Context Navigation

Back to Ticket #3910

Ticket #3910: 0002-Change-what-RTS-options-are-available-by-default.patch

File 0002-Change-what-RTS-options-are-available-by-default.patch, 16.2 KB (added by duncan, 19 months ago)
Patch: Change what +RTS options are available by default

rts/RtsFlags.c

From 3784bb76447e5353d467c9adf465c3bcc0f0534f Mon Sep 17 00:00:00 2001
From: Duncan Coutts <duncan@well-typed.com>
Date: Thu, 27 Oct 2011 13:26:15 +0100
Subject: [PATCH 2/2] Change what +RTS options are available by default

Ticket #3910 originally pointed out that the RTS options are a potential
security problem. For example the -t -s or -S flags can be used to
overwrite files. This would be bad in the context of CGI scripts or
setuid binaries. So we introduced a system where +RTS processing is more
or less disabled unless you pass the -rtsopts flag at link time.

This scheme is safe enough but it also really annoies users. They have
to use -rtsopts in many circumstances: with -threaded to use -N, with
-eventlog to use -l, with -prof to use any of the profiling flags. Many
users just set -rtsopts globally or in project .cabal files. Apart from
annoying users it reduces security because it means that deployed
binaries will have all RTS options enabled rather than just profiling
ones.

This patch relaxes the set of RTS options that are available in the
default -rtsopts=some case. For "deployment" ways like vanilla and
-threaded we remain quite conservative. Only --info -? --help are
allowed for vanilla. For -threaded, -N and -N<x> are allowed with a
check that x <= num cpus.

For "developer" ways like -debug, -eventlog, -prof, we allow all the
options that are special to that way. Some of these allow writing files,
but the file written is not directly under the control of the attacker.
For the setuid case (where the attacker would have control over binary
name, current dir, local symlinks etc) we check if the process is
running setuid/setgid and refuse all RTS option processing. Users would
need to use -rtsopts=all in this case.

We are making the assumption that developers will not deploy binaries
built in the -debug, -eventlog, -prof ways. And even if they do, the
damage should be limited to DOS, information disclosure and writing
files like <progname>.eventlog, not arbitrary files.
---
 rts/RtsFlags.c |  124 ++++++++++++++++++++++++++++++++++++++++++++++---------
 1 files changed, 103 insertions(+), 21 deletions(-)

diff --git a/rts/RtsFlags.c b/rts/RtsFlags.c
index d6da873..d2b4cfc 100644

a	b
21	21
22	22	#include <string.h>
23	23
	24	#ifdef HAVE_UNISTD_H
	25	#include <unistd.h>
	26	#endif
	27
	28	#ifdef HAVE_SYS_TYPES_H
	29	#include <sys/types.h>
	30	#endif
	31
24	32	// Flag Structure
25	33	RTS_FLAGS RtsFlags;
26	34
…	…
526	534	* procRtsOpts: Process rts_argv between rts_argc0 and rts_argc.
527	535	* -------------------------------------------------------------------------- */
528	536
	537	static void checkUnsafe(RtsOptsEnabledEnum enabled)
	538	{
	539	if (enabled == RtsOptsSafeOnly) {
	540	errorBelch("Most RTS options are disabled. Link with -rtsopts to enable them.");
	541	stg_exit(EXIT_FAILURE);
	542	}
	543	}
	544
529	545	static void procRtsOpts (int rts_argc0, RtsOptsEnabledEnum enabled)
530	546	{
531	547	rtsBool error = rtsFalse;
532	548	int arg;
533	549
	550	if (enabled == RtsOptsNone) {
	551	errorBelch("RTS options are disabled. Link with -rtsopts to enable them.");
	552	stg_exit(EXIT_FAILURE);
	553	}
	554
	555	#if defined(HAVE_UNISTD_H) && defined(HAVE_SYS_TYPES_H)
	556	if (enabled == RtsOptsSafeOnly) {
	557	/* This doesn't cover linux/posix capabilities like CAP_DAC_OVERRIDE,
	558	we'd have to link with -lcap for that. */
	559	if ((getuid() != geteuid()) \|\| (getgid() != getegid())) {
	560	errorBelch("RTS options are disabled for setuid binaries. Link with -rtsopts to enable them.");
	561	stg_exit(EXIT_FAILURE);
	562	}
	563	}
	564	#endif
	565
534	566	// Process RTS (rts_argv) part: mainly to determine statsfile
535	567	for (arg = rts_argc0; arg < rts_argc; arg++) {
	568
	569	/* We handle RtsOptsSafeOnly mode by declaring each option as
	570	either OPTION_SAFE or OPTION_UNSAFE. To make sure we cover
	571	every branch we use an option_checked flag which is reset
	572	at the start each iteration and checked at the end. */
	573	rtsBool option_checked = rtsFalse;
	574
	575	#define OPTION_SAFE option_checked = rtsTrue;
	576	#define OPTION_UNSAFE checkUnsafe(enabled); option_checked = rtsTrue;
	577
536	578	if (rts_argv[arg][0] != '-') {
537	579	fflush(stdout);
538	580	errorBelch("unexpected RTS argument: %s", rts_argv[arg]);
…	…
540	582
541	583	} else {
542	584
543		~~if (enabled == RtsOptsNone) {~~
544		~~errorBelch("RTS options are disabled. Link with -rtsopts to enable them.");~~
545		~~stg_exit(EXIT_FAILURE);~~
546		}
547
548		~~switch(rts_argv[arg][1]) {~~
549		~~case '-':~~
550		~~if (strequal("info", &rts_argv[arg][2])) {~~
551		~~printRtsInfo();~~
552		~~stg_exit(0);~~
553		}
554		~~break;~~
555		~~default:~~
556		~~break;~~
557		}
558
559		~~if (enabled == RtsOptsSafeOnly) {~~
560		~~errorBelch("Most RTS options are disabled. Link with -rtsopts to enable them.");~~
561		~~stg_exit(EXIT_FAILURE);~~
562		}
563
564	585	switch(rts_argv[arg][1]) {
565	586
566	587	/* process: general args, then PROFILING-only ones, then
…	…
612	633
613	634	/* =========== GENERAL ========================== */
614	635	case '?':
	636	OPTION_SAFE;
615	637	error = rtsTrue;
616	638	break;
617	639
…	…
621	643	case '-':
622	644	if (strequal("install-signal-handlers=yes",
623	645	&rts_argv[arg][2])) {
	646	OPTION_UNSAFE;
624	647	RtsFlags.MiscFlags.install_signal_handlers = rtsTrue;
625	648	}
626	649	else if (strequal("install-signal-handlers=no",
627	650	&rts_argv[arg][2])) {
	651	OPTION_UNSAFE;
628	652	RtsFlags.MiscFlags.install_signal_handlers = rtsFalse;
629	653	}
630	654	else if (strequal("machine-readable",
631	655	&rts_argv[arg][2])) {
	656	OPTION_UNSAFE;
632	657	RtsFlags.MiscFlags.machineReadable = rtsTrue;
633	658	}
634	659	else if (strequal("info",
635	660	&rts_argv[arg][2])) {
	661	OPTION_SAFE;
636	662	printRtsInfo();
637	663	stg_exit(0);
638	664	}
639	665	else {
	666	OPTION_SAFE;
640	667	errorBelch("unknown RTS option: %s",rts_argv[arg]);
641	668	error = rtsTrue;
642	669	}
643	670	break;
644	671	case 'A':
	672	OPTION_UNSAFE;
645	673	RtsFlags.GcFlags.minAllocAreaSize
646	674	= decodeSize(rts_argv[arg], 2, BLOCK_SIZE, HS_INT_MAX)
647	675	/ BLOCK_SIZE;
…	…
649	677
650	678	#ifdef USE_PAPI
651	679	case 'a':
	680	OPTION_UNSAFE;
652	681	switch(rts_argv[arg][2]) {
653	682	case '1':
654	683	RtsFlags.PapiFlags.eventType = PAPI_FLAG_CACHE_L1;
…	…
686	715	#endif
687	716
688	717	case 'B':
	718	OPTION_UNSAFE;
689	719	RtsFlags.GcFlags.ringBell = rtsTrue;
690	720	break;
691	721
692	722	case 'c':
	723	OPTION_UNSAFE;
693	724	if (rts_argv[arg][2] != '\0') {
694	725	RtsFlags.GcFlags.compactThreshold =
695	726	atof(rts_argv[arg]+2);
…	…
699	730	break;
700	731
701	732	case 'w':
	733	OPTION_UNSAFE;
702	734	RtsFlags.GcFlags.sweep = rtsTrue;
703	735	break;
704	736
705	737	case 'F':
	738	OPTION_UNSAFE;
706	739	RtsFlags.GcFlags.oldGenFactor = atof(rts_argv[arg]+2);
707	740
708	741	if (RtsFlags.GcFlags.oldGenFactor < 0)
…	…
710	743	break;
711	744
712	745	case 'D':
	746	OPTION_SAFE;
713	747	DEBUG_BUILD_ONLY(
714	748	{
715	749	char *c;
…	…
772	806	break;
773	807
774	808	case 'K':
	809	OPTION_UNSAFE;
775	810	RtsFlags.GcFlags.maxStkSize =
776	811	decodeSize(rts_argv[arg], 2, sizeof(W_), HS_WORD_MAX) / sizeof(W_);
777	812	break;
778	813
779	814	case 'k':
	815	OPTION_UNSAFE;
780	816	switch(rts_argv[arg][2]) {
781	817	case 'c':
782	818	RtsFlags.GcFlags.stkChunkSize =
…	…
798	834	break;
799	835
800	836	case 'M':
	837	OPTION_UNSAFE;
801	838	RtsFlags.GcFlags.maxHeapSize =
802	839	decodeSize(rts_argv[arg], 2, BLOCK_SIZE, HS_WORD_MAX) / BLOCK_SIZE;
803	840	/* user give size in bytes but "maxHeapSize" is in blocks */
804	841	break;
805	842
806	843	case 'm':
	844	OPTION_UNSAFE;
807	845	RtsFlags.GcFlags.pcFreeHeap = atof(rts_argv[arg]+2);
808	846
809	847	if (RtsFlags.GcFlags.pcFreeHeap < 0 \|\|
…	…
812	850	break;
813	851
814	852	case 'G':
	853	OPTION_UNSAFE;
815	854	RtsFlags.GcFlags.generations =
816	855	decodeSize(rts_argv[arg], 2, 1, HS_INT_MAX);
817	856	break;
818	857
819	858	case 'H':
	859	OPTION_UNSAFE;
820	860	if (rts_argv[arg][2] == '\0') {
821	861	RtsFlags.GcFlags.heapSizeSuggestionAuto = rtsTrue;
822	862	} else {
…	…
827	867
828	868	#ifdef RTS_GTK_FRONTPANEL
829	869	case 'f':
	870	OPTION_UNSAFE;
830	871	RtsFlags.GcFlags.frontpanel = rtsTrue;
831	872	break;
832	873	#endif
833	874
834	875	case 'I': /* idle GC delay */
	876	OPTION_UNSAFE;
835	877	if (rts_argv[arg][2] == '\0') {
836	878	/* use default */
837	879	} else {
…	…
844	886	break;
845	887
846	888	case 'T':
	889	OPTION_UNSAFE;
847	890	RtsFlags.GcFlags.giveStats = COLLECT_GC_STATS;
848	891	break; /* Don't initialize statistics file. */
849	892
850	893	case 'S':
	894	OPTION_UNSAFE;
851	895	RtsFlags.GcFlags.giveStats = VERBOSE_GC_STATS;
852	896	goto stats;
853	897
854	898	case 's':
	899	OPTION_UNSAFE;
855	900	RtsFlags.GcFlags.giveStats = SUMMARY_GC_STATS;
856	901	goto stats;
857	902
858	903	case 't':
	904	OPTION_UNSAFE;
859	905	RtsFlags.GcFlags.giveStats = ONELINE_GC_STATS;
860	906	goto stats;
861	907
…	…
869	915	break;
870	916
871	917	case 'Z':
	918	OPTION_UNSAFE;
872	919	RtsFlags.GcFlags.squeezeUpdFrames = rtsFalse;
873	920	break;
874	921
…	…
876	923
877	924	case 'P': /* detailed cost centre profiling (time/alloc) */
878	925	case 'p': /* cost centre profiling (time/alloc) */
	926	OPTION_SAFE;
879	927	PROFILING_BUILD_ONLY(
880	928	switch (rts_argv[arg][2]) {
881	929	case 'x':
…	…
897	945	) break;
898	946
899	947	case 'R':
	948	OPTION_SAFE;
900	949	PROFILING_BUILD_ONLY(
901	950	RtsFlags.ProfFlags.maxRetainerSetSize = atof(rts_argv[arg]+2);
902	951	) break;
903	952	case 'L':
	953	OPTION_SAFE;
904	954	PROFILING_BUILD_ONLY(
905	955	RtsFlags.ProfFlags.ccsLength = atof(rts_argv[arg]+2);
906	956	if(RtsFlags.ProfFlags.ccsLength <= 0) {
…	…
909	959	) break;
910	960	case 'h': /* serial heap profile */
911	961	#if !defined(PROFILING)
	962	OPTION_UNSAFE;
912	963	switch (rts_argv[arg][2]) {
913	964	case '\0':
914	965	case 'T':
…	…
919	970	error = rtsTrue;
920	971	}
921	972	#else
	973	OPTION_SAFE;
922	974	PROFILING_BUILD_ONLY(
923	975	switch (rts_argv[arg][2]) {
924	976	case '\0':
…	…
1027	1079	break;
1028	1080
1029	1081	case 'i': /* heap sample interval */
	1082	OPTION_UNSAFE;
1030	1083	if (rts_argv[arg][2] == '\0') {
1031	1084	/* use default */
1032	1085	} else {
…	…
1040	1093
1041	1094	/* =========== CONCURRENT ========================= */
1042	1095	case 'C': /* context switch interval */
	1096	OPTION_UNSAFE;
1043	1097	if (rts_argv[arg][2] == '\0')
1044	1098	RtsFlags.ConcFlags.ctxtSwitchTime = 0;
1045	1099	else {
…	…
1052	1106	break;
1053	1107
1054	1108	case 'V': /* master tick interval */
	1109	OPTION_UNSAFE;
1055	1110	if (rts_argv[arg][2] == '\0') {
1056	1111	// turns off ticks completely
1057	1112	RtsFlags.MiscFlags.tickInterval = 0;
…	…
1066	1121
1067	1122	#if !defined(NOSMP)
1068	1123	case 'N':
	1124	OPTION_SAFE;
1069	1125	THREADED_BUILD_ONLY(
1070	1126	if (rts_argv[arg][2] == '\0') {
1071	1127	#if defined(PROFILING)
…	…
1075	1131	#endif
1076	1132	} else {
1077	1133	int nNodes;
	1134	OPTION_SAFE; /* but see extra checks below... */
1078	1135	nNodes = strtol(rts_argv[arg]+2, (char **) NULL, 10);
1079	1136	if (nNodes <= 0) {
1080	1137	errorBelch("bad value for -N");
1081	1138	error = rtsTrue;
1082	1139	}
	1140	if (enabled == RtsOptsSafeOnly &&
	1141	nNodes > (int)getNumberOfProcessors()) {
	1142	errorBelch("Using large values for -N is not allowed by default. Link with -rtsopts to allow full control.");
	1143	stg_exit(EXIT_FAILURE);
	1144	}
1083	1145	#if defined(PROFILING)
1084	1146	if (nNodes > 1) {
1085	1147	errorBelch("bad option %s: only -N1 is supported with profiling", rts_argv[arg]);
…	…
1091	1153	) break;
1092	1154
1093	1155	case 'g':
	1156	OPTION_UNSAFE;
1094	1157	THREADED_BUILD_ONLY(
1095	1158	switch (rts_argv[arg][2]) {
1096	1159	case '1':
…	…
1105	1168	) break;
1106	1169
1107	1170	case 'q':
	1171	OPTION_UNSAFE;
1108	1172	THREADED_BUILD_ONLY(
1109	1173	switch (rts_argv[arg][2]) {
1110	1174	case '\0':
…	…
1148	1212	#endif
1149	1213	/* =========== PARALLEL =========================== */
1150	1214	case 'e':
	1215	OPTION_UNSAFE;
1151	1216	THREADED_BUILD_ONLY(
1152	1217	if (rts_argv[arg][2] != '\0') {
1153	1218	RtsFlags.ParFlags.maxLocalSparks
…	…
1162	1227	/* =========== TICKY ============================== */
1163	1228
1164	1229	case 'r': /* Basic profiling stats */
	1230	OPTION_SAFE;
1165	1231	TICKY_BUILD_ONLY(
1166	1232
1167	1233	RtsFlags.TickyFlags.showTickyStats = rtsTrue;
…	…
1178	1244	/* =========== TRACING ---------=================== */
1179	1245
1180	1246	case 'l':
	1247	OPTION_SAFE;
1181	1248	TRACING_BUILD_ONLY(
1182	1249	RtsFlags.TraceFlags.tracing = TRACE_EVENTLOG;
1183	1250	read_trace_flags(&rts_argv[arg][2]);
…	…
1185	1252	break;
1186	1253
1187	1254	case 'v':
	1255	OPTION_SAFE;
1188	1256	DEBUG_BUILD_ONLY(
1189	1257	RtsFlags.TraceFlags.tracing = TRACE_STDERR;
1190	1258	read_trace_flags(&rts_argv[arg][2]);
…	…
1196	1264	case 'x': /* Extend the argument space */
1197	1265	switch(rts_argv[arg][2]) {
1198	1266	case '\0':
	1267	OPTION_SAFE;
1199	1268	errorBelch("incomplete RTS option: %s",rts_argv[arg]);
1200	1269	error = rtsTrue;
1201	1270	break;
1202	1271
1203	1272	case 'b': /* heapBase in hex; undocumented */
	1273	OPTION_UNSAFE;
1204	1274	if (rts_argv[arg][3] != '\0') {
1205	1275	RtsFlags.GcFlags.heapBase
1206	1276	= strtol(rts_argv[arg]+3, (char **) NULL, 16);
…	…
1212	1282
1213	1283	#if defined(x86_64_HOST_ARCH)
1214	1284	case 'm': /* linkerMemBase */
	1285	OPTION_UNSAFE;
1215	1286	if (rts_argv[arg][3] != '\0') {
1216	1287	RtsFlags.MiscFlags.linkerMemBase
1217	1288	= strtol(rts_argv[arg]+3, (char **) NULL, 16);
…	…
1226	1297	#endif
1227	1298
1228	1299	case 'c': /* Debugging tool: show current cost centre on an exception */
	1300	OPTION_SAFE;
1229	1301	PROFILING_BUILD_ONLY(
1230	1302	RtsFlags.ProfFlags.showCCSOnException = rtsTrue;
1231	1303	);
1232	1304	break;
1233	1305
1234	1306	case 't': /* Include memory used by TSOs in a heap profile */
	1307	OPTION_SAFE;
1235	1308	PROFILING_BUILD_ONLY(
1236	1309	RtsFlags.ProfFlags.includeTSOs = rtsTrue;
1237	1310	);
…	…
1240	1313	/* The option prefix '-xx' is reserved for future extension. KSW 1999-11. */
1241	1314
1242	1315	default:
	1316	OPTION_SAFE;
1243	1317	errorBelch("unknown RTS option: %s",rts_argv[arg]);
1244	1318	error = rtsTrue;
1245	1319	break;
…	…
1248	1322
1249	1323	/* =========== OH DEAR ============================ */
1250	1324	default:
	1325	OPTION_SAFE;
1251	1326	errorBelch("unknown RTS option: %s",rts_argv[arg]);
1252	1327	error = rtsTrue;
1253	1328	break;
1254	1329	}
	1330
	1331	if (!option_checked) {
	1332	/* Naughty! Someone didn't use OPTION_UNSAFE / OPTION_SAFE for
	1333	an option above */
	1334	errorBelch("Internal error in the RTS options parser");
	1335	stg_exit(EXIT_FAILURE);
	1336	}
1255	1337	}
1256	1338	}
1257	1339

Download in other formats:

Original Format