Subject: kern/36385: systrace and non-existent files
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <mxp@dynalabs.de>
List: netbsd-bugs
Date: 05/24/2007 14:45:01
>Number:         36385
>Category:       kern
>Synopsis:       Matching non-existent files in policies no longer works
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 24 14:45:01 +0000 2007
>Originator:     Michael Piotrowski
>Release:        NetBSD 3.1
>Organization:
dynalabs
>Environment:
System: NetBSD aix 3.1 NetBSD 3.1 (GENERIC.MPACPI) #0: Tue Oct 31 04:47:22 UTC 2006 builds@b0.netbsd.org:/home/builds/ab/netbsd-3-1-RELEASE/i386/200610302053Z-obj/home/builds/ab/netbsd-3-1-RELEASE/src/sys/arch/i386/compile/GENERIC.MPACPI i386
Architecture: i386
Machine: i386
>Description:
After updating from NetBSD 3.0.1 to 3.1 I noticed that some programs
are now being killed by systrace and that for others lots of "deny"
messages are being logged--while it had worked fine before.  I noticed
that this was related to the handling of non-existent filenames.
While before rules like

  netbsd-fsread: filename match "/<non-existent filename>: *" then deny[enoent]

worked, they no longer match.

It seems that this is the same issue as described in PR 32360 ("recent
changes breaks systrace fswrite").  Browsing CVS, I found that this
problem was fixed in revision 1.36.2.2 of getcwd.c, but in revision
1.36.2.3, which is used in NetBSD 3.1, exactly this change was removed.

Being unable to handle non-existent filenames correctly severely limits
the usefulness of systrace for me.

>How-To-Repeat:
Example:

- Create a systrace policy:
  $ systrace -A ls .profile

- Add the following lines to the policy:

	netbsd-fsread: filename match "/<non-existent filename>: *" then deny[enoent]
	netbsd-fsread: filename match "/tmp/foo" then deny[enoent]

  Where /tmp/foo should not exist.

- Run (/tmp/foo and /tmp/bar must not exist):
  $ systrace -a ls /tmp/foo
  ls: /tmp/foo: No such file or directory
  [mxp@aix:/home/mxp]
  $ systrace -a ls /tmp/bar
  ls: /tmp/bar: Operation not permitted

  This shows that the rule for non-existing filenames does not match.

>Fix: