK, I'll change it to strcat.
 
 --
 Rui Paulo
 
 
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Mateusz Guzik]

On Mon, Feb 09, 2015 at 06:57:36PM -0800, Rui Paulo wrote:
 On Feb 9, 2015, at 18:43, Mateusz Guzik mjgu...@gmail.com wrote:
  
  On Mon, Feb 09, 2015 at 11:13:51PM +, Rui Paulo wrote:
  +notify 10 {
  +  match system  kernel;
  +  match subsystem   signal;
  +  match typecoredump;
  +  action logger $comm $core;
  +};
  +
  */
  
  [..]
  +  if (vn_fullpath_global(td, p-p_textvp, fullpath, freepath) != 0)
  +  goto out;
  +  snprintf(data, len, comm=%s, fullpath);
  
  I cannot test it right now, but it looks like immediate privilege
  escalation.
  
  Path is not sanitized in any way and devd passes it to 'sh -c'.
  
  So a file named a.out; /bin/id; meh or so should result in execution
  of aforementioned /bin/id.
 
 Well, you can't have a file name with / but you're right.
 

I mean the whole path. You are resolving the name along with all dirs,
so it's just a matter of some mkdirs.

  Another note is that currently devctl is record oriented, but this may
  change at some point and free form userspace text could be used to forge
  new events.
  
  As such is trongly suggest we sanitize this somehow. Maybe a base64 or
  something.
 
 I was trying hard to avoid this issue in unpublished my crash helper, but I 
 forgot that devd runs execl(sh -c, );  :-(
 
 It might just be easier to inspect the path names and allow only 
 [a-z][A-Z][0-9] and '/' before sending the devctl message.
 

I'm pretty sure sooner or later people will want something with a space,
so I would prefer a reasonably complete solution.

A hack like the one yu mention should suffice fr now though (with the
addition of a dot).

-- 
Mateusz Guzik mjguzik gmail.com
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Slawa Olhovchenkov]

On Tue, Feb 10, 2015 at 06:30:27PM +, Rui Paulo wrote:

 On Feb 10, 2015, at 07:37 AM, John Baldwin j...@freebsd.org wrote:
 That wasn't really my question. My question was if we want distinct streams 
 or if we want want unified stream. Having a unified stream might very well 
 make sense (and if so we could rename devd to make that more obvious).
 
 I'm fine with renaming devd to eventd or something else, but Ian was
 saying that he's worried about the number of notifications that devd
 has to process.  I'm not sure that's a real problem at this point,
 though.  On freefall, devd used 0.07 seconds of CPU time and has
 been running for a 1 day and a half.  On my BeagleBone, devd used
 0.61 seconds of CPU time and it has been up for 5 days and a half.  
 On my VM that has been up for 5 days and a half, it used 4 seconds
 of CPU time.  Renaming sounds like a good idea and it looks like we
 could leave the optimisations to a later time.

For common case (I am not talk about current devd implementation -- I
am don't have any inforamtion/metrics/etc) routing and processing
events may be sensitive to delay and ordering: may be exist
requirement 'delay not more then 700ns', may be exist requirement
'next event process only after complete process previos event'. And
some event handling may be very CPU/disk/etc consumption. Need to good
think over and design API and architecure.

___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Rui Paulo]

On Feb 10, 2015, at 10:52 AM, Slawa Olhovchenkov s...@zxy.spb.ru wrote:
For common case (I am not talk about current devd implementation -- I
am don't have any inforamtion/metrics/etc) routing and processing
events may be sensitive to delay and ordering: may be exist
requirement 'delay not more then 700ns', may be exist requirement
'next event process only after complete process previos event'. And
some event handling may be very CPU/disk/etc consumption. Need to good
think over and design API and architecure.
 
routing events do not come over devd (or any other /dev device): there's a 
routing socket specifically tailored for that purpose.  For that type of 
latency, you probably don't want to be crossing the kernel/userland barrier too 
often (or never).
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Rui Paulo]

On Feb 10, 2015, at 07:37 AM, John Baldwin j...@freebsd.org wrote:
That wasn't really my question. My question was if we want distinct streams 
or if we want want unified stream. Having a unified stream might very well 
make sense (and if so we could rename devd to make that more obvious).


I'm fine with renaming devd to eventd or something else, but Ian was saying 
that he's worried about the number of notifications that devd has to process.  
I'm not sure that's a real problem at this point, though.  On freefall, devd 
used 0.07 seconds of CPU time and has been running for a 1 day and a half.  On 
my BeagleBone, devd used 0.61 seconds of CPU time and it has been up for 5 days 
and a half.   On my VM that has been up for 5 days and a half, it used 4 
seconds of CPU time.  Renaming sounds like a good idea and it looks like we 
could leave the optimisations to a later time.

Another thing I had in mind (which is more work) was to abstract the devctl 
kernel code in an API which could make it easy to fan out the notifications to 
multiple /dev devices.  However, that may be overkill.
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[David Chisnall]

On 10 Feb 2015, at 18:30, Rui Paulo rpa...@me.com wrote:
 
 Another thing I had in mind (which is more work) was to abstract the devctl 
 kernel code in an API which could make it easy to fan out the notifications 
 to multiple /dev devices.  However, that may be overkill.

This kind of notification is something that kdbus is increasingly being used 
for on Linux.  The primitive allows events to originate either in the kernel or 
in userspace and to be sent either point-to-point or to a bloom filter set of 
recipients (so you occasionally get some messages you're not expecting, but 
hopefully don't get too many spurious wakeups).

David

___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Slawa Olhovchenkov]

On Tue, Feb 10, 2015 at 06:55:28PM +, Rui Paulo wrote:

 On Feb 10, 2015, at 10:52 AM, Slawa Olhovchenkov s...@zxy.spb.ru wrote:
 For common case (I am not talk about current devd implementation -- I
 am don't have any inforamtion/metrics/etc) routing and processing
 events may be sensitive to delay and ordering: may be exist
 requirement 'delay not more then 700ns', may be exist requirement
 'next event process only after complete process previos event'. And
 some event handling may be very CPU/disk/etc consumption. Need to good
 think over and design API and architecure.
  
 routing events do not come over devd (or any other /dev device):
 there's a routing socket specifically tailored for that purpose.

I am talk abot this:

nomatch 32 {
match bus uhub[0-9]+;
match mode host;
match vendor 0x03eb;
match product 0x2109;
action kldload -n uftdi;
};

  For that type of latency, you probably don't want to be crossing
 the kernel/userland barrier too often (or never).

We have action for coredump. And have action for automount (when
inserting USB disk).

Must be coredump wait for complete mounting USB disk?
For flapping USB disk need to start multiple mount script?
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[John-Mark Gurney]

John Baldwin wrote this message on Tue, Feb 10, 2015 at 10:36 -0500:
  I think devd grows these things because it's easier than teaching the
  devctl interface to support multiple listeners.
 
 That wasn't really my question.  My question was if we want distinct streams 
 or if we want want unified stream.  Having a unified stream might very well 
 make sense (and if so we could rename devd to make that more obvious).

The biggested issue that I see w/ using devd as the gateway is that
as we add more events, devd will now have to be woken up for ALL events,
even when the even has no listeners for it...  If we keep adding events,
this will be very bad for laptop battery life...

This is becoming a standard pub/sub type problem, and there is plenty
of research/programs out there that already does this...

As someone mentioned earlier, it seems like using kqueue is starting
to make more sense for this type of thing where various programs can
select what they get woken up for...

-- 
  John-Mark Gurney  Voice: +1 415 225 5579

 All that I will do, has been done, All that I have, has not.
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Ian Lepore]

On Tue, 2015-02-10 at 12:15 -0800, John-Mark Gurney wrote:
 John Baldwin wrote this message on Tue, Feb 10, 2015 at 10:36 -0500:
   I think devd grows these things because it's easier than teaching the
   devctl interface to support multiple listeners.
  
  That wasn't really my question.  My question was if we want distinct 
  streams 
  or if we want want unified stream.  Having a unified stream might very well 
  make sense (and if so we could rename devd to make that more obvious).
 
 The biggested issue that I see w/ using devd as the gateway is that
 as we add more events, devd will now have to be woken up for ALL events,
 even when the even has no listeners for it...  If we keep adding events,
 this will be very bad for laptop battery life...
 

That's similar to my worry but for our apps at $work the problem extends
to them as well... the kernel will wake up devd for lots of events it
doesn't need to process, then it fans them out to our app which also
gets woken for events that it's not interested in.  Big iron in
datacenters isn't going to have any problems with this, but embedded
systems at the low end are still somewhat cycle-sensitive.

The worrisome part is the creep.  Right now it's just crashdumps, and
that isn't going to add any overhead for $work, because our apps never
crash (::grin::).  But the floodgates are open and in a couple years
it's going to be a lot of new kinds of events and a lot of new cycles
consumed processing them in userland.

 This is becoming a standard pub/sub type problem, and there is plenty
 of research/programs out there that already does this...
 
 As someone mentioned earlier, it seems like using kqueue is starting
 to make more sense for this type of thing where various programs can
 select what they get woken up for...
 

Filtering at the source (or nearer to it) does seem to be one way to get
everything that's good about a generic event notification daemon without
all of the bad that will accumulate if we just stumble into it without a
long term vision.  I'm not as familiar with kevent specifics as I'd like
to be, so I can't say it's a ready to use off the shelf solution, but it
may be part of one.

-- Ian


___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Adrian Chadd]

On 10 February 2015 at 06:16, John Baldwin j...@freebsd.org wrote:
 On Monday, February 09, 2015 11:13:51 PM Rui Paulo wrote:
 Author: rpaulo
 Date: Mon Feb  9 23:13:50 2015
 New Revision: 278479
 URL: https://svnweb.freebsd.org/changeset/base/278479

 Log:
   Notify devd(8) when a process crashed.

   This change implements a notification (via devctl) to userland when
   the kernel produces coredumps after a process has crashed.
   devd can then run a specific command to produce a human readable crash
   report.  The command is most usually a helper that runs gdb/lldb
   commands on the file/coredump pair.  It's possible to use this
   functionality for implementing automatic generation of crash reports.

   devd(8) will be notified of the full path of the binary that crashed and
   the full path of the coredump file.

 I think this is a very useful feature and I think this is fine to be in the
 tree as-is for now.  My only note is that this is a bit of feature creep for
 devd (this isn't a device notification, this is a system event notification).
 As such, I think it might be worth thinking if we (collectively) want to think
 about having a separate framework at all for system event notification.  You
 could possibly publish other interesting events this way.  For example, Isilon
 currently has a patch to log(9) Witness LORs.  I personally think it's a bit
 hackish and potentially unreliable.  A much nicer interface if you want to
 capture such things would be to publish an event for each logged LOR instead.
 Machine checks are another example of something that might be nice to publish
 (though you could possibly make the case that those would not be inappropriate
 to publish via devd since actual hardware is involved).  Disk and PCI errors
 are another class of thing that it would be nice to publish in an easier to
 programmaticaly parse manner.

Cool, so someone's going to add multi-subscriber support to /dev/devctl ?

I think devd grows these things because it's easier than teaching the
devctl interface to support multiple listeners.




-adrian
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[John Baldwin]

On Monday, February 09, 2015 11:13:51 PM Rui Paulo wrote:
 Author: rpaulo
 Date: Mon Feb  9 23:13:50 2015
 New Revision: 278479
 URL: https://svnweb.freebsd.org/changeset/base/278479
 
 Log:
   Notify devd(8) when a process crashed.
 
   This change implements a notification (via devctl) to userland when
   the kernel produces coredumps after a process has crashed.
   devd can then run a specific command to produce a human readable crash
   report.  The command is most usually a helper that runs gdb/lldb
   commands on the file/coredump pair.  It's possible to use this
   functionality for implementing automatic generation of crash reports.
 
   devd(8) will be notified of the full path of the binary that crashed and
   the full path of the coredump file.

I think this is a very useful feature and I think this is fine to be in the 
tree as-is for now.  My only note is that this is a bit of feature creep for 
devd (this isn't a device notification, this is a system event notification).  
As such, I think it might be worth thinking if we (collectively) want to think 
about having a separate framework at all for system event notification.  You 
could possibly publish other interesting events this way.  For example, Isilon 
currently has a patch to log(9) Witness LORs.  I personally think it's a bit 
hackish and potentially unreliable.  A much nicer interface if you want to 
capture such things would be to publish an event for each logged LOR instead.  
Machine checks are another example of something that might be nice to publish 
(though you could possibly make the case that those would not be inappropriate 
to publish via devd since actual hardware is involved).  Disk and PCI errors 
are another class of thing that it would be nice to publish in an easier to 
programmaticaly parse manner.

-- 
John Baldwin
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Rui Paulo]

On Feb 9, 2015, at 15:28, Konstantin Belousov kostik...@gmail.com wrote:
 Arguably, there should be a knob, probably sysctl, to turn the
 functionality off. I definitely do not want this on crash boxes used for
 userspace debugging.  Even despite the example handler is inactive.

OK, I can provide a sysctl knob.

 +len = MAXPATHLEN * 2 + 5 /* comm= */ + 5 /* core= */ + 1;
 It is much cleaner to use static const char arrays for the names,
 and use sizeof() - 1 instead of hard-coding commented constants.

OK.  I was trying to avoid allocating 2k on the stack.

 +data = malloc(len, M_TEMP, M_NOWAIT);
 Why is this allocation M_NOWAIT ?

That should be M_WAITOK.

 +freepath = NULL;
 +}
 +if (vn_fullpath_global(td, vp, fullpath, freepath) != 0)
 +goto out;
 +snprintf(data, len, %s core=%s, data, fullpath);
 This is weird, and highly depends on the implementation details, supplying
 the same string as target and source.  IMO strcat(9) is enough there.

OK, I'll change it to strcat.

--
Rui Paulo



___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Don Lewis]

On  9 Feb, Don Lewis wrote:
 On 10 Feb, Mateusz Guzik wrote:
 On Mon, Feb 09, 2015 at 11:13:51PM +, Rui Paulo wrote:
 +notify 10 {
 +   match system  kernel;
 +   match subsystem   signal;
 +   match typecoredump;
 +   action logger $comm $core;
 +};
 +
  */
 
 [..]
 +   if (vn_fullpath_global(td, p-p_textvp, fullpath, freepath) != 0)
 +   goto out;
 +   snprintf(data, len, comm=%s, fullpath);
 
 I cannot test it right now, but it looks like immediate privilege
 escalation.
 
 Path is not sanitized in any way and devd passes it to 'sh -c'.
 
 So a file named a.out; /bin/id; meh or so should result in execution
 of aforementioned /bin/id.
 
 Then there is the issue of a user-generated core file being fed into the
 crash analyzer, possibly exploiting bugs in the latter.

Or worse, the contents of the executable, in particular the debug info,
could also be an attack vector.

___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Rui Paulo]

On Feb 9, 2015, at 18:43, Mateusz Guzik mjgu...@gmail.com wrote:
 
 On Mon, Feb 09, 2015 at 11:13:51PM +, Rui Paulo wrote:
 +notify 10 {
 +match system  kernel;
 +match subsystem   signal;
 +match typecoredump;
 +action logger $comm $core;
 +};
 +
 */
 
 [..]
 +if (vn_fullpath_global(td, p-p_textvp, fullpath, freepath) != 0)
 +goto out;
 +snprintf(data, len, comm=%s, fullpath);
 
 I cannot test it right now, but it looks like immediate privilege
 escalation.
 
 Path is not sanitized in any way and devd passes it to 'sh -c'.
 
 So a file named a.out; /bin/id; meh or so should result in execution
 of aforementioned /bin/id.

Well, you can't have a file name with / but you're right.

 Another note is that currently devctl is record oriented, but this may
 change at some point and free form userspace text could be used to forge
 new events.
 
 As such is trongly suggest we sanitize this somehow. Maybe a base64 or
 something.

I was trying hard to avoid this issue in unpublished my crash helper, but I 
forgot that devd runs execl(sh -c, );  :-(

It might just be easier to inspect the path names and allow only 
[a-z][A-Z][0-9] and '/' before sending the devctl message.

--
Rui Paulo



___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Don Lewis]

On 10 Feb, Mateusz Guzik wrote:
 On Mon, Feb 09, 2015 at 11:13:51PM +, Rui Paulo wrote:
 +notify 10 {
 +match system  kernel;
 +match subsystem   signal;
 +match typecoredump;
 +action logger $comm $core;
 +};
 +
  */
 
 [..]
 +if (vn_fullpath_global(td, p-p_textvp, fullpath, freepath) != 0)
 +goto out;
 +snprintf(data, len, comm=%s, fullpath);
 
 I cannot test it right now, but it looks like immediate privilege
 escalation.
 
 Path is not sanitized in any way and devd passes it to 'sh -c'.
 
 So a file named a.out; /bin/id; meh or so should result in execution
 of aforementioned /bin/id.

Then there is the issue of a user-generated core file being fed into the
crash analyzer, possibly exploiting bugs in the latter.

___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Rui Paulo]

On Feb 9, 2015, at 15:29, Benjamin Kaduk bjkf...@gmail.com wrote:
 The question boils down to: is the time saved by implementing it this way 
 worth the tradeoff of architectural purity.

Yes, that was a tradeoff.

--
Rui Paulo



___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Ian Lepore]

On Mon, 2015-02-09 at 18:29 -0500, Benjamin Kaduk wrote:
 On Mon, Feb 9, 2015 at 6:22 PM, Rui Paulo rpa...@me.com wrote:
 
  On Feb 09, 2015, at 03:16 PM, Benjamin Kaduk bjkf...@gmail.com wrote:
 
 
  What advantage does putting this in devd have over a standalone daemon for
  crash reporting?  Is it just the ease of implementation to leverage the
  existing infrastructure?
 
 
  Well, I want to automatically inspect all the programs that crashed in a
  given system.  I don't see how you can do that with a standalone daemon.
  Or maybe I didn't understand what you meant.
 
 
 I think you have misunderstood what I was trying to ask.
 
 We could in principle write a new daemon, call it crash-reporterd for now,
 and have the kernel notify that daemon whenever any program on the system
 crashes.  But writing the infrastructure to support that would be a bunch
 of work, and we already have devd set up to get notifications from the
 kernel, so it is much faster to implement crash reporting in devd, even
 though crashes in software have nothing to do with device changes.
 
 The question boils down to: is the time saved by implementing it this way
 worth the tradeoff of architectural purity.
 
 I don't have an opinion myself, I just want to make sure the question is
 considered.
 
 -Ben

Truth be told, it kind of bugs me.  I think adding this to devctl and
devd is inappropriate without also renaming those components to reflect
their new role, and rewriting the manpages to reflect what they actually
do now.

If you ponder for a moment what the new role seems to be (generic
notification to userland of events happening in the kernel), you end up
with names like keventd and that makes you wonder whether a new type
of knote for kevent, listened for by a new crashd app, would be better.

-- Ian


___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Benjamin Kaduk]

On Mon, Feb 9, 2015 at 6:13 PM, Rui Paulo rpa...@freebsd.org wrote:

 Author: rpaulo
 Date: Mon Feb  9 23:13:50 2015
 New Revision: 278479
 URL: https://svnweb.freebsd.org/changeset/base/278479

 Log:
   Notify devd(8) when a process crashed.

   This change implements a notification (via devctl) to userland when
   the kernel produces coredumps after a process has crashed.
   devd can then run a specific command to produce a human readable crash
   report.  The command is most usually a helper that runs gdb/lldb
   commands on the file/coredump pair.  It's possible to use this
   functionality for implementing automatic generation of crash reports.

   devd(8) will be notified of the full path of the binary that crashed and
   the full path of the coredump file.


What advantage does putting this in devd have over a standalone daemon for
crash reporting?  Is it just the ease of implementation to leverage the
existing infrastructure?

-Ben
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Rui Paulo]

On Feb 09, 2015, at 03:16 PM, Benjamin Kaduk bjkf...@gmail.com wrote:

On Mon, Feb 9, 2015 at 6:13 PM, Rui Paulo rpa...@freebsd.org wrote:
Author: rpaulo
Date: Mon Feb  9 23:13:50 2015
New Revision: 278479
URL: https://svnweb.freebsd.org/changeset/base/278479

Log:
  Notify devd(8) when a process crashed.

  This change implements a notification (via devctl) to userland when
  the kernel produces coredumps after a process has crashed.
  devd can then run a specific command to produce a human readable crash
  report.  The command is most usually a helper that runs gdb/lldb
  commands on the file/coredump pair.  It's possible to use this
  functionality for implementing automatic generation of crash reports.

  devd(8) will be notified of the full path of the binary that crashed and
  the full path of the coredump file.

What advantage does putting this in devd have over a standalone daemon for 
crash reporting?  Is it just the ease of implementation to leverage the 
existing infrastructure?
 
Well, I want to automatically inspect all the programs that crashed in a given 
system.  I don't see how you can do that with a standalone daemon.  Or maybe I 
didn't understand what you meant.
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Konstantin Belousov]

On Mon, Feb 09, 2015 at 11:13:51PM +, Rui Paulo wrote:
 Author: rpaulo
 Date: Mon Feb  9 23:13:50 2015
 New Revision: 278479
 URL: https://svnweb.freebsd.org/changeset/base/278479
 
 Log:
   Notify devd(8) when a process crashed.
   
   This change implements a notification (via devctl) to userland when
   the kernel produces coredumps after a process has crashed.
   devd can then run a specific command to produce a human readable crash
   report.  The command is most usually a helper that runs gdb/lldb
   commands on the file/coredump pair.  It's possible to use this
   functionality for implementing automatic generation of crash reports.
   
   devd(8) will be notified of the full path of the binary that crashed and
   the full path of the coredump file.
Arguably, there should be a knob, probably sysctl, to turn the
functionality off. I definitely do not want this on crash boxes used for
userspace debugging.  Even despite the example handler is inactive.

 
 Modified:
   head/etc/devd.conf
   head/sys/kern/kern_sig.c
 
 Modified: head/etc/devd.conf
 ==
 --- head/etc/devd.confMon Feb  9 23:04:30 2015(r278478)
 +++ head/etc/devd.confMon Feb  9 23:13:50 2015(r278479)
 @@ -325,4 +325,16 @@ notify 100 {
   action /usr/sbin/automount -c;
  };
  
 +# Handle userland coredumps.
 +# This commented out handler makes it possible to run an
 +# automated debugging session after the core dump is generated.
 +# Replace action with a proper coredump handler, but be aware that
 +# it will run with elevated privileges.
 +notify 10 {
 + match system  kernel;
 + match subsystem   signal;
 + match typecoredump;
 + action logger $comm $core;
 +};
 +
  */
 
 Modified: head/sys/kern/kern_sig.c
 ==
 --- head/sys/kern/kern_sig.c  Mon Feb  9 23:04:30 2015(r278478)
 +++ head/sys/kern/kern_sig.c  Mon Feb  9 23:13:50 2015(r278479)
 @@ -46,6 +46,7 @@ __FBSDID($FreeBSD$);
  #include sys/signalvar.h
  #include sys/vnode.h
  #include sys/acct.h
 +#include sys/bus.h
  #include sys/capsicum.h
  #include sys/condvar.h
  #include sys/event.h
 @@ -3237,6 +3238,9 @@ coredump(struct thread *td)
   void *rl_cookie;
   off_t limit;
   int compress;
 + char *data = NULL;
 + size_t len;
 + char *fullpath, *freepath = NULL;
  
  #ifdef COMPRESS_USER_CORES
   compress = compress_user_cores;
 @@ -3322,9 +3326,36 @@ close:
   error1 = vn_close(vp, FWRITE, cred, td);
   if (error == 0)
   error = error1;
 + else
 + goto out;
 + /*
 +  * Notify the userland helper that a process triggered a core dump.
 +  * This allows the helper to run an automated debugging session.
 +  */
 + len = MAXPATHLEN * 2 + 5 /* comm= */ + 5 /* core= */ + 1;
It is much cleaner to use static const char arrays for the names,
and use sizeof() - 1 instead of hard-coding commented constants.

 + data = malloc(len, M_TEMP, M_NOWAIT);
Why is this allocation M_NOWAIT ?

 + if (data == NULL)
 + goto out;
 + if (vn_fullpath_global(td, p-p_textvp, fullpath, freepath) != 0)
 + goto out;
 + snprintf(data, len, comm=%s, fullpath);
 + if (freepath != NULL) {
 + free(freepath, M_TEMP);
Checks for NULL pointer before free(9) are redundant.

 + freepath = NULL;
 + }
 + if (vn_fullpath_global(td, vp, fullpath, freepath) != 0)
 + goto out;
 + snprintf(data, len, %s core=%s, data, fullpath);
This is weird, and highly depends on the implementation details, supplying
the same string as target and source.  IMO strcat(9) is enough there.

 + devctl_notify(kernel, signal, coredump, data);
 + free(name, M_TEMP);
 +out:
  #ifdef AUDIT
   audit_proc_coredump(td, name, error);
  #endif
 + if (freepath != NULL)
 + free(freepath, M_TEMP);
 + if (data != NULL)
 + free(data, M_TEMP);
   free(name, M_TEMP);
   return (error);
  }
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Benjamin Kaduk]

On Mon, Feb 9, 2015 at 6:22 PM, Rui Paulo rpa...@me.com wrote:

 On Feb 09, 2015, at 03:16 PM, Benjamin Kaduk bjkf...@gmail.com wrote:


 What advantage does putting this in devd have over a standalone daemon for
 crash reporting?  Is it just the ease of implementation to leverage the
 existing infrastructure?


 Well, I want to automatically inspect all the programs that crashed in a
 given system.  I don't see how you can do that with a standalone daemon.
 Or maybe I didn't understand what you meant.


I think you have misunderstood what I was trying to ask.

We could in principle write a new daemon, call it crash-reporterd for now,
and have the kernel notify that daemon whenever any program on the system
crashes.  But writing the infrastructure to support that would be a bunch
of work, and we already have devd set up to get notifications from the
kernel, so it is much faster to implement crash reporting in devd, even
though crashes in software have nothing to do with device changes.

The question boils down to: is the time saved by implementing it this way
worth the tradeoff of architectural purity.

I don't have an opinion myself, I just want to make sure the question is
considered.

-Ben
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Mateusz Guzik]

On Mon, Feb 09, 2015 at 11:13:51PM +, Rui Paulo wrote:
 +notify 10 {
 + match system  kernel;
 + match subsystem   signal;
 + match typecoredump;
 + action logger $comm $core;
 +};
 +
  */
 
[..]
 + if (vn_fullpath_global(td, p-p_textvp, fullpath, freepath) != 0)
 + goto out;
 + snprintf(data, len, comm=%s, fullpath);

I cannot test it right now, but it looks like immediate privilege
escalation.

Path is not sanitized in any way and devd passes it to 'sh -c'.

So a file named a.out; /bin/id; meh or so should result in execution
of aforementioned /bin/id.

Another note is that currently devctl is record oriented, but this may
change at some point and free form userspace text could be used to forge
new events.

As such is trongly suggest we sanitize this somehow. Maybe a base64 or
something.

-- 
Mateusz Guzik mjguzik gmail.com
___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org

Re: svn commit: r278479 - in head: etc sys/kern

[Rui Paulo]

On Feb 9, 2015, at 19:11, Don Lewis truck...@freebsd.org wrote:
 
 On 10 Feb, Mateusz Guzik wrote:
 On Mon, Feb 09, 2015 at 11:13:51PM +, Rui Paulo wrote:
 +notify 10 {
 +   match system  kernel;
 +   match subsystem   signal;
 +   match typecoredump;
 +   action logger $comm $core;
 +};
 +
 */
 
 [..]
 +   if (vn_fullpath_global(td, p-p_textvp, fullpath, freepath) != 0)
 +   goto out;
 +   snprintf(data, len, comm=%s, fullpath);
 
 I cannot test it right now, but it looks like immediate privilege
 escalation.
 
 Path is not sanitized in any way and devd passes it to 'sh -c'.
 
 So a file named a.out; /bin/id; meh or so should result in execution
 of aforementioned /bin/id.
 
 Then there is the issue of a user-generated core file being fed into the
 crash analyzer, possibly exploiting bugs in the latter.

That's why there's a warning in devd.conf: devd will run the helper as root, so 
a proper written helper has to drop the privileges very early or be invoked by 
devd with lower privileges.  My helper just drops privileges to match the 
UID/GID of the generated core file before doing anything else.

--
Rui Paulo



___
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org