NetBSD Problem Report #40002

From www@NetBSD.org  Sat Nov 22 08:34:14 2008
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 40C5763BD2D
	for <gnats-bugs@gnats.netbsd.org>; Sat, 22 Nov 2008 08:34:14 +0000 (UTC)
Message-Id: <20081122083413.E947363B11D@narn.NetBSD.org>
Date: Sat, 22 Nov 2008 08:34:13 +0000 (UTC)
From: shinden@linux.pl
Reply-To: shinden@linux.pl
To: gnats-bugs@NetBSD.org
Subject: sockstat doesn't work for user with sysctl security.curtain=1
X-Send-Pr-Version: www-1.0

>Number:         40002
>Category:       kern
>Synopsis:       sockstat doesn't work for user with sysctl security.curtain=1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Nov 22 08:35:00 +0000 2008
>Closed-Date:    Sun Dec 14 23:21:10 +0000 2008
>Last-Modified:  Sun Dec 14 23:21:10 +0000 2008
>Originator:     Daniel Horecki
>Release:        5.0BETA, CURRENT
>Organization:
>Environment:
NetBSD tatooine.stars 5.99.02 NetBSD 5.99.02 (TATOOINE) #2: Tue Nov 18 22:36:45 CET 2008  sh@tatooine.stars:/home/sh/src/obj/sys/arch/i386/compile/TATOOINE i386
>Description:
If security.curtain is enabled, sockstat won't display sockets belonging only to that user, but only an error.

sh@tatooine:~/ > sudo sysctl -w security.curtain=1
security.curtain: 0 -> 1
sh@tatooine:~/ > sockstat 
sockstat: sysctl: Operation not permitted
sh@tatooine:~/ > sudo sysctl -w security.curtain=0
security.curtain: 1 -> 0
sh@tatooine:~/ > sockstat                         
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
sh       dbus-launc 96     3 stream -                     /tmp/.X11-unix/X0
sh       dbus-launc 96     5 stream -                     /tmp/.X11-unix/X0
[...]


>How-To-Repeat:
sysctl -w security.curtain=1
as user:
sockstat

>Fix:

>Release-Note:

>Audit-Trail:
From: "Elad Efrat" <elad@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: re: kern/40002
Date: Fri, 28 Nov 2008 15:56:24 +0200

 ------=_Part_72918_27388076.1227880584108
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline

 Seems like we're continuing the loop, but not resetting the error
 value, so it "leaked" to userspace.

 The attached patch should fix it, let me know.

 Thanks,

 -e.

 ------=_Part_72918_27388076.1227880584108
 Content-Type: application/octet-stream; name=pr40002.diff
 Content-Transfer-Encoding: base64
 X-Attachment-Id: f_fo2wdzvl0
 Content-Disposition: attachment; filename=pr40002.diff

 SW5kZXg6IGluaXRfc3lzY3RsLmMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09
 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQpSQ1MgZmlsZTogL3Vzci9jdnMvc3JjL3N5
 cy9rZXJuL2luaXRfc3lzY3RsLmMsdgpyZXRyaWV2aW5nIHJldmlzaW9uIDEuMTUwCmRpZmYgLXUg
 LXAgLXIxLjE1MCBpbml0X3N5c2N0bC5jCi0tLSBpbml0X3N5c2N0bC5jCTEyIE5vdiAyMDA4IDE0
 OjMyOjM0IC0wMDAwCTEuMTUwCisrKyBpbml0X3N5c2N0bC5jCTI4IE5vdiAyMDA4IDA2OjA5OjAx
 IC0wMDAwCkBAIC0yMDU4LDYgKzIwNTgsMTEgQEAgc3lzY3RsX2tlcm5fZmlsZTIoU1lTQ1RMRk5f
 QVJHUykKIAkJCSAgICBOVUxMLCBOVUxMKTsKIAkJCW11dGV4X2V4aXQocC0+cF9sb2NrKTsKIAkJ
 CWlmIChlcnJvciAhPSAwKSB7CisJCQkJLyoKKwkJCQkgKiBEb24ndCBsZWFrIGthdXRoIHJldHZh
 bCBpZiB3ZSdyZSBzaWxlbnRseQorCQkJCSAqIHNraXBwaW5nIHRoaXMgZW50cnkuCisJCQkJICov
 CisJCQkJZXJyb3IgPSAwOwogCQkJCWNvbnRpbnVlOwogCQkJfQogCg==
 ------=_Part_72918_27388076.1227880584108--

From: Elad Efrat <elad@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/40002 CVS commit: src/sys/kern
Date: Fri, 28 Nov 2008 18:58:59 +0000 (UTC)

 Module Name:	src
 Committed By:	elad
 Date:		Fri Nov 28 18:58:59 UTC 2008

 Modified Files:
 	src/sys/kern: init_sysctl.c

 Log Message:
 PR/40002: Daniel Horecki: sockstat doesn't work for user with sysctl
     security.curtain=1

 If the kauth call failed, we'd silently continue the loop, but the error
 code would remain and eventually "leak" to userspace. Reset the error to
 zero when continuing.

 Tested by snj@ and myself. Okay snj@.


 To generate a diff of this commit:
 cvs rdiff -r1.150 -r1.151 src/sys/kern/init_sysctl.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Manuel Bouyer <bouyer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/40002 CVS commit: [netbsd-5] src/sys/kern
Date: Sat, 29 Nov 2008 20:51:06 +0000 (UTC)

 Module Name:	src
 Committed By:	bouyer
 Date:		Sat Nov 29 20:51:06 UTC 2008

 Modified Files:
 	src/sys/kern [netbsd-5]: init_sysctl.c

 Log Message:
 Pull up following revision(s) (requested by elad in ticket #140):
 	sys/kern/init_sysctl.c: revision 1.151
 PR/40002: Daniel Horecki: sockstat doesn't work for user with sysctl
     security.curtain=1
 If the kauth call failed, we'd silently continue the loop, but the error
 code would remain and eventually "leak" to userspace. Reset the error to
 zero when continuing.
 Tested by snj@ and myself. Okay snj@.


 To generate a diff of this commit:
 cvs rdiff -r1.149 -r1.149.4.1 src/sys/kern/init_sysctl.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Daniel Horecki <shinden@linux.pl>
To: gnats-bugs@NetBSD.org
Cc: elad@netbsd.org, kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
 netbsd-bugs@netbsd.org
Subject: Re: kern/40002
Date: Sun, 14 Dec 2008 10:13:29 +0100

 Je Fri, 28 Nov 2008 14:00:07 +0000 (UTC) "Elad Efrat" <elad@netbsd.org>
 scribis:

 > The following reply was made to PR kern/40002; it has been noted by
 > GNATS.
 > 
 > From: "Elad Efrat" <elad@netbsd.org>
 > To: gnats-bugs@netbsd.org
 > Cc: 
 > Subject: re: kern/40002
 > Date: Fri, 28 Nov 2008 15:56:24 +0200
 > 
 > ------=_Part_72918_27388076.1227880584108
 > Content-Type: text/plain; charset=ISO-8859-1
 > Content-Transfer-Encoding: 7bit
 > Content-Disposition: inline
 >  
 > Seems like we're continuing the loop, but not resetting the error
 > value, so it "leaked" to userspace.
 >  
 > The attached patch should fix it, let me know.
 > 
 > Thanks,
 > 

 It works now with current and 5.0. Thanks!

 Daniel

 -- 
 Daniel Horecki
 http://morr.pl http://linux.pl http://netbsd.pl
 HAIL ERIS!

State-Changed-From-To: open->closed
State-Changed-By: elad@NetBSD.org
State-Changed-When: Sun, 14 Dec 2008 23:21:10 +0000
State-Changed-Why:
Fixed and pulled up to netbsd-5. Thanks for the report!



>Unformatted:
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.