Re: Correct way of calling prctl(2) (was: Sashimi of prctl(2))

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[Adding linux-api@]

On Tue, May 28, 2024 at 11:24:13AM GMT, Alejandro Colomar wrote:
> [Adding libc-alpha@ for some doubts]
> 
> Hi!
> 
> On Sun, May 26, 2024 at 01:27:43PM GMT, Alejandro Colomar wrote:
> > On Sun, May 26, 2024 at 01:07:24PM GMT, Alejandro Colomar wrote:
> > > I'm considering making sashimi of prctl(2), similar to what I did
> > > recently to proc(5).  Another precedent is in ioctl(2).
> 
> I'll call the pages with names such as PR_CAP_AMBIENT(2const) and
> PR_CAP_AMBIENT_RAISE(2const).
> 
> While doing that, I changed the prototypes in the SYNOPSIS to things
> like
> 
>      int prctl(PR_CAP_AMBIENT, unsigned long op, ...);
> 
> and
> 
>      int prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, unsigned long cap, 0, 0);
> 
> Which makes me wonder.  glibc implements prctl(2) as a variadic
> function, so those 0s are actually of type (and more importantly of
> width) 'int'.  This means a user passing 0 is leaving some parameters
> uninitialized.
> 
> From what I can see, glibc does no magic to set unspecified parameters
> to 0, so this means passing '0' results in Undefined Behavior.
> 
> I guess I should document these as 0L in the SYNOPSIS.
> 
>      int prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, unsigned long cap, 0L, 0L);
> 
> All of the software I've seen out there using prctl(2) either pass 0 (as
> the manual page had been suggesting), such as in shadow:
> <https://github.com/shadow-maint/shadow/blob/71e28359d12491727b2e94c71d2e1e1682d45a02/lib/idmapping.c#L161>
> 
> 	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
> 
> or don't pass anything at all (coreutils does this):
> <https://git.savannah.gnu.org/cgit/coreutils.git/tree/src/timeout.c#n449>
> 
> 	if (prctl (PR_SET_DUMPABLE, 0) == 0)
> 
> Am I missing something or are all of those calls buggy?
> 
> Some prctl(2) calls report EINVAL when the unused arguments are nonzero,
> while others simply ignore it, so maybe I can document the ones ignoring
> the unused arguments as shorter calls:
> 
>      int prctl(PR_SET_DUMPABLE, unsigned long dumpable);
> 
> And document the ones that report errors as using 0L:
> 
>      int prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, unsigned long cap, 0, 0);
> 
> (BTW, util-linux seems to have this one wrong:)
> 
> <https://sources.debian.org/src/util-linux/2.40.1-2/lib/caputils.c/?hl=123#L123>
> 
> 	&& prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0)

And another problem is the definition of PR_CAP_AMBIENT_RAISE (and
similar macros), which are defined as ints:

$ grepc PR_CAP_AMBIENT_RAISE /usr/include/
/usr/include/linux/prctl.h:# define PR_CAP_AMBIENT_RAISE		2

but they should be defined as unsigned longs.  (This is a Linux UAPI
problem.)

> 
> What do you think about this?
> 
> Have a lovely day!
> Alex

-- 
<https://www.alejandro-colomar.es/>

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [Kernel Documentation]     [Netdev]     [Linux Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux