Re: I386 jail on amd64 CURRENT core dump in libc?

From: Jilles Tjoelker <jilles@stack.nl>
Date: Wed, 4 Sep 2013 23:46:44 +0200
On Wed, Sep 04, 2013 at 12:14:03AM +0300, Konstantin Belousov wrote:
> On Tue, Sep 03, 2013 at 08:25:29PM +0300, Vitalij Satanivskij wrote:
> > KB> 
> > KB> Your installed libraries do not have proper debugging symbols.
> > KB> Since the issue seems to be in the compat32 layer, you may try to start
> > KB> with taking the ktrace of the failing program and see what syscall failed,
> > KB> if any.

> > For me the problem was gone after disabling

> > options         CAPABILITY_MODE         # Capsicum capability mode
> > options         CAPABILITIES            # Capsicum capabilities

> > in the kernel conf.

> > I found it when rolling the system back to previous revisions.

> > On r254268 uniq inside the i386 jail says "unable to limit rights for "

> > So I decided to check without the Capsicum features...

> Then the ktrace output would be esp. useful.  Anyway, this is probably
> cap_rights_limit(2) compat32 issue.  Pawel may know more.

cap_rights_limit(2) should have been fixed in r254491, so options
CAPABILITIES should be OK (I have not tested such a kernel though).

However, capability mode does not work with compat32. There is no
sys/compat32/capabilities.conf (also, such a file would be poorly
maintainable), and therefore capability mode does not permit any
compat32 system calls. As a result, a compat32 capability mode process
crashes after failing to invoke sys_exit.

The below patch ('make sysent' should be run in sys/compat/freebsd32
after patching) makes the kernel admit that it does not support
capability mode for compat32. This does not help if a 64-bit binary
enters capability mode and then executes a 32-bit binary using
fexecve(2) but otherwise it helps. It makes compat32 dhclient and uniq
work again, albeit without Capsicum security enhancements.

Making capability mode work for compat32 binaries would be better but if
it is not possible for 10.0 then something like this patch should be
committed.

Index: sys/compat/freebsd32/freebsd32_capability.c
===================================================================
--- sys/compat/freebsd32/freebsd32_capability.c	(revision 255093)
+++ sys/compat/freebsd32/freebsd32_capability.c	(working copy)
_at__at_ -50,6 +50,18 _at__at_
 MALLOC_DECLARE(M_FILECAPS);
 
 int
+freebsd32_cap_enter(struct thread *td,
+    struct freebsd32_cap_enter_args *uap)
+{
+
+	/*
+	 * We do not have an equivalent of capabilities.conf for freebsd32
+	 * compatibility, so do not allow capability mode for now.
+	 */
+	return (ENOSYS);
+}
+
+int
 freebsd32_cap_rights_limit(struct thread *td,
     struct freebsd32_cap_rights_limit_args *uap)
 {
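Review bot: The errno returned by freebsd32_cap_enter is load-bearing and the comment should say so: the cover text says this stub makes compat32 dhclient and uniq work again, which only holds because those callers treat ENOSYS from cap_enter() as "Capsicum absent, continue unsandboxed"; a later change to EOPNOTSUPP or EPERM would silently turn the stub into a fatal error for them. The comment would also be the right place to record the gap the cover text admits, namely that a 64-bit process already in capability mode which fexecve(2)s a 32-bit image never goes through this entry and still ends up with no permitted system calls.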
_at__at_ -148,6 +160,14 _at__at_
 #else /* !CAPABILITIES */
 
 int
+freebsd32_cap_enter(struct thread *td,
+    struct freebsd32_cap_enter_args *uap)
+{
+
+	return (ENOSYS);
+}
+
+int
 freebsd32_cap_rights_limit(struct thread *td,
     struct freebsd32_cap_rights_limit_args *uap)
 {
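Review bot: The !CAPABILITIES definition of freebsd32_cap_enter is byte-for-byte the same as the CAPABILITIES one above apart from the comment (both return ENOSYS unconditionally), so the stub does not actually depend on the option and could be defined once outside the #ifdef to keep the two copies from drifting apart. If the split is kept deliberately to mirror the existing layout of freebsd32_cap_rights_limit, a one-line comment saying so would spare the next reader the comparison.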
Index: sys/compat/freebsd32/syscalls.master
===================================================================
--- sys/compat/freebsd32/syscalls.master	(revision 255093)
+++ sys/compat/freebsd32/syscalls.master	(working copy)
_at__at_ -973,7 +973,7 _at__at_
 514	AUE_CAP_NEW	NOPROTO	{ int cap_new(int fd, uint64_t rights); }
 515	AUE_CAP_RIGHTS_GET	NOPROTO	{ int cap_rights_get(int fd, \
 				    uint64_t *rightsp); }
-516	AUE_CAP_ENTER	NOPROTO	{ int cap_enter(void); }
+516	AUE_CAP_ENTER	STD	{ int freebsd32_cap_enter(void); }
 517	AUE_CAP_GETMODE	NOPROTO	{ int cap_getmode(u_int *modep); }
 518	AUE_PDFORK	NOPROTO	{ int pdfork(int *fdp, int flags); }
 519	AUE_PDKILL	NOPROTO	{ int pdkill(int fd, int signum); }
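Review bot: Entry 516 is switched from NOPROTO cap_enter to STD freebsd32_cap_enter, but the files that 'make sysent' regenerates from syscalls.master (sysent table, prototypes, syscall name table) are not in the diff; the cover text asks the committer to run it by hand, and the committed change should include the regenerated output so the tree builds without that manual step. The audit event AUE_CAP_ENTER is kept on the new line, which is correct. Entry 517 cap_getmode stays NOPROTO, which is consistent: a compat32 process can still ask for its mode and will correctly be told it is not in capability mode.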

-- 
Jilles Tjoelker
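The patch makes a 32-bit cap_enter(2) fail with ENOSYS, and the message relies on dhclient and uniq then continuing unsandboxed. That only works if the caller distinguishes ENOSYS ("the facility is not there") from every other errno ("the sandbox was requested but could not be applied"), which is what the quoted "unable to limit rights for" error path suggests uniq does for other errno values. The program below is an added example, not code from this thread nor from FreeBSD's uniq or dhclient, showing that convention in the caller. The `sandbox_status` enum, the `try_enter_capability_mode` and `sandbox_status_name` helpers and the `fake_cap_enter_*` stand-ins are constructed for the demonstration; the real cap_enter(2) and the ECAPMODE check in main are only compiled on FreeBSD, where the program can be run both on a kernel with options CAPABILITIES and on one without to see the two outcomes.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>	/* cap_enter(2) */
#include <fcntl.h>		/* open(2), to show ECAPMODE once sandboxed */
#include <unistd.h>
#endif

/* Outcome of trying to put the process into capability mode. */
enum sandbox_status {
	SANDBOX_ENTERED,	/* cap_enter() succeeded; Capsicum is enforcing */
	SANDBOX_UNAVAILABLE,	/* cap_enter() failed with ENOSYS; run unsandboxed */
	SANDBOX_ERROR		/* any other errno; the caller should treat it as fatal */
};

/*
 * Policy used by Capsicum-aware FreeBSD utilities: a sandboxing call that
 * fails with ENOSYS means the facility is absent (kernel built without
 * options CAPABILITIES, or the compat32 stub from the patch in this thread),
 * so the program continues without the sandbox.  Any other errno is a real
 * failure.  The syscall is taken as a function pointer so the policy can be
 * exercised with constructed stand-ins where <sys/capsicum.h> does not exist.
 */
enum sandbox_status
try_enter_capability_mode(int (*enter)(void))
{

	errno = 0;
	if (enter() == 0)
		return (SANDBOX_ENTERED);
	if (errno == ENOSYS)
		return (SANDBOX_UNAVAILABLE);
	return (SANDBOX_ERROR);
}

/* Human-readable label for logging the decision. */
const char *
sandbox_status_name(enum sandbox_status st)
{

	switch (st) {
	case SANDBOX_ENTERED:
		return ("entered capability mode");
	case SANDBOX_UNAVAILABLE:
		return ("Capsicum unavailable, running unsandboxed");
	default:
		return ("cap_enter failed");
	}
}

/* Constructed stand-ins for cap_enter(2): the three outcomes a caller sees. */
int fake_cap_enter_ok(void)     { return (0); }
int fake_cap_enter_enosys(void) { errno = ENOSYS; return (-1); }
int fake_cap_enter_eperm(void)  { errno = EPERM;  return (-1); }

int
main(void)
{
	enum sandbox_status st;

#ifdef __FreeBSD__
	st = try_enter_capability_mode(cap_enter);
	printf("%s\n", sandbox_status_name(st));
	if (st == SANDBOX_ERROR) {
		fprintf(stderr, "cap_enter: %s\n", strerror(errno));
		return (1);
	}
	if (st == SANDBOX_ENTERED) {
		/* In capability mode, global-namespace operations fail with ECAPMODE. */
		if (open("/etc/passwd", O_RDONLY) == -1)
			printf("open(\"/etc/passwd\") after cap_enter: %s\n",
			    strerror(errno));
	}
#else
	/* No Capsicum on this host: exercise the policy against the stand-ins. */
	st = try_enter_capability_mode(fake_cap_enter_enosys);
	printf("stub returning ENOSYS: %s\n", sandbox_status_name(st));
	st = try_enter_capability_mode(fake_cap_enter_eperm);
	printf("stub returning EPERM: %s\n", sandbox_status_name(st));
#endif
	return (0);
}
```

The function-pointer indirection is only there so the policy can be tested without a Capsicum kernel; in a real utility the call is simply `try_enter_capability_mode(cap_enter)` and the same ENOSYS-versus-anything-else split is applied to each cap_rights_limit(2) call on the descriptors the program keeps open.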
Received on Wed Sep 04 2013 - 19:47:02 UTC
