Theo Buehler wrote:
> While playing with Daniel Micay's malloc patches, I ran into a lot of
> pledge aborts since pledge("stdio") disallows raise(3) and abort(3).
> That's because raise sends the to 'pid + THREAD_PID_OFFSET' instead
> of the pid itself. The first sentence of the comment and the logic is
> taken from kern_sig.c.

I think this may be too tight. Intra-process signalling should be
allowed, not just killing self.

I think the test should be

	if (pid == 0 || pid == p->p_pid || pid > THREAD_PID_OFFSET)

There are checks in kern_sig.c that any thread signal must be in the
same process.

> > Index: /sys/kern/kern_pledge.c > =================================================================== > RCS file: /var/cvs/src/sys/kern/kern_pledge.c,v > retrieving revision 1.97 > diff -u -p -r1.97 kern_pledge.c > --- /sys/kern/kern_pledge.c 1 Nov 2015 19:03:33 -0000 1.97 > +++ /sys/kern/kern_pledge.c 2 Nov 2015 10:24:35 -0000 > @@ -1355,7 +1355,13 @@ pledge_kill(struct proc *p, pid_t pid) > return 0; > if (p->p_p->ps_pledge & PLEDGE_PROC) > return 0; > - if (pid == 0 || pid == p->p_pid) > + /* > + * If the target pid is > THREAD_PID_OFFSET then this > + * must be a kill of another thread in the same process. > + * This allows raise(3) and abort(3). > + */ > + if (pid == 0 || p->p_pid == (pid > THREAD_PID_OFFSET ? > + pid - THREAD_PID_OFFSET : pid)) > return 0; > return pledge_fail(p, EPERM, PLEDGE_PROC); > } >
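
Review bot: The added comment and the new condition in pledge_kill() disagree. The comment says a target above THREAD_PID_OFFSET "must be a kill of another thread in the same process", but the test `p->p_pid == (pid > THREAD_PID_OFFSET ? pid - THREAD_PID_OFFSET : pid)` only returns 0 when the offset-stripped target equals p->p_pid, so any other target above THREAD_PID_OFFSET still reaches pledge_fail(p, EPERM, PLEDGE_PROC). Either reword the comment to say that only a signal to the caller itself is permitted without PLEDGE_PROC, or, if signalling other threads is the intent, make the condition express that and name in the comment the kern_sig.c check that keeps such a target inside the same process, since this function does not verify it. Splitting the ternary out into a local variable would also make the permitted cases easier to audit than the comparison wrapped across two lines.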