Re: remove kevent perm check
That seems a bit excessive to crash the program when all you may want to do is track the exit of a child. Does the pledge proc flag dictate that you can't do wait() as well?
Re: remove kevent perm check
Theo de Raadt wrote:
> > > > I think we should remove the check. It doesn't make sense, and it's
> > > > different
> > > > from other systems using kqueue. (I also had to work around it in
> > > > rebound,
> > > > where some code could be organized better if it weren't for the need to
> > > > call
> > > > kevent before switching IDs.)
> > >
> > > FreeBSD has process visibility controls and checks them in this
> > > location. We don't have any such controls, so removing that chunk
> > > should be fine. OK millert@
> >
> > Unless we have someone who wants to go down that road...
>
> Or, should this specific bit be disallowed if pledge'd, but lacking "proc"?
That is consistent.
Index: kern_event.c
===
RCS file: /cvs/src/sys/kern/kern_event.c,v
retrieving revision 1.71
diff -u -p -r1.71 kern_event.c
--- kern_event.c6 Jan 2016 17:58:46 - 1.71
+++ kern_event.c12 May 2016 17:32:05 -
@@ -32,6 +32,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -211,6 +212,10 @@ filt_procattach(struct knote *kn)
{
struct process *pr;
+ if ((curproc->p_p->ps_flags & PS_PLEDGE) &&
+ (curproc->p_p->ps_pledge & PLEDGE_PROC) == 0)
+ return pledge_fail(curproc, EPERM, PLEDGE_PROC);
+
pr = prfind(kn->kn_id);
if (pr == NULL)
return (ESRCH);
@@ -218,15 +223,6 @@ filt_procattach(struct knote *kn)
/* exiting processes can't be specified */
if (pr->ps_flags & PS_EXITING)
return (ESRCH);
-
- /*
-* Fail if it's not owned by you, or the last exec gave us
-* setuid/setgid privs (unless you're root).
-*/
- if (pr != curproc->p_p &&
- (pr->ps_ucred->cr_ruid != curproc->p_ucred->cr_ruid ||
- (pr->ps_flags & PS_SUGID)) && suser(curproc, 0) != 0)
- return (EACCES);
kn->kn_ptr.p_process = pr;
kn->kn_flags |= EV_CLEAR; /* automatically set */
Re: remove kevent perm check
> > > I think we should remove the check. It doesn't make sense, and it's > > > different > > > from other systems using kqueue. (I also had to work around it in rebound, > > > where some code could be organized better if it weren't for the need to > > > call > > > kevent before switching IDs.) > > > > FreeBSD has process visibility controls and checks them in this > > location. We don't have any such controls, so removing that chunk > > should be fine. OK millert@ > > Unless we have someone who wants to go down that road... Or, should this specific bit be disallowed if pledge'd, but lacking "proc"?
Re: remove kevent perm check
> > I think we should remove the check. It doesn't make sense, and it's > > different > > from other systems using kqueue. (I also had to work around it in rebound, > > where some code could be organized better if it weren't for the need to call > > kevent before switching IDs.) > > FreeBSD has process visibility controls and checks them in this > location. We don't have any such controls, so removing that chunk > should be fine. OK millert@ Unless we have someone who wants to go down that road...
Re: remove kevent perm check
On Thu, 12 May 2016 12:07:43 -0400, "Ted Unangst" wrote: > I think we should remove the check. It doesn't make sense, and it's different > from other systems using kqueue. (I also had to work around it in rebound, > where some code could be organized better if it weren't for the need to call > kevent before switching IDs.) FreeBSD has process visibility controls and checks them in this location. We don't have any such controls, so removing that chunk should be fine. OK millert@ - todd
