Theo Buehler wrote:
> While playing with Daniel Micay's malloc patches, I ran into a lot of
> pledge aborts since pledge("stdio") disallows raise(3) and abort(3).
> That's because raise sends the signal to 'pid + THREAD_PID_OFFSET' instead
> of the pid itself. The first sentence of the comment and the logic are
> taken from kern_sig.c.
I think this may be too tight. Intra-process signalling should be allowed, not
just killing self. I think the test should be
if (pid == 0 || pid == p->p_pid || pid > THREAD_PID_OFFSET)
There are checks in kern_sig.c that any thread signal must be in the same
process.
>
> Index: /sys/kern/kern_pledge.c
> ===================================================================
> RCS file: /var/cvs/src/sys/kern/kern_pledge.c,v
> retrieving revision 1.97
> diff -u -p -r1.97 kern_pledge.c
> --- /sys/kern/kern_pledge.c 1 Nov 2015 19:03:33 -0000 1.97
> +++ /sys/kern/kern_pledge.c 2 Nov 2015 10:24:35 -0000
> @@ -1355,7 +1355,13 @@ pledge_kill(struct proc *p, pid_t pid)
> return 0;
> if (p->p_p->ps_pledge & PLEDGE_PROC)
> return 0;
> - if (pid == 0 || pid == p->p_pid)
> + /*
> + * If the target pid is > THREAD_PID_OFFSET then this
> + * must be a kill of another thread in the same process.
> + * This allows raise(3) and abort(3).
> + */
> + if (pid == 0 || p->p_pid == (pid > THREAD_PID_OFFSET ?
> + pid - THREAD_PID_OFFSET : pid))
> return 0;
> return pledge_fail(p, EPERM, PLEDGE_PROC);
> }
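Review bot: the new test only admits a thread id that maps back to the caller's own p_pid, so it covers raise(3) and abort(3) on the calling thread but still refuses a signal aimed at any other thread of the same process, yet the comment above it describes the branch as "a kill of another thread in the same process". Either narrow the comment to self-signalling or, as the reply proposes, relax the test to `pid == 0 || pid == p->p_pid || pid > THREAD_PID_OFFSET` and leave the same-process restriction to kern_sig.c, which already rejects a thread target that belongs to another process.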
>
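A userland model of the two pledge_kill() filters discussed above, added here as an example and not OpenBSD kernel code: the structs, the THREAD_PID_OFFSET value, the thread table and the ids are constructed stand-ins, and kill_permitted() models the same-process check that the reply attributes to kern_sig.c.

```c
/* Userland model of the two pledge_kill() filters in this thread (added
 * example, not OpenBSD kernel code; structs, ids and offset are stand-ins). */
#include <stdbool.h>
#include <sys/types.h>

#define THREAD_PID_OFFSET 100000		/* assumed for the model */
#define NTHREADS 3

struct process { int id; };
struct proc { pid_t p_pid; struct process *p_p; };

/* Constructed table: two threads in process A, one thread in process B. */
static struct process proc_a = { 1 }, proc_b = { 2 };
static struct proc threads[NTHREADS] = {
	{ 1234, &proc_a }, { 5678, &proc_a }, { 9012, &proc_b },
};

/* Filter from the diff: a tid passes only if it is the caller's own. */
static bool
pledge_allows_patch(const struct proc *p, pid_t pid)
{
	return pid == 0 || p->p_pid ==
	    (pid > THREAD_PID_OFFSET ? pid - THREAD_PID_OFFSET : pid);
}

/* Filter from the reply: any thread-directed id passes pledge. */
static bool
pledge_allows_reply(const struct proc *p, pid_t pid)
{
	return pid == 0 || pid == p->p_pid || pid > THREAD_PID_OFFSET;
}

/*
 * pledge filter followed by the same-process check the reply attributes
 * to kern_sig.c: a thread target must resolve to the caller's process.
 */
static bool
kill_permitted(const struct proc *p, pid_t pid,
    bool (*pledge_ok)(const struct proc *, pid_t))
{
	if (!pledge_ok(p, pid))
		return false;
	if (pid <= THREAD_PID_OFFSET)
		return true;
	for (int i = 0; i < NTHREADS; i++)
		if (threads[i].p_pid == pid - THREAD_PID_OFFSET)
			return threads[i].p_p == p->p_p;
	return false;			/* no such thread */
}
```

Calling kill_permitted() with the diff's filter shows raise(3) on the caller's own tid getting through while a sibling thread's tid is refused; with the reply's filter the sibling is allowed and a tid from another process is still stopped by the same-process check.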