Subject: Re: systrace problems
To: None <current-users@netbsd.org>
From: Jeff <jeff@delnoch.net>
List: current-users
Date: 12/23/2005 09:15:27
On Thu, Dec 22, 2005 at 01:03:17PM -0500, Jeff wrote:
> I recently upgraded a number of systems from ~3.99.5 to 3.99.14, one
> of the side effects was that my systrace policies no longer worked.
>
> I am getting errors such as:
>
> systrace: deny user: ntpd, prog: /usr/sbin/ntpd, pid: 442(0)[791],
> policy: /usr/sbin/ntpd, filters: 98, syscall: netbsd-fswrite(5),
> filename: /<non-existent filename>: /var/db/ntp.drift.TEMP
>
> my policy permits fswrite of the aforementioned file, however to be
> certain I tried:
>
> > systrace -A touch bah
> touch: bah: Permission denied
>
> ktrace shows
> 9742 touch CALL __stat30(0xbfbfe976,0xbfbfe7a4)
> 9742 touch NAMI "bah"
> 9742 touch RET __stat30 -1 errno 2 No such file or directory
> 9742 touch CALL open(0xbfbfe976,0x201,0x1b6)
> 9742 touch NAMI "/<non-existent filename>: bah"
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> this seems clearly wrong
>
> Unfortunately I cannot point to the exact change(s) that caused this,
> but I am willing to provide any information/run tests as needed.
>
> This is also filed as PR bin/32360
>
This has been fixed by the following commit:
Module Name: src
Committed By: elad
Date: Thu Dec 22 23:29:23 UTC 2005
Modified Files:
src/lib/libc/gen: getcwd.c
Log Message:
Allow last component to be non-existing again. I broke this behavior
for no apparent good reason in revision 1.39.
This is what broke systrace's filename normalization.
Go back to original behavior as in revision 1.35: return resolved
name, but also set errno to ENOENT.
To generate a diff of this commit:
cvs rdiff -r1.40 -r1.41 src/lib/libc/gen/getcwd.c