netpgp_unsetvar
netpgp_list_keys_json
netpgp_match_keys
netpgp_match_keys_json
netpgp_match_pubkeys
netpgp_validate_sigs
netpgp_format_json
Remove netpgp_match_list_keys() as function does not exist
Add missing output file to netpgp_verify_file() argument list
Sprinkle const to arguments
Added:
- traceme_pid1_parent
Assert that a process cannot mark its parent a debugger twice
- traceme_twice
Verify that PT_TRACE_ME is not allowed when our parent is PID1
All tests pass.
Sponsored by <The NetBSD Foundation>
You can't say to the parent of a process to start tracing if:
(1) the parent is initproc,
(2) the child is already traced.
Rationale:
(1) - It has a side effect of being an anti-debugger functionality,
as we cannot kill initproc (PID1) and reset the traced flag.
- initproc is not a debugger, raising debugging events from a child
to initproc can result in at least a stopped/hanging process
in the system.
(2) - It does not make sense to be simultaneously traced by two debuggers.
- It does not make sense to be traced twice by the same debugger.
Permit enabling tracing for a parent that has been chroot(8)ed, as this is
harmless and the parent is already monitoring for child signals.
The same semantics exist in FreeBSD.
If you are looking for an antidebugging trick for old NetBSD (pre 8.0)
or other popular kernels, here is an example:
$ cat antidebug.c
#include <sys/types.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

int
main(int argc, char **argv)
{
	pid_t child;
	int rv;
	int n = 0;

	child = fork();
	if (child == 0) {
		/* Spin until the original parent exits and we are reparented to PID 1. */
		while (getppid() != 1)
			continue;

		/* Mark the new parent (initproc) as our tracer. */
		rv = ptrace(PT_TRACE_ME, 0, 0, 0);
		if (rv != 0)
			abort();

		printf("Try to detach to me with a debugger!! ");
		printf("haha My PID is %d\n", getpid());

		while (1) {
			printf("%d\n", n++);
			sleep(1);
		}
	}

	/* The parent exits immediately, orphaning the child. */
	exit(0);
}
A developer is no longer able to attach GDB, strace or LLDB to this program
without killing the initproc (your favourite system daemon). This action
would be fatal for the stability of the whole Operating System.
Examples from a current non-NetBSD popular kernel:
$ ps -o ppid= -p 17904
1
$ strace -p 17904
strace: attach: ptrace(PTRACE_SEIZE, 17904): Operation not permitted
$ gdb -p 17904
[...]
Attaching to process 17904
warning: process 17904 is already traced by process 1
ptrace: Operation not permitted.
(gdb)
$ lldb-3.9 -p 17904
(lldb) process attach --pid 17904
error: attach failed: unable to attach
On NetBSD 8.0 and newer it is now guaranteed to have an option to kill
a malevolent (fake?) debugger and attach with a new tracer to the process.
Sponsored by <The NetBSD Foundation>
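
Added example, not part of the commit message above: a triage check for the "already traced by process 1" state shown in the gdb output, assuming a Linux-style /proc/<pid>/status with PPid and TracerPid fields. The sample text and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample, shaped like /proc/<pid>/status for the case above. */
static const char SAMPLE_STATUS[] =
    "Name:\tantidebug\n"
    "Pid:\t17904\n"
    "PPid:\t1\n"
    "TracerPid:\t1\n";

/* Return the number after "key:" on the line starting with key, or -1. */
static long status_field(const char *text, const char *key)
{
    size_t klen = strlen(key);
    const char *line = text;

    while (line != NULL && *line != '\0') {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':')
            return strtol(line + klen + 1, NULL, 10);
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return -1;
}

enum trace_state { NOT_TRACED, TRACED, TRACED_BY_INIT, UNKNOWN };

/* A tracer of PID 1 means no real debugger holds the process. */
static enum trace_state classify(const char *text)
{
    long tracer = status_field(text, "TracerPid");

    if (tracer < 0)
        return UNKNOWN;
    if (tracer == 0)
        return NOT_TRACED;
    return tracer == 1 ? TRACED_BY_INIT : TRACED;
}

int main(void)
{
    static const char *names[] = {
        "not traced", "traced", "traced by PID 1 (attach will fail)", "unknown" };
    printf("pid %ld ppid %ld: %s\n", status_field(SAMPLE_STATUS, "Pid"),
        status_field(SAMPLE_STATUS, "PPid"), names[classify(SAMPLE_STATUS)]);
    return 0;
}
```

On a live system, pass the contents of /proc/<pid>/status instead of the embedded sample.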
This test checks raise(SIGKILL). If we enter the kernel with this signal
we report a signaled child in a debugger, not stopped with an option to
make an action.
FreeBSD behaves differently and allows intercepting this event in a tracer.
Follow the Linux behavior.
If we really want to prevent raise(SIGKILL) from signaling the tracee, we
still can breakpoint raise(3) and alter the syscall arguments (or use
the PT_SYSCALL mode). If we are already in the kernel, SIGKILL always means
killing the process, whether or not traced and the source of SIGKILL.
This test passes on NetBSD without kernel changes.
Sponsored by <The NetBSD Foundation>
armgic_cpu_update_priorities().
Previously only the first 32 lines were covered, which is significantly
less than the 1000-some interrupt lines possible.
Only relevant to MULTIPROCESSOR configurations.
Replace traceme3 with new ATF tests using diverse signals:
- traceme_signal_nohandler1 SIGKILL
- traceme_signal_nohandler2 SIGSTOP (temporarily disabled)
- traceme_signal_nohandler3 SIGABRT (emits core dump)
- traceme_signal_nohandler4 SIGHUP
- traceme_signal_nohandler5 SIGCONT
The SIGSTOP test does not work properly right now as it unstops the
tracee.
Sponsored by <The NetBSD Foundation>
here use the given 'flags' argument, and not M_DONTWAIT.
We have a problem with several drivers: they poll an mbuf chain from their
queues and call m_defrag on them, but m_defrag could update the mbuf
pointer, so the mbuf in the queue is no longer valid. It is not easy to
fix each driver, because doing pop+push will reorder the queue, and we
don't really want that to happen.
This problem was independently spotted by me, Kengo, Masanobu, and other
people too it seems (perhaps PR/53218).
Now m_defrag leaves the first mbuf in place, and compresses the chain
only starting from the second mbuf in the chain.
It is important not to compress the first mbuf with hacks, because the
storage of this first mbuf may be shared with other mbufs.
Replace traceme2 with 3 tests:
- traceme_sighandler_catch1
- traceme_sighandler_catch2
- traceme_sighandler_catch3
These tests are verified with PT_TRACE_ME for: SIGHUP, SIGCONT and SIGABRT.
We don't want to test all signals (this is a domain for a fuzzer), but we want
to cover tests with signals from different groups.
All tests pass.
Sponsored by <The NetBSD Foundation>
Use common code for these tests and a macro 1-liner to define a new test.
Test the same scenarios for 5 signals:
- SIGKILL (temporarily disabled)
- SIGSTOP
- SIGABRT
- SIGHUP
- SIGCONT
These tests call: raise(sig). It's actually important to assert their
behavior for tests that are from different kinds.
The SIGKILL test is work in progress. It can be caught by a debugger on the
FreeBSD kernel, but it's causing a signaled event in a debugger on Linux.
NetBSD is right now in one of the camps, but research whether this is a bug
or feature is in progress.
Sponsored by <The NetBSD Foundation>