[libvirt] [PATCH 03/11] Include process start time when doing polkit checks

Eric Blake eblake at redhat.com
Fri May 3 19:34:40 UTC 2013


On 05/02/2013 06:03 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
> 
> Since PIDs can be reused, polkit prefers to be given
> a (PID,start time) pair. If given a PID on its own,
> it will attempt to lookup the start time in /proc/pid/stat,
> though this is subject to races.
> 
> It is safer if the client app resolves the PID start
> time itself, because as long as the app has the client
> socket open, the client PID won't be reused.
> 
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
>  daemon/remote.c              |  12 +++--
>  src/libvirt_private.syms     |   1 +
>  src/locking/lock_daemon.c    |   4 +-
>  src/rpc/virnetserverclient.c |  28 +++++++++--
>  src/rpc/virnetserverclient.h |   3 +-
>  src/rpc/virnetsocket.c       |  23 ++++++---
>  src/rpc/virnetsocket.h       |   3 +-
>  src/util/viridentity.h       |   1 +
>  src/util/virprocess.c        | 117 +++++++++++++++++++++++++++++++++++++++++++
>  src/util/virprocess.h        |   3 ++
>  src/util/virstring.c         |  11 ++++
>  src/util/virstring.h         |   2 +
>  12 files changed, 191 insertions(+), 17 deletions(-)

> +int virProcessGetStartTime(pid_t pid,
> +                           unsigned long long *timestamp)
> +{
> +    char *filename = NULL;
> +    char *buf = NULL;
> +    char *tmp;
> +    int ret = -1;
> +    int len;
> +    char **tokens = NULL;
> +
> +    if (virAsprintf(&filename, "/proc/%llu/stat",
> +                    (unsigned long long)pid) < 0) {
> +        virReportOOMError();
> +        return -1;
> +    }
> +
> +    if ((len = virFileReadAll(filename, 1024, &buf)) < 0)
> +        goto cleanup;
> +
> +    /* start time is the token at index 19 after the '(process name)' entry - since only this
> +     * field can contain the ')' character, search backwards for this to avoid malicious
> +     * processes trying to fool us
> +     */

Talk about an arcane interface with the kernel.  But the code looks
correct; and more importantly, it picks the same number as polkit picks
(since you copied polkit's code), no matter whether that number is a
timestamp or something else.

ACK.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
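As an added example (not libvirt's code and not the patch author's), the parsing rule the quoted comment describes, carried out on constructed /proc/PID/stat lines: anchor on the last ')' that closes the comm field and take the 20th token after it (field 22, starttime, in clock ticks since boot). A naive whitespace split is included beside it to show how a comm containing ')' and spaces shifts the fields for that approach. The names stat_start_time, naive_start_time, proc_start_time, SAMPLE_STAT and HOSTILE_STAT are mine, as are the sample lines.

```c
/* Added example, not libvirt code. Parse the start time out of a
 * /proc/PID/stat line by searching backwards for the ')' that ends the
 * comm field, as the patch's comment describes. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample lines (not captured from a real system). */
static const char *const SAMPLE_STAT =
    "1234 (sshd) S 1 1234 1234 0 -1 4194560 1112 0 0 0 3 2 0 0 20 0 1 0 4242 "
    "7434240 1181 18446744073709551615 1 1 0 0 0 0 0 4096 81923 0 0 0 17 3 0 0 0 0 0\n";
/* Same fields, but the comm is "x) 1 2": a ')' and spaces inside the name. */
static const char *const HOSTILE_STAT =
    "1234 (x) 1 2) S 1 1234 1234 0 -1 4194560 1112 0 0 0 3 2 0 0 20 0 1 0 4242 "
    "7434240 1181 18446744073709551615 1 1 0 0 0 0 0 4096 81923 0 0 0 17 3 0 0 0 0 0\n";

/* Field 22 of /proc/PID/stat is starttime; fields 1 and 2 are pid and
 * "(comm)", so after the closing ')' it is the token at 0-based index 19. */
#define STARTTIME_INDEX_AFTER_COMM 19

/* Robust parse: 0 on success with *starttime set, -1 on malformed input. */
int stat_start_time(const char *stat, unsigned long long *starttime)
{
    const char *p = strrchr(stat, ')');   /* only comm may contain ')' */
    if (!p)
        return -1;
    p++;
    for (int i = 0; i <= STARTTIME_INDEX_AFTER_COMM; i++) {
        while (*p == ' ')
            p++;
        if (*p == '\0' || *p == '\n')
            return -1;                    /* line has too few fields */
        if (i == STARTTIME_INDEX_AFTER_COMM) {
            char *end;
            errno = 0;
            unsigned long long v = strtoull(p, &end, 10);
            if (end == p || errno != 0 ||
                (*end != ' ' && *end != '\0' && *end != '\n'))
                return -1;                /* not a clean number */
            *starttime = v;
            return 0;
        }
        while (*p != ' ' && *p != '\0' && *p != '\n')
            p++;                          /* skip this token */
    }
    return -1;
}

/* Convenience wrapper: the start time, or -1 on any parse failure. */
long long parse_start_time(const char *stat)
{
    unsigned long long v;
    return stat_start_time(stat, &v) == 0 ? (long long)v : -1;
}

/* Naive variant for contrast: split on whitespace from the front and take
 * the 22nd field. A comm containing spaces shifts every later field. */
long long naive_start_time(const char *stat)
{
    char *copy = strdup(stat);
    if (!copy)
        return -1;
    long long v = -1;
    int idx = 0;
    for (char *tok = strtok(copy, " \n"); tok; tok = strtok(NULL, " \n"), idx++) {
        if (idx == 21) {
            v = strtoll(tok, NULL, 10);
            break;
        }
    }
    free(copy);
    return v;
}

/* Read /proc/PID/stat for a live process (Linux only) and parse it.
 * The line must fit the buffer completely; a missing '\n' means truncation. */
int proc_start_time(pid_t pid, unsigned long long *starttime)
{
    char path[64], buf[4096];
    snprintf(path, sizeof(path), "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char *line = fgets(buf, sizeof(buf), f);
    fclose(f);
    if (!line || !strchr(buf, '\n'))
        return -1;
    return stat_start_time(buf, starttime);
}

int main(void)
{
    unsigned long long t;
    if (proc_start_time(getpid(), &t) < 0) {
        fprintf(stderr, "cannot read /proc/%ld/stat (Linux only)\n", (long)getpid());
        return 1;
    }
    printf("pid %ld started %llu clock ticks after boot\n", (long)getpid(), t);
    return 0;
}
```

The reading side checks for the trailing newline so that a line longer than the buffer is rejected instead of being parsed as a shorter one; the parsing side accepts only a clean decimal at the expected position, so a short or doctored line fails rather than yielding a plausible number.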
