Re: "Abort trap" when pledge()d and compiled with -pg

2016-02-13 Thread Sebastien Marie
On Sat, Feb 13, 2016 at 09:10:30PM -0800, Philip Guenther wrote:
> On Sat, Feb 13, 2016 at 12:31 PM, Michal Mazurek  wrote:
> > When compiling a program that calls pledge(2) with "-pg" the resulting
> > binary will execute seemingly fine, but at the very end die with:
> > Abort trap (core dumped)
> > I think the problem lies in a call to profil(2).
> >
> > Is this a bug or a feature?
> 
> Seems like a bug.  _mcleanup() is invoked via the atexit() in gcrt0.o
> (c.f. lib/csu/crt0.c)
 
I would say "feature" instead of bug :)

In fact, I don't think a pledged program should not be profiled...
Profiling is for development code, and pledge is more for
production-code.

If profiling is needed, pledge(2) should be disabled:

1. by commenting the pledge(2) call

2. by adding `#define pledge(pr,pa) 0' after unistd.h include

3. by passing -D'pledge(pr,pa)=_nopledge' as compiler option (but I
am unsure if it makes use of an uninitialized variable or if the compiler
initializes it to 0 on its own).


Eventually is it acceptable to provide an unistd.h that masks pledge(2)
(and issue a #warning) when compiling with -pg ?


> Fixing things so this works will require at least two things:
>  1) pledge will need to always permit profil(NULL,0,0,0) for the
> moncontrol(0) performed by _mcleanup()
>  2) pledge will need to permit opening and writing to "gmon.out"
> (ignore the $PROFDIR stuff) if and only if profil() had been used.
> 
> (The fallback code to use setitimer() if sysctl() fails seems
> pointless: when would that fail and setitimer() succeed?)

For having a profiled program pledged, it would need parts of:
  - "stdio" : issetugid(), getpid(), write(), close(), munmap()
  - "cpath" : open(O_CREAT)
and profil(2)

It is doable if we require at least "stdio" for profiling to work. Else
it is too intrusive (it requires all previous syscalls to be declared
PLEDGE_ALWAYS in the `pledge_syscalls' array, and having a `pledge_profil'
call in each of them).


Additionally, ignoring the $PROFDIR stuff would be more complex:
userland has no way to know whether the running program is pledged or not.


-- 
Sebastien Marie
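
As an added illustration (not code from this thread or from OpenBSD), option 2 above can be turned into a build-time switch, so the same source stays pledged in normal builds and is unpledged only in profiling builds. `PROFILING`, `PLEDGE_MASKED`, `enter_sandbox` and `checksum` are hypothetical names; the stub is also applied off OpenBSD so the file compiles on systems without pledge(2).

```c
/*
 * Build (PROFILING is a hypothetical macro you pass yourself next to -pg):
 *   cc -o demo demo.c                   pledged build
 *   cc -pg -DPROFILING -o demo demo.c   profiled build, pledge masked
 */
#include <stdio.h>
#include <unistd.h>

#if defined(PROFILING) || !defined(__OpenBSD__)
/* Option 2 from the thread: after <unistd.h>, turn pledge() into a
 * constant 0 so the profiling cleanup run at exit is not killed. */
#define pledge(pr, pa) 0
#define PLEDGE_MASKED 1
#else
#define PLEDGE_MASKED 0
#endif

/* Returns 0 on success (or when masked), -1 if pledge(2) failed. */
int
enter_sandbox(void)
{
	if (pledge("stdio", NULL) == -1) {
		perror("pledge");
		return -1;
	}
	if (PLEDGE_MASKED)
		fprintf(stderr, "warning: pledge(2) is masked in this build\n");
	return 0;
}

/* Stand-in workload that needs nothing beyond "stdio". */
unsigned long
checksum(const char *s)
{
	unsigned long h = 5381;

	while (*s)
		h = h * 33 + (unsigned char)*s++;
	return h;
}

int
main(void)
{
	if (enter_sandbox() == -1)
		return 1;
	printf("%lu\n", checksum("constructed sample input"));
	return 0;	/* with -pg, _mcleanup() runs after this via atexit() */
}
```

The runtime warning keeps a masked build from being mistaken for a production one.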



Re: "Abort trap" when pledge()d and compiled with -pg

2016-02-13 Thread Philip Guenther
On Sat, Feb 13, 2016 at 12:31 PM, Michal Mazurek  wrote:
> When compiling a program that calls pledge(2) with "-pg" the resulting
> binary will execute seemingly fine, but at the very end die with:
> Abort trap (core dumped)
> I think the problem lies in a call to profil(2).
>
> Is this a bug or a feature?

Seems like a bug.  _mcleanup() is invoked via the atexit() in gcrt0.o
(c.f. lib/csu/crt0.c)

Fixing things so this works will require at least two things:
 1) pledge will need to always permit profil(NULL,0,0,0) for the
moncontrol(0) performed by _mcleanup()
 2) pledge will need to permit opening and writing to "gmon.out"
(ignore the $PROFDIR stuff) if and only if profil() had been used.

(The fallback code to use setitimer() if sysctl() fails seems
pointless: when would that fail and setitimer() succeed?)


Philip Guenther



"Abort trap" when pledge()d and compiled with -pg

2016-02-13 Thread Michal Mazurek
(I was told to resend this to tech@)

When compiling a program that calls pledge(2) with "-pg" the resulting
binary will execute seemingly fine, but at the very end die with:
Abort trap (core dumped)
I think the problem lies in a call to profil(2).

Is this a bug or a feature?

-- 
Michal Mazurek