Mailing List Archive

Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8)
Hi,

    With the commit below, OpenSSH portable 8.8 doesn't seem to work
with sftp on FreeBSD with RELENG_12 and RELENG_13.  sftp errors out with

sftp-server[89445]: fatal: unable to make the process untraceable

commit 2d678c5e3bdc2f5c99f7af5122e9d054925d560d
Author: David Carlier <devnexen@gmail.com>
Date:   Wed Sep 8 19:49:54 2021 +0100

    Disable tracing on FreeBSD using procctl.

    Placed at the start of platform_disable_tracing() to prevent declaration
    after code errors from strict C89 compilers (in the unlikely event that
    more than one method is enabled).

I opened a PR with the port maintainer

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259174

    ---Mike

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Fri, 15 Oct 2021 at 10:48, mike tancsa <mike@sentex.net> wrote:
> With the commit below, OpenSSH portable 8.8 doesn't seem to work
> with sftp on FreeBSD with RELENG_12 and RELENG_13. sftp errors out with
>
> sftp-server[89445]: fatal: unable to make the process untraceable

As a data point, our GitHub CI tests on FreeBSD 12 & 13 VMs and our
test suite passes on them. I have confirmed that both set
HAVE_PROCCTL and that the code is being compiled in and just run a
manual test on 13 which worked.

FreeBSD fbsd12 12.2-RELEASE-p3 FreeBSD 12.2-RELEASE-p3 GENERIC amd64

FreeBSD fbsd13 13.0-RELEASE FreeBSD 13.0-RELEASE #0
releng/13.0-n244733-ea31abc261f: Fri Apr 9 04:24:09 UTC 2021
root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
amd64

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Fri, 15 Oct 2021 at 11:44, Darren Tucker <dtucker@dtucker.net> wrote:
[...]
> As a data point, our GitHub CI tests on FreeBSD 12 & 13 VMs and our
> test suite passes on them. I have confirmed that both set
> HAVE_PROCCTL and that the code is being compiled in and just run a
> manual test on 13 which worked.

I just patched the VM images (usually the VMs are ephemeral) and it
also passed on those:

FreeBSD fbsd12 12.2-RELEASE-p7 FreeBSD 12.2-RELEASE-p7 GENERIC amd64

FreeBSD fbsd13 13.0-RELEASE-p4 FreeBSD 13.0-RELEASE-p4 #0: Tue Aug 24
07:33:27 UTC 2021
root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
amd64

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On 10/14/2021 8:44 PM, Darren Tucker wrote:
> On Fri, 15 Oct 2021 at 10:48, mike tancsa <mike@sentex.net> wrote:
>> With the commit below, OpenSSH portable 8.8 doesn't seem to work
>> with sftp on FreeBSD with RELENG_12 and RELENG_13. sftp errors out with
>>
>> sftp-server[89445]: fatal: unable to make the process untraceable
> As a data point, our GitHub CI tests on FreeBSD 12 & 13 VMs and our
> test suite passes on them. I have confirmed that both set
> HAVE_PROCCTL and that the code is being compiled in and just run a
> manual test on 13 which worked.
>
Thanks, I am not sure why it's failing on these particular instances. I
tried just now on a separate box that has not had a previous version
installed and it doesn't show the same behaviour. I will keep looking to
see what's going on.

    ---Mike

Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Fri, 15 Oct 2021 at 12:37, mike tancsa <mike@sentex.net> wrote:
> Thanks, I am not sure why it's failing on these particular instances. I
> tried just now on a separate box that has not had a previous version
> installed and it doesn't show the same behaviour. I will keep looking to
> see what's going on.

Did you start from a point where tracing is already disabled? I could
imagine the second attempt to disable it failing because it was
already disabled.

If nothing else we should at least include the errno in the message
when it fails:
https://github.com/openssh/openssh-portable/commit/fff13aaa262b7b3ec83ed21e29674cbf331780a7

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On 10/14/2021 9:45 PM, Darren Tucker wrote:
> Did you start from a point where tracing is already disabled? I could
> imagine the second attempt to disable it failing because it was
> already disabled.
>
> If nothing else we should at least include the errno in the message
> when it fails:
> https://github.com/openssh/openssh-portable/commit/fff13aaa262b7b3ec83ed21e29674cbf331780a7

Building now, but I need to include string.h, no?

On my RELENG_12 box (which is a jail)

Oct 14 22:03:04 internal-sftp[20149]: fatal: unable to make the process
untraceable: No such process


    ---Mike


Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Fri, 15 Oct 2021 at 13:04, mike tancsa <mike@sentex.net> wrote:
[...]
> Building now, but I need to include string.h, no?

That or stdio.h, depends on platform. I noticed the warning and just
added both.

> On my RELENG_12 box (which is a jail)
>
> Oct 14 22:03:04 internal-sftp[20149]: fatal: unable to make the process
> untraceable: No such process

I'm not sure how jails change the rules, the FreeBSD folks would need
to weigh in.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On 10/14/2021 10:04 PM, mike tancsa wrote:
> On 10/14/2021 9:45 PM, Darren Tucker wrote:
>> Did you start from a point where tracing is already disabled? I could
>> imagine the second attempt to disable it failing because it was
>> already disabled.
>>
>> If nothing else we should at least include the errno in the message
>> when it fails:
>> https://github.com/openssh/openssh-portable/commit/fff13aaa262b7b3ec83ed21e29674cbf331780a7
>>
>
> Building now, but I need to include string.h, no?
>
> On my RELENG_12 box (which is a jail)
>
> Oct 14 22:03:04 internal-sftp[20149]: fatal: unable to make the
> process untraceable: No such process
>
OK, I think it's related to these settings. On my RELENG_13 box, if I set
these vals, the sftp fails

sftp-server[22121]: fatal: unable to make the process untraceable: No
such process

sysctl -w security.bsd.see_other_uids=0
sysctl -w security.bsd.see_other_gids=0

    ---Mike

Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Fri, 15 Oct 2021 at 13:15, mike tancsa <mike@sentex.net> wrote:
[...]
> OK, I think it's related to these settings. On my RELENG_13 box, if I set
> these vals, the sftp fails
>
> sftp-server[22121]: fatal: unable to make the process untraceable: No
> such process
>
> sysctl -w security.bsd.see_other_uids=0
> sysctl -w security.bsd.see_other_gids=0

The call is:
procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace)

The second argument is PID, presumably pid 0 is an alias for its own
pid although the man page does not mention this. Does it work if you
replace the 0 with getpid() ?

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On 10/14/2021 10:32 PM, Darren Tucker wrote:
> On Fri, 15 Oct 2021 at 13:15, mike tancsa <mike@sentex.net> wrote:
> [...]
>> OK, I think it's related to these settings. On my RELENG_13 box, if I set
>> these vals, the sftp fails
>>
>> sftp-server[22121]: fatal: unable to make the process untraceable: No
>> such process
>>
>> sysctl -w security.bsd.see_other_uids=0
>> sysctl -w security.bsd.see_other_gids=0
> The call is:
> procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace)
>
> The second argument is PID, presumably pid 0 is an alias for its own
> pid although the man page does not mention this. Does it work if you
> replace the 0 with getpid() ?

Thanks Darren! That seems to fix it both in my jailed instance on
RELENG_12 as well as on a couple of RELENG_13 boxes I tested on. I
tested with the attached diff against what was in the portable tarball.
I am not sure including the pid in the fatal error message is safe or
not, but I put it in there but it never got to that stage in my testing.

    ---Mike
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On 10/14/2021 5:44 PM, Darren Tucker wrote:
> On Fri, 15 Oct 2021 at 10:48, mike tancsa <mike@sentex.net> wrote:
>> With the commit below, OpenSSH portable 8.8 doesn't seem to work
>> with sftp on FreeBSD with RELENG_12 and RELENG_13. sftp errors out with
>>
>> sftp-server[89445]: fatal: unable to make the process untraceable
>
> As a data point, our GitHub CI tests on FreeBSD 12 & 13 VMs and our
> test suite passes on them. I have confirmed that both set
> HAVE_PROCCTL and that the code is being compiled in and just run a
> manual test on 13 which worked.
>
> FreeBSD fbsd12 12.2-RELEASE-p3 FreeBSD 12.2-RELEASE-p3 GENERIC amd64
>
> FreeBSD fbsd13 13.0-RELEASE FreeBSD 13.0-RELEASE #0
> releng/13.0-n244733-ea31abc261f: Fri Apr 9 04:24:09 UTC 2021
> root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
> amd64
>

I think the tests may need to be improved as pid==0 represents a pseudo
kernel process.

> #include <sys/procctl.h>
> #include <err.h>
> #include <unistd.h>
>
> int
> main(void)
> {
>     int disable_trace = PROC_TRACE_CTL_DISABLE;
>
>     if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace))
>         err(1, "procctl");
>
>     return 0;
> }

With 0 it runs through truss fine. (Which I don't think it should but
I'll take that up with FreeBSD)

> procctl(P_PID,0,PROC_TRACE_CTL,0x7fffffffe478) = 0 (0x0)


With getpid() truss gives an error since the process is already traced.

> getpid() = 77976 (0x13098)
> procctl(P_PID,77976,PROC_TRACE_CTL,0x7fffffffe478) ERR#16 'Device busy'



--
Bryan Drewery
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Fri, 15 Oct 2021 at 13:07, Bryan Drewery <bdrewery@freebsd.org> wrote:
>
> I think the tests may need to be improved as pid==0 represents a pseudo
> kernel process.

This is being fixed, but for compatibility with existing versions
getpid() should indeed be used.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Tue, 19 Oct 2021 at 13:40, Ed Maste <emaste@freebsd.org> wrote:
>
> On Fri, 15 Oct 2021 at 13:07, Bryan Drewery <bdrewery@freebsd.org> wrote:
> >
> > I think the tests may need to be improved as pid==0 represents a pseudo
> > kernel process.
>
> This is being fixed, but for compatibility with existing versions
> getpid() should indeed be used.

This was fixed in FreeBSD by f833ab9dd187 but the procctl call should
be changed in openssh.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Tue, 19 Oct 2021 at 13:40, Ed Maste <emaste@freebsd.org> wrote:
>
> On Fri, 15 Oct 2021 at 13:07, Bryan Drewery <bdrewery@freebsd.org> wrote:
> >
> > I think the tests may need to be improved as pid==0 represents a pseudo
> > kernel process.
>
> This is being fixed, but for compatibility with existing versions
> getpid() should indeed be used.

This fix is still outstanding:

Fix tracing disable on FreeBSD

Some versions of FreeBSD do not support using id 0 to refer to the
current pid for procctl, so pass getpid() explicitly.

--- a/platform-tracing.c
+++ b/platform-tracing.c
@@ -32,6 +32,7 @@
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
+#include <unistd.h>

#include "log.h"

@@ -42,7 +43,7 @@ platform_disable_tracing(int strict)
/* On FreeBSD, we should make this process untraceable */
int disable_trace = PROC_TRACE_CTL_DISABLE;

- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
fatal("unable to make the process untraceable: %s",
strerror(errno));
#endif
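
Review bot: the `+` line in this second hunk drops the id 0 call outright instead of keeping it as the first attempt. The description above says only that some FreeBSD versions reject id 0, so it is worth confirming that getpid() is accepted everywhere 0 is; if that cannot be shown, call procctl with 0 first and retry with getpid() before the `strict` check, so that kernels where 0 works keep their current behaviour.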
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Sat, 5 Nov 2022 at 20:41, Darren Tucker <dtucker@dtucker.net> wrote:
>
> Thanks for following up.
>
> On Sun, 6 Nov 2022 at 05:34, Ed Maste <emaste@freebsd.org> wrote:
> [...]
> > - if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
> > + if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)
>
> You seem to be making the exact opposite change in your stable branches?
> https://github.com/freebsd/freebsd-src/commit/b5b1a69
>
> Is the situation that "0" only works on fixed kernels, but "getpid()"
> works on all (albeit not optimally)?

That is correct. In the FreeBSD stable branches we know we're also
building a kernel which allows 0 instead of getpid(), but I imagine
that there are some people who will build a contemporary OpenSSH on
older FreeBSD versions.

We could add a test based on __FreeBSD_version or see if it could be
handled by autoconf, if you think it's worthwhile.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
Thanks for following up.

On Sun, 6 Nov 2022 at 05:34, Ed Maste <emaste@freebsd.org> wrote:
[...]
> - if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
> + if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) && strict)

You seem to be making the exact opposite change in your stable branches?
https://github.com/freebsd/freebsd-src/commit/b5b1a69

Is the situation that "0" only works on fixed kernels, but "getpid()"
works on all (albeit not optimally)?


--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Sun, 6 Nov 2022 at 11:54, Ed Maste <emaste@freebsd.org> wrote:
> On Sat, 5 Nov 2022 at 20:41, Darren Tucker <dtucker@dtucker.net> wrote:
[...]
> > Is the situation that "0" only works on fixed kernels, but "getpid()"
> > works on all (albeit not optimally)?
>
> That is correct. In the FreeBSD stable branches we know we're also
> building a kernel which allows 0 instead of getpid(), but I imagine
> that there are some people who will build a contemporary OpenSSH on
> older FreeBSD versions.
>
> We could add a test based on __FreeBSD_version or see if it could be
> handled by autoconf, if you think it's worthwhile.

It's runtime behaviour so autoconf or compile-time checks are not a
good fit (eg you could build it on a kernel with one behaviour then
upgrade the kernel to one with different behaviour). My concern is
about this part of the commit comment:

"""
At present if the security.bsd.unprivileged_proc_debug sysctl is 0 then
procctl(P_PID, getpid(), ... for a process to act on itself will fail,
but procctl(P_PID, 0, ... will succeed. This should likely be addressed
with a kernel change.
"""

which seems to say that the getpid() version will fail in
circumstances where the "0" version will succeed.

Maybe it should try the "0" version, then if that fails try the
getpid() version and only then fail if "strict" is set?

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Sat, 5 Nov 2022 at 21:02, Darren Tucker <dtucker@dtucker.net> wrote:
>
> Maybe it should try the "0" version, then if that fails try the
> getpid() version and only then fail if "strict" is set?

Ah, yes that sounds like the way to do it, and with no extra overhead
for the usual (recent kernel) case. Something like this?

diff --git a/platform-tracing.c b/platform-tracing.c
index c2810f2d0..1c2105363 100644
--- a/platform-tracing.c
+++ b/platform-tracing.c
@@ -32,6 +32,7 @@
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
+#include <unistd.h>

#include "log.h"

@@ -42,7 +43,12 @@ platform_disable_tracing(int strict)
/* On FreeBSD, we should make this process untraceable */
int disable_trace = PROC_TRACE_CTL_DISABLE;

- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
+ if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) == 0)
+ return;
+ /* Old FreeBSD versions do not accept 0 as current PID */
+ if (procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) == 0)
+ return;
+ if (strict)
fatal("unable to make the process untraceable: %s",
strerror(errno));
#endif
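
Review bot: the two added `== 0` tests assume procctl returns exactly 0 on success. The failure path already reports `strerror(errno)`, so it relies on the -1/errno convention; testing each call for `== -1` would match that and avoid depending on the success value. When both calls fail, the message also carries only the errno left by the getpid() attempt, so saving the errno of the id 0 attempt would make the log more useful.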
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Sun, Nov 06, 2022 at 09:34:05AM -0500, Ed Maste wrote:
> On Sat, 5 Nov 2022 at 21:02, Darren Tucker <dtucker@dtucker.net> wrote:
> >
> > Maybe it should try the "0" version, then if that fails try the
> > getpid() version and only then fail if "strict" is set?
>
> Ah, yes that sounds like the way to do it, and with no extra overhead
> for the usual (recent kernel) case. Something like this?

I had something similar but a bit more compact and commented. Does this
also work?

diff --git a/platform-tracing.c b/platform-tracing.c
index c2810f2d..a8ce078b 100644
--- a/platform-tracing.c
+++ b/platform-tracing.c
@@ -32,6 +32,7 @@
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
+#include <unistd.h>

#include "log.h"

@@ -39,10 +40,16 @@ void
platform_disable_tracing(int strict)
{
#if defined(HAVE_PROCCTL) && defined(PROC_TRACE_CTL)
- /* On FreeBSD, we should make this process untraceable */
+ /*
+ * On FreeBSD, we should make this process untraceable.
+ * pid=0 means "this process" and but some older kernels do not
+ * understand that, so retry with our own pid before failing.
+ */
int disable_trace = PROC_TRACE_CTL_DISABLE;

- if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
+ if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) == -1 &&
+ procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) == -1 &&
+ strict)
fatal("unable to make the process untraceable: %s",
strerror(errno));
#endif
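
Review bot: the added comment line `pid=0 means "this process" and but some older kernels do not` has a stray "and" that should be dropped. In the condition, `strict` is tested last, so when it is 0 a failure of both procctl calls is discarded without any log; a debug-level message on that path would make such failures visible.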

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
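
The retry order this thread converged on (id 0 first, then getpid(), failing only if both fail), written as an added example; it is not code from OpenSSH or from any poster. The `trace_ctl_fn` callback, `struct trace_result` and the three `sim_*` kernels are hypothetical stand-ins constructed so the logic also runs off FreeBSD, and unlike the patch it keeps the errno of both attempts.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/procctl.h>
#endif

/* One attempt to disable tracing of `id`: 0 on success, -1 with errno set. */
typedef int (*trace_ctl_fn)(pid_t id);

struct trace_result {
    int ok;          /* 1 if either attempt succeeded */
    int used_getpid; /* 1 if the explicit-pid retry is what succeeded */
    int err_id0;     /* errno of the id 0 attempt (0 if it succeeded) */
    int err_pid;     /* errno of the getpid() retry (0 if unused or ok) */
};

/* Try id 0, then our own pid; keep both errnos so a log line can show them. */
static struct trace_result disable_tracing(trace_ctl_fn ctl, pid_t self)
{
    struct trace_result r = { 0, 0, 0, 0 };
    if (ctl(0) != -1) {          /* only the -1 failure value is documented */
        r.ok = 1;
        return r;
    }
    r.err_id0 = errno;
    if (ctl(self) != -1) {
        r.ok = r.used_getpid = 1;
        return r;
    }
    r.err_pid = errno;
    return r;
}

#ifdef __FreeBSD__
/* The real call, with the arguments quoted in the thread. */
static int freebsd_ctl(pid_t id)
{
    int disable_trace = PROC_TRACE_CTL_DISABLE;
    return procctl(P_PID, id, PROC_TRACE_CTL, &disable_trace);
}
#endif

#define SIM_SELF ((pid_t)4242) /* hypothetical pid for the simulations */

/* Constructed: kernel that rejects id 0 with ESRCH but accepts the pid. */
static int sim_old_kernel(pid_t id)
{
    return id != 0 ? 0 : (errno = ESRCH, -1);
}

/* Constructed: id 0 accepted, explicit pid refused (EPERM is assumed). */
static int sim_restricted(pid_t id)
{
    return id == 0 ? 0 : (errno = EPERM, -1);
}

/* Constructed: both forms fail, as for an already traced process (EBUSY). */
static int sim_traced(pid_t id)
{
    return (void)id, errno = EBUSY, -1;
}

static void report(const char *name, struct trace_result r)
{
    printf("%-14s ok=%d used_getpid=%d", name, r.ok, r.used_getpid);
    printf(" id0=%s", r.err_id0 ? strerror(r.err_id0) : "-");
    printf(" pid=%s\n", r.err_pid ? strerror(r.err_pid) : "-");
}

int main(void)
{
    report("old kernel", disable_tracing(sim_old_kernel, SIM_SELF));
    report("restricted", disable_tracing(sim_restricted, SIM_SELF));
    report("already traced", disable_tracing(sim_traced, SIM_SELF));
#ifdef __FreeBSD__
    report("this host", disable_tracing(freebsd_ctl, getpid()));
#endif
    return 0;
}
```

On FreeBSD the last line reports what the running kernel does; elsewhere only the simulated kernels run.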
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Sun, 6 Nov 2022 at 15:14, Darren Tucker <dtucker@dtucker.net> wrote:
>
> I had something similar but a bit more compact and commented. Does this
> also work?
>
> diff --git a/platform-tracing.c b/platform-tracing.c
> index c2810f2d..a8ce078b 100644
> --- a/platform-tracing.c
> +++ b/platform-tracing.c
> @@ -32,6 +32,7 @@
> #include <stdarg.h>
> #include <stdio.h>
> #include <string.h>
> +#include <unistd.h>
>
> #include "log.h"
>
> @@ -39,10 +40,16 @@ void
> platform_disable_tracing(int strict)
> {
> #if defined(HAVE_PROCCTL) && defined(PROC_TRACE_CTL)
> - /* On FreeBSD, we should make this process untraceable */
> + /*
> + * On FreeBSD, we should make this process untraceable.
> + * pid=0 means "this process" and but some older kernels do not
> + * understand that, so retry with our own pid before failing.
> + */
> int disable_trace = PROC_TRACE_CTL_DISABLE;
>
> - if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) && strict)
> + if (procctl(P_PID, 0, PROC_TRACE_CTL, &disable_trace) == -1 &&
> + procctl(P_PID, getpid(), PROC_TRACE_CTL, &disable_trace) == -1 &&
> + strict)
> fatal("unable to make the process untraceable: %s",
> strerror(errno));
> #endif

Looks good to me, even if I think the multi-stage short-circuit is a
little less clear.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Sun, Nov 06, 2022 at 04:25:43PM -0500, Ed Maste wrote:
[...]
> Looks good to me, even if I think the multi-stage short-circuit is a
> little less clear.

It reads ok to me but I don't feel strongly either way.

In your diff, you check for it returning 0, however I note that the
procctl(2) man page does not specify what is returned on success in
the RETURN VALUES section (nor in the PROC_TRACE_CTL section or any
other place I can see):

"""
RETURN VALUES
If an error occurs, a value of -1 is returned and errno is set to
indicate the error.
"""

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Mon, 7 Nov 2022 at 09:13, Darren Tucker <dtucker@dtucker.net> wrote:
[...]
> It reads ok to me but I don't feel strongly either way.

I applied your code with my comment. Thanks for the report, please
let me know if there's anything further to be done with this.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Sun, 6 Nov 2022 at 19:03, Darren Tucker <dtucker@dtucker.net> wrote:
>
> On Mon, 7 Nov 2022 at 09:13, Darren Tucker <dtucker@dtucker.net> wrote:
> [...]
> > It reads ok to me but I don't feel strongly either way.
>
> I applied your code with my comment. Thanks for the report, please
> let me know if there's anything further to be done with this.

Thanks, this is all done.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Mon, 7 Nov 2022 at 12:59, Ed Maste <emaste@freebsd.org> wrote:
>
> On Sun, 6 Nov 2022 at 19:03, Darren Tucker <dtucker@dtucker.net> wrote:
> >
> > On Mon, 7 Nov 2022 at 09:13, Darren Tucker <dtucker@dtucker.net> wrote:
> > [...]
> > > It reads ok to me but I don't feel strongly either way.
> >
> > I applied your code with my comment. Thanks for the report, please
> > let me know if there's anything further to be done with this.
>
> Thanks, this is all done.

Oh, almost all done. I merged this change into FreeBSD for diff
reduction, and got a reply with a little nit about the comment:
+ * pid=0 means "this process" and but some older kernels do not
"and" should be dropped.
Re: Disable tracing on FreeBSD using procctl. (OpenSSH Portable 8.8) [ In reply to ]
On Wed, 9 Nov 2022 at 05:34, Ed Maste <emaste@freebsd.org> wrote:
[...]
> + * pid=0 means "this process" and but some older kernels do not
> "and" should be dropped.

Fixed, thanks.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.