From: Justin Cormack
Newsgroups: gmane.linux.lib.musl.general
Subject: unexpected syscall failures
Date: Tue, 16 Apr 2013 09:02:31 +0100
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com

I noticed that in some places we assume some system calls will not fail, one example being in nice that I was looking at the other day, but there are others:

    return setpriority(PRIO_PROCESS, 0, getpriority(PRIO_PROCESS, 0)+inc);

Now in Linux you can use security frameworks (eg type 2 seccomp) to make any system call fail. Do we want to program defensively around these cases? (In the case of seccomp I think most people use it to abort the program not error, but you can).

I am inclined to think that if someone makes getpid fail they deserve anything they get. I can't see any security issues, just some potentially confusing behaviour, eg here nice might succeed (but set errno) if getpriority fails. But testing does have downsides.

Justin
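The failure mode raised in the message above, as an added example that is not part of the original message or of musl's code: the quoted pattern beside a variant that checks getpriority through errno. The get_fn/set_fn hooks and the stub functions are hypothetical, introduced so a denied syscall can be simulated without installing a seccomp filter; both variants return setpriority's result, as the quoted line does.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>

/* Hypothetical hooks: let a denied syscall be simulated without a seccomp filter. */
typedef int (*get_fn)(void);
typedef int (*set_fn)(int prio);

static int real_get(void)     { return getpriority(PRIO_PROCESS, 0); }
static int real_set(int prio) { return setpriority(PRIO_PROCESS, 0, prio); }

/* Constructed stub: what the caller sees when a filter fails the call with EPERM. */
static int denied_get(void) { errno = EPERM; return -1; }
/* Constructed stub: a process whose priority really is -1 (errno untouched). */
static int minus_one_get(void) { return -1; }

static int set_calls, last_prio;
static int recording_set(int prio) { set_calls++; last_prio = prio; return 0; }

/* Pattern quoted in the message: the -1 error return is used as a priority. */
static int nice_unchecked(int inc, get_fn get, set_fn set)
{
    return set(get() + inc);
}

/* Checked variant: -1 is a valid priority, so errno is the only error signal. */
static int nice_checked(int inc, get_fn get, set_fn set)
{
    errno = 0;
    int prio = get();
    if (prio == -1 && errno != 0)
        return -1;              /* errno still holds getpriority's error */
    return set(prio + inc);
}

int main(void)
{
    int r = nice_unchecked(5, denied_get, recording_set);
    printf("unchecked: ret=%d errno=%d requested=%d\n", r, errno, last_prio);
    r = nice_checked(5, denied_get, recording_set);
    printf("checked:   ret=%d errno=%d set_calls=%d\n", r, errno, set_calls);
    r = nice_checked(1, minus_one_get, recording_set);   /* genuine -1 priority */
    printf("minus one: ret=%d requested=%d\n", r, last_prio);
    r = nice_checked(0, real_get, real_set);   /* real syscalls, priority unchanged */
    printf("real:      ret=%d\n", r);
    return 0;
}
```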