diff options
author | rwatson <rwatson@FreeBSD.org> | 2011-08-14 00:42:09 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2011-08-14 00:42:09 +0000 |
commit | 35b7068df54aac6d028b50251a320efb190b6c41 (patch) | |
tree | ca429aeb22aa1af4b3462fdb8fb86944947b7dde /usr.bin | |
parent | ae4052d3f376c0fa7111ebe2cc007fd43435d701 (diff) | |
download | FreeBSD-src-35b7068df54aac6d028b50251a320efb190b6c41.zip FreeBSD-src-35b7068df54aac6d028b50251a320efb190b6c41.tar.gz |
Updates to libprocstat(3) and procstat(1) to allow monitoring Capsicum
capability mode and capabilities.
Right now no attempt is made to unwrap capabilities when operating on
a crashdump, so further refinement is required.
Approved by: re (bz)
Sponsored by: Google Inc
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/procstat/procstat.1 | 34 | ||||
-rw-r--r-- | usr.bin/procstat/procstat.c | 16 | ||||
-rw-r--r-- | usr.bin/procstat/procstat.h | 2 | ||||
-rw-r--r-- | usr.bin/procstat/procstat_cred.c | 8 | ||||
-rw-r--r-- | usr.bin/procstat/procstat_files.c | 280 |
5 files changed, 270 insertions, 70 deletions
diff --git a/usr.bin/procstat/procstat.1 b/usr.bin/procstat/procstat.1 index 0113e37..35fab1f 100644 --- a/usr.bin/procstat/procstat.1 +++ b/usr.bin/procstat/procstat.1 @@ -1,5 +1,5 @@ .\"- -.\" Copyright (c) 2007-2008 Robert N. M. Watson +.\" Copyright (c) 2007-2009 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 7, 2010 +.Dd August 14, 2011 .Dt PROCSTAT 1 .Os .Sh NAME @@ -35,6 +35,7 @@ .Nm .Op Fl h .Op Fl n +.Op Fl C .Op Fl w Ar interval .Op Fl b | c | f | i | j | k | s | t | v .Op Fl a | Ar pid ... @@ -88,6 +89,11 @@ If the .Fl w flag is not specified, the output will not repeat. .Pp +The +.Fl C +flag requests the printing of additional capability information in the file +descriptor view. +.Pp Some information, such as VM and file descriptor information, is available only to the owner of a process or the superuser. .Ss Binary Information @@ -116,7 +122,8 @@ command line arguments (if available) Display detailed information about each file descriptor referenced by a process, including the process ID, command, file descriptor number, and per-file descriptor object information, such as object type and file system -path: +path. +By default, the following information will be printed: .Pp .Bl -tag -width indent -compact .It PID @@ -208,7 +215,17 @@ non-blocking direct I/O .It l lock held +.It c +descriptor is a capability .El +.Pp +If the +.Fl C +flag is specified, the vnode type, reference count, and offset fields will be +omitted, and a new capabilities field will be included listing capabilities, +as described in +.Xr cap_new 2 , +present for each capability descriptor. .Ss Signal Disposition Information Display signal pending and disposition for a process: .Pp @@ -306,9 +323,18 @@ effective group ID real group ID .It SVGID saved group ID +.It FLAGS +credential flags .It GROUPS group set .El +.Pp +The following credential flags may be displayed: +.Pp +.Bl -tag -width X -compact +.It C +capability mode +.El .Ss Thread Information Display per-thread information, including process ID, per-thread ID, name, CPU, and execution state: @@ -402,6 +428,8 @@ needs copy .Xr fstat 1 , .Xr ps 1 , .Xr sockstat 1 , +.Xr cap_enter 2 , +.Xr cap_new 2 , .Xr ddb 4 , .Xr stack 9 .Sh AUTHORS diff --git a/usr.bin/procstat/procstat.c b/usr.bin/procstat/procstat.c index 69648fd..97ff879 100644 --- a/usr.bin/procstat/procstat.c +++ b/usr.bin/procstat/procstat.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2007 Robert N. M. Watson + * Copyright (c) 2007, 2011 Robert N. M. Watson * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -40,13 +40,13 @@ #include "procstat.h" static int aflag, bflag, cflag, fflag, iflag, jflag, kflag, sflag, tflag, vflag; -int hflag, nflag; +int hflag, nflag, Cflag; static void usage(void) { - fprintf(stderr, "usage: procstat [-h] [-M core] [-N system] " + fprintf(stderr, "usage: procstat [-h] [-C] [-M core] [-N system] " "[-w interval] [-b | -c | -f | -i | -j | -k | -s | -t | -v]\n"); fprintf(stderr, " [-a | pid ...]\n"); exit(EX_USAGE); @@ -117,8 +117,12 @@ main(int argc, char *argv[]) interval = 0; memf = nlistf = NULL; - while ((ch = getopt(argc, argv, "N:M:abcfijkhstvw:")) != -1) { + while ((ch = getopt(argc, argv, "CN:M:abcfijkhstvw:")) != -1) { switch (ch) { + case 'C': + Cflag++; + break; + case 'M': memf = optarg; break; @@ -204,6 +208,10 @@ main(int argc, char *argv[]) if (!(aflag == 1 && argc == 0) && !(aflag == 0 && argc > 0)) usage(); + /* Only allow -C with -f. */ + if (Cflag && !fflag) + usage(); + if (memf != NULL) prstat = procstat_open_kvm(nlistf, memf); else diff --git a/usr.bin/procstat/procstat.h b/usr.bin/procstat/procstat.h index ad425f3..71e3ca7 100644 --- a/usr.bin/procstat/procstat.h +++ b/usr.bin/procstat/procstat.h @@ -29,7 +29,7 @@ #ifndef PROCSTAT_H #define PROCSTAT_H -extern int hflag, nflag; +extern int hflag, nflag, Cflag; struct kinfo_proc; void kinfo_proc_sort(struct kinfo_proc *kipp, int count); diff --git a/usr.bin/procstat/procstat_cred.c b/usr.bin/procstat/procstat_cred.c index ea8fdfd..12db429 100644 --- a/usr.bin/procstat/procstat_cred.c +++ b/usr.bin/procstat/procstat_cred.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2007 Robert N. M. Watson + * Copyright (c) 2007-2008 Robert N. M. Watson * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -48,9 +48,9 @@ procstat_cred(struct kinfo_proc *kipp) gid_t *groups = NULL; if (!hflag) - printf("%5s %-16s %5s %5s %5s %5s %5s %5s %-20s\n", "PID", + printf("%5s %-16s %5s %5s %5s %5s %5s %5s %5s %-15s\n", "PID", "COMM", "EUID", "RUID", "SVUID", "EGID", "RGID", "SVGID", - "GROUPS"); + "FLAGS", "GROUPS"); printf("%5d ", kipp->ki_pid); printf("%-16s ", kipp->ki_comm); @@ -60,6 +60,8 @@ procstat_cred(struct kinfo_proc *kipp) printf("%5d ", kipp->ki_groups[0]); printf("%5d ", kipp->ki_rgid); printf("%5d ", kipp->ki_svgid); + printf("%s", kipp->ki_cr_flags & CRED_FLAG_CAPMODE ? "C" : "-"); + printf(" "); /* * We may have too many groups to fit in kinfo_proc's statically diff --git a/usr.bin/procstat/procstat_files.c b/usr.bin/procstat/procstat_files.c index f7d91a4..84737a1 100644 --- a/usr.bin/procstat/procstat_files.c +++ b/usr.bin/procstat/procstat_files.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2007 Robert N. M. Watson + * Copyright (c) 2007-2011 Robert N. M. Watson * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -27,6 +27,7 @@ */ #include <sys/param.h> +#include <sys/capability.h> #include <sys/socket.h> #include <sys/sysctl.h> #include <sys/un.h> @@ -131,6 +132,133 @@ print_address(struct sockaddr_storage *ss) printf("%s", addr); } +static struct cap_desc { + cap_rights_t cd_right; + const char *cd_desc; +} cap_desc[] = { + /* General file I/O. */ + { CAP_READ, "rd" }, + { CAP_WRITE, "wr" }, + { CAP_MMAP, "mm" }, + { CAP_MAPEXEC, "me" }, + { CAP_FEXECVE, "fe" }, + { CAP_FSYNC, "fy" }, + { CAP_FTRUNCATE, "ft" }, + { CAP_SEEK, "se" }, + + /* VFS methods. */ + { CAP_FCHFLAGS, "cf" }, + { CAP_FCHDIR, "cd" }, + { CAP_FCHMOD, "cm" }, + { CAP_FCHOWN, "cn" }, + { CAP_FCNTL, "fc" }, + { CAP_FPATHCONF, "fp" }, + { CAP_FLOCK, "fl" }, + { CAP_FSCK, "fk" }, + { CAP_FSTAT, "fs" }, + { CAP_FSTATFS, "sf" }, + { CAP_FUTIMES, "fu" }, + { CAP_CREATE, "cr" }, + { CAP_DELETE, "de" }, + { CAP_MKDIR, "md" }, + { CAP_RMDIR, "rm" }, + { CAP_MKFIFO, "mf" }, + + /* Lookups - used to constraint *at() calls. */ + { CAP_LOOKUP, "lo" }, + + /* Extended attributes. */ + { CAP_EXTATTR_GET, "eg" }, + { CAP_EXTATTR_SET, "es" }, + { CAP_EXTATTR_DELETE, "ed" }, + { CAP_EXTATTR_LIST, "el" }, + + /* Access Control Lists. */ + { CAP_ACL_GET, "ag" }, + { CAP_ACL_SET, "as" }, + { CAP_ACL_DELETE, "ad" }, + { CAP_ACL_CHECK, "ac" }, + + /* Socket operations. */ + { CAP_ACCEPT, "at" }, + { CAP_BIND, "bd" }, + { CAP_CONNECT, "co" }, + { CAP_GETPEERNAME, "pn" }, + { CAP_GETSOCKNAME, "sn" }, + { CAP_GETSOCKOPT, "gs" }, + { CAP_LISTEN, "ln" }, + { CAP_PEELOFF, "pf" }, + { CAP_SETSOCKOPT, "ss" }, + { CAP_SHUTDOWN, "sh" }, + + /* Mandatory Access Control. */ + { CAP_MAC_GET, "mg" }, + { CAP_MAC_SET, "ms" }, + + /* Methods on semaphores. */ + { CAP_SEM_GETVALUE, "sg" }, + { CAP_SEM_POST, "sp" }, + { CAP_SEM_WAIT, "sw" }, + + /* Event monitoring and posting. */ + { CAP_POLL_EVENT, "po" }, + { CAP_POST_EVENT, "ev" }, + + /* Strange and powerful rights that should not be given lightly. */ + { CAP_IOCTL, "io" }, + { CAP_TTYHOOK, "ty" }, + +#ifdef NOTYET + { CAP_PDGETPID, "pg" }, + { CAP_PDWAIT4, "pw" }, + { CAP_PDKILL, "pk" }, +#endif +}; +static const u_int cap_desc_count = sizeof(cap_desc) / + sizeof(cap_desc[0]); + +static u_int +width_capability(cap_rights_t rights) +{ + u_int count, i, width; + + count = 0; + width = 0; + for (i = 0; i < cap_desc_count; i++) { + if (rights & cap_desc[i].cd_right) { + width += strlen(cap_desc[i].cd_desc); + if (count) + width++; + count++; + } + } + return (width); +} + +static void +print_capability(cap_rights_t rights, u_int capwidth) +{ + u_int count, i, width; + + count = 0; + width = 0; + for (i = width_capability(rights); i < capwidth; i++) { + if (rights || i != 0) + printf(" "); + else + printf("-"); + } + for (i = 0; i < cap_desc_count; i++) { + if (rights & cap_desc[i].cd_right) { + printf("%s%s", count ? "," : "", cap_desc[i].cd_desc); + width += strlen(cap_desc[i].cd_desc); + if (count) + width++; + count++; + } + } +} + void procstat_files(struct procstat *procstat, struct kinfo_proc *kipp) { @@ -139,14 +267,39 @@ procstat_files(struct procstat *procstat, struct kinfo_proc *kipp) struct filestat *fst; const char *str; struct vnstat vn; + u_int capwidth, width; int error; - if (!hflag) - printf("%5s %-16s %4s %1s %1s %-8s %3s %7s %-3s %-12s\n", - "PID", "COMM", "FD", "T", "V", "FLAGS", "REF", "OFFSET", - "PRO", "NAME"); - + /* + * To print the header in capability mode, we need to know the width + * of the widest capability string. Even if we get no processes + * back, we will print the header, so we defer aborting due to a lack + * of processes until after the header logic. + */ + capwidth = 0; head = procstat_getfiles(procstat, kipp, 0); + if (head != NULL && Cflag) { + STAILQ_FOREACH(fst, head, next) { + width = width_capability(fst->fs_cap_rights); + if (width > capwidth) + capwidth = width; + } + if (capwidth < strlen("CAPABILITIES")) + capwidth = strlen("CAPABILITIES"); + } + + if (!hflag) { + if (Cflag) + printf("%5s %-16s %4s %1s %-9s %-*s " + "%-3s %-12s\n", "PID", "COMM", "FD", "T", + "FLAGS", capwidth, "CAPABILITIES", "PRO", + "NAME"); + else + printf("%5s %-16s %4s %1s %1s %-9s " + "%3s %7s %-3s %-12s\n", "PID", "COMM", "FD", "T", + "V", "FLAGS", "REF", "OFFSET", "PRO", "NAME"); + } + if (head == NULL) return; STAILQ_FOREACH(fst, head, next) { @@ -215,50 +368,53 @@ procstat_files(struct procstat *procstat, struct kinfo_proc *kipp) break; } printf("%1s ", str); - str = "-"; - if (fst->fs_type == PS_FST_TYPE_VNODE) { - error = procstat_get_vnode_info(procstat, fst, &vn, NULL); - switch (vn.vn_type) { - case PS_FST_VTYPE_VREG: - str = "r"; - break; - - case PS_FST_VTYPE_VDIR: - str = "d"; - break; - - case PS_FST_VTYPE_VBLK: - str = "b"; - break; - - case PS_FST_VTYPE_VCHR: - str = "c"; - break; - - case PS_FST_VTYPE_VLNK: - str = "l"; - break; - - case PS_FST_VTYPE_VSOCK: - str = "s"; - break; - - case PS_FST_VTYPE_VFIFO: - str = "f"; - break; - - case PS_FST_VTYPE_VBAD: - str = "x"; - break; - - case PS_FST_VTYPE_VNON: - case PS_FST_VTYPE_UNKNOWN: - default: - str = "?"; - break; + if (!Cflag) { + str = "-"; + if (fst->fs_type == PS_FST_TYPE_VNODE) { + error = procstat_get_vnode_info(procstat, fst, + &vn, NULL); + switch (vn.vn_type) { + case PS_FST_VTYPE_VREG: + str = "r"; + break; + + case PS_FST_VTYPE_VDIR: + str = "d"; + break; + + case PS_FST_VTYPE_VBLK: + str = "b"; + break; + + case PS_FST_VTYPE_VCHR: + str = "c"; + break; + + case PS_FST_VTYPE_VLNK: + str = "l"; + break; + + case PS_FST_VTYPE_VSOCK: + str = "s"; + break; + + case PS_FST_VTYPE_VFIFO: + str = "f"; + break; + + case PS_FST_VTYPE_VBAD: + str = "x"; + break; + + case PS_FST_VTYPE_VNON: + case PS_FST_VTYPE_UNKNOWN: + default: + str = "?"; + break; + } } + printf("%1s ", str); } - printf("%1s ", str); printf("%s", fst->fs_fflags & PS_FST_FFLAG_READ ? "r" : "-"); printf("%s", fst->fs_fflags & PS_FST_FFLAG_WRITE ? "w" : "-"); printf("%s", fst->fs_fflags & PS_FST_FFLAG_APPEND ? "a" : "-"); @@ -266,16 +422,23 @@ procstat_files(struct procstat *procstat, struct kinfo_proc *kipp) printf("%s", fst->fs_fflags & PS_FST_FFLAG_SYNC ? "f" : "-"); printf("%s", fst->fs_fflags & PS_FST_FFLAG_NONBLOCK ? "n" : "-"); printf("%s", fst->fs_fflags & PS_FST_FFLAG_DIRECT ? "d" : "-"); - printf("%s ", fst->fs_fflags & PS_FST_FFLAG_HASLOCK ? "l" : "-"); - if (fst->fs_ref_count > -1) - printf("%3d ", fst->fs_ref_count); - else - printf("%3c ", '-'); - if (fst->fs_offset > -1) - printf("%7jd ", (intmax_t)fst->fs_offset); - else - printf("%7c ", '-'); - + printf("%s", fst->fs_fflags & PS_FST_FFLAG_HASLOCK ? "l" : "-"); + printf("%s ", fst->fs_fflags & PS_FST_FFLAG_CAPABILITY ? + "c" : "-"); + if (!Cflag) { + if (fst->fs_ref_count > -1) + printf("%3d ", fst->fs_ref_count); + else + printf("%3c ", '-'); + if (fst->fs_offset > -1) + printf("%7jd ", (intmax_t)fst->fs_offset); + else + printf("%7c ", '-'); + } + if (Cflag) { + print_capability(fst->fs_cap_rights, capwidth); + printf(" "); + } switch (fst->fs_type) { case PS_FST_TYPE_VNODE: case PS_FST_TYPE_FIFO: @@ -314,7 +477,6 @@ procstat_files(struct procstat *procstat, struct kinfo_proc *kipp) break; default: - printf("%-3s ", "-"); printf("%-18s", "-"); } |