On Thu, Apr 20, 2017 at 03:34:57AM -0600, Theo de Raadt wrote:
> This proposal doesn't make any sense.
> 
> What will you do.  Add it to every program?  Or add it to none of them?

hep. It is part of the problem I spotted :)

> The underlying problem is that the syscall creates a file in some
> random place.  You haven't handled that.

If the syscall profil(2) itself created the file, it would be less
painful (from a pledge point of view). The problem is that the added code
(that creates the file) when profiled is executed in userland with atexit(3).

The currently proposed code solves it by allowing an open(2) call to
"gmon.out" (a relative path, so it could be anywhere) with write/create.

I think it is bad behaviour. A controlled symlink would allow the
program to escape (pledge_namei() will see "gmon.out" and allow it, but
the real path is somewhere else). It also somehow breaks the assumption
of no-write when "wpath" or "cpath" isn't there.

That is why I asked for an alternative way.

A part of previous discussion is on this thread:
http://marc.info/?l=openbsd-tech&m=145539555307730&w=2


It could be changing the way gmon.out information is extracted from the
program, maybe using utrace(2) (allowed with "stdio"). It would be
similar to what ltrace(1) does from ld.so.

But it would mean adding some stuff in ktrace/kdump to extract
information from ktrace.out files, or a new tool like ltrace(1) but for
profiling.

The profil(2) syscall itself could be allowed in "stdio" with specific
arguments: profil(NULL, 0, 0, 0) (but some code inspection should be
done before: extending "stdio" is not neutral - think of programs like
ssh or tcpdump that rely on "stdio" for sandboxing). Only this
particular call of profil(2) is run under pledge(2): the first call is
done before calling main(), so before any pledge(2) call set up by
user code.

-- 
Sebastien Marie