authorrwatson <rwatson@FreeBSD.org>2011-08-14 00:42:09 +0000
committerrwatson <rwatson@FreeBSD.org>2011-08-14 00:42:09 +0000
commit35b7068df54aac6d028b50251a320efb190b6c41 (patch)
treeca429aeb22aa1af4b3462fdb8fb86944947b7dde /usr.bin
parentae4052d3f376c0fa7111ebe2cc007fd43435d701 (diff)
Updates to libprocstat(3) and procstat(1) to allow monitoring Capsicum
capability mode and capabilities. Right now no attempt is made to unwrap capabilities when operating on a crashdump, so further refinement is required. Approved by: re (bz) Sponsored by: Google Inc
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/procstat/procstat.134
-rw-r--r--usr.bin/procstat/procstat.c16
-rw-r--r--usr.bin/procstat/procstat.h2
-rw-r--r--usr.bin/procstat/procstat_cred.c8
-rw-r--r--usr.bin/procstat/procstat_files.c280
5 files changed, 270 insertions, 70 deletions
diff --git a/usr.bin/procstat/procstat.1 b/usr.bin/procstat/procstat.1
index 0113e37..35fab1f 100644
--- a/usr.bin/procstat/procstat.1
+++ b/usr.bin/procstat/procstat.1
@@ -1,5 +1,5 @@
.\"-
-.\" Copyright (c) 2007-2008 Robert N. M. Watson
+.\" Copyright (c) 2007-2009 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 7, 2010
+.Dd August 14, 2011
.Dt PROCSTAT 1
.Os
.Sh NAME
@@ -35,6 +35,7 @@
.Nm
.Op Fl h
.Op Fl n
+.Op Fl C
.Op Fl w Ar interval
.Op Fl b | c | f | i | j | k | s | t | v
.Op Fl a | Ar pid ...
@@ -88,6 +89,11 @@ If the
.Fl w
flag is not specified, the output will not repeat.
.Pp
+The
+.Fl C
+flag requests the printing of additional capability information in the file
+descriptor view.
+.Pp
Some information, such as VM and file descriptor information, is available
only to the owner of a process or the superuser.
.Ss Binary Information
@@ -116,7 +122,8 @@ command line arguments (if available)
Display detailed information about each file descriptor referenced by a
process, including the process ID, command, file descriptor number, and
per-file descriptor object information, such as object type and file system
-path:
+path.
+By default, the following information will be printed:
.Pp
.Bl -tag -width indent -compact
.It PID
@@ -208,7 +215,17 @@ non-blocking
direct I/O
.It l
lock held
+.It c
+descriptor is a capability
.El
+.Pp
+If the
+.Fl C
+flag is specified, the vnode type, reference count, and offset fields will be
+omitted, and a new capabilities field will be included listing capabilities,
+as described in
+.Xr cap_new 2 ,
+present for each capability descriptor.
.Ss Signal Disposition Information
Display signal pending and disposition for a process:
.Pp
@@ -306,9 +323,18 @@ effective group ID
real group ID
.It SVGID
saved group ID
+.It FLAGS
+credential flags
.It GROUPS
group set
.El
+.Pp
+The following credential flags may be displayed:
+.Pp
+.Bl -tag -width X -compact
+.It C
+capability mode
+.El
.Ss Thread Information
Display per-thread information, including process ID, per-thread ID, name,
CPU, and execution state:
@@ -402,6 +428,8 @@ needs copy
.Xr fstat 1 ,
.Xr ps 1 ,
.Xr sockstat 1 ,
+.Xr cap_enter 2 ,
+.Xr cap_new 2 ,
.Xr ddb 4 ,
.Xr stack 9
.Sh AUTHORS
diff --git a/usr.bin/procstat/procstat.c b/usr.bin/procstat/procstat.c
index 69648fd..97ff879 100644
--- a/usr.bin/procstat/procstat.c
+++ b/usr.bin/procstat/procstat.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2007 Robert N. M. Watson
+ * Copyright (c) 2007, 2011 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -40,13 +40,13 @@
#include "procstat.h"
static int aflag, bflag, cflag, fflag, iflag, jflag, kflag, sflag, tflag, vflag;
-int hflag, nflag;
+int hflag, nflag, Cflag;
static void
usage(void)
{
- fprintf(stderr, "usage: procstat [-h] [-M core] [-N system] "
+ fprintf(stderr, "usage: procstat [-h] [-C] [-M core] [-N system] "
"[-w interval] [-b | -c | -f | -i | -j | -k | -s | -t | -v]\n");
fprintf(stderr, " [-a | pid ...]\n");
exit(EX_USAGE);
@@ -117,8 +117,12 @@ main(int argc, char *argv[])
interval = 0;
memf = nlistf = NULL;
- while ((ch = getopt(argc, argv, "N:M:abcfijkhstvw:")) != -1) {
+ while ((ch = getopt(argc, argv, "CN:M:abcfijkhstvw:")) != -1) {
switch (ch) {
+ case 'C':
+ Cflag++;
+ break;
+
case 'M':
memf = optarg;
break;
@@ -204,6 +208,10 @@ main(int argc, char *argv[])
if (!(aflag == 1 && argc == 0) && !(aflag == 0 && argc > 0))
usage();
+ /* Only allow -C with -f. */
+ if (Cflag && !fflag)
+ usage();
+
if (memf != NULL)
prstat = procstat_open_kvm(nlistf, memf);
else
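Review bot: The new guard rejects `-C` without `-f` but says nothing about `-M core`, even though the commit message states that capabilities are not unwrapped when operating on a crashdump; `procstat -C -f -M core` will therefore print a CAPABILITIES column whose content is likely incomplete with no indication to the user. At minimum the comment should record the limitation, e.g. `/* Only allow -C with -f; rights are not yet unwrapped for -M core. */`, and a warning next to the check would be better, e.g. `if (Cflag && memf != NULL) warnx("-C: capability rights are not decoded from crash dumps");` (warnx from <err.h>, if the file does not already include it). main() continues outside this hunk.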
diff --git a/usr.bin/procstat/procstat.h b/usr.bin/procstat/procstat.h
index ad425f3..71e3ca7 100644
--- a/usr.bin/procstat/procstat.h
+++ b/usr.bin/procstat/procstat.h
@@ -29,7 +29,7 @@
#ifndef PROCSTAT_H
#define PROCSTAT_H
-extern int hflag, nflag;
+extern int hflag, nflag, Cflag;
struct kinfo_proc;
void kinfo_proc_sort(struct kinfo_proc *kipp, int count);
diff --git a/usr.bin/procstat/procstat_cred.c b/usr.bin/procstat/procstat_cred.c
index ea8fdfd..12db429 100644
--- a/usr.bin/procstat/procstat_cred.c
+++ b/usr.bin/procstat/procstat_cred.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2007 Robert N. M. Watson
+ * Copyright (c) 2007-2008 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -48,9 +48,9 @@ procstat_cred(struct kinfo_proc *kipp)
gid_t *groups = NULL;
if (!hflag)
- printf("%5s %-16s %5s %5s %5s %5s %5s %5s %-20s\n", "PID",
+ printf("%5s %-16s %5s %5s %5s %5s %5s %5s %5s %-15s\n", "PID",
"COMM", "EUID", "RUID", "SVUID", "EGID", "RGID", "SVGID",
- "GROUPS");
+ "FLAGS", "GROUPS");
printf("%5d ", kipp->ki_pid);
printf("%-16s ", kipp->ki_comm);
@@ -60,6 +60,8 @@ procstat_cred(struct kinfo_proc *kipp)
printf("%5d ", kipp->ki_groups[0]);
printf("%5d ", kipp->ki_rgid);
printf("%5d ", kipp->ki_svgid);
+ printf("%s", kipp->ki_cr_flags & CRED_FLAG_CAPMODE ? "C" : "-");
+ printf(" ");
/*
* We may have too many groups to fit in kinfo_proc's statically
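Review bot: The FLAGS cell emitted by the two new printf() calls is a single character plus one space, while the header added in the previous hunk reserves `%5s ` for FLAGS, so the GROUPS column of every data row is shifted four positions left of its heading. Replacing the two lines with `printf("%5s ", kipp->ki_cr_flags & CRED_FLAG_CAPMODE ? "C" : "-");` aligns the cell with the header and leaves room for further flag letters. procstat_cred() continues outside this hunk.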
diff --git a/usr.bin/procstat/procstat_files.c b/usr.bin/procstat/procstat_files.c
index f7d91a4..84737a1 100644
--- a/usr.bin/procstat/procstat_files.c
+++ b/usr.bin/procstat/procstat_files.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2007 Robert N. M. Watson
+ * Copyright (c) 2007-2011 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -27,6 +27,7 @@
*/
#include <sys/param.h>
+#include <sys/capability.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <sys/un.h>
@@ -131,6 +132,133 @@ print_address(struct sockaddr_storage *ss)
printf("%s", addr);
}
+static struct cap_desc {
+ cap_rights_t cd_right;
+ const char *cd_desc;
+} cap_desc[] = {
+ /* General file I/O. */
+ { CAP_READ, "rd" },
+ { CAP_WRITE, "wr" },
+ { CAP_MMAP, "mm" },
+ { CAP_MAPEXEC, "me" },
+ { CAP_FEXECVE, "fe" },
+ { CAP_FSYNC, "fy" },
+ { CAP_FTRUNCATE, "ft" },
+ { CAP_SEEK, "se" },
+
+ /* VFS methods. */
+ { CAP_FCHFLAGS, "cf" },
+ { CAP_FCHDIR, "cd" },
+ { CAP_FCHMOD, "cm" },
+ { CAP_FCHOWN, "cn" },
+ { CAP_FCNTL, "fc" },
+ { CAP_FPATHCONF, "fp" },
+ { CAP_FLOCK, "fl" },
+ { CAP_FSCK, "fk" },
+ { CAP_FSTAT, "fs" },
+ { CAP_FSTATFS, "sf" },
+ { CAP_FUTIMES, "fu" },
+ { CAP_CREATE, "cr" },
+ { CAP_DELETE, "de" },
+ { CAP_MKDIR, "md" },
+ { CAP_RMDIR, "rm" },
+ { CAP_MKFIFO, "mf" },
+
+ /* Lookups - used to constraint *at() calls. */
+ { CAP_LOOKUP, "lo" },
+
+ /* Extended attributes. */
+ { CAP_EXTATTR_GET, "eg" },
+ { CAP_EXTATTR_SET, "es" },
+ { CAP_EXTATTR_DELETE, "ed" },
+ { CAP_EXTATTR_LIST, "el" },
+
+ /* Access Control Lists. */
+ { CAP_ACL_GET, "ag" },
+ { CAP_ACL_SET, "as" },
+ { CAP_ACL_DELETE, "ad" },
+ { CAP_ACL_CHECK, "ac" },
+
+ /* Socket operations. */
+ { CAP_ACCEPT, "at" },
+ { CAP_BIND, "bd" },
+ { CAP_CONNECT, "co" },
+ { CAP_GETPEERNAME, "pn" },
+ { CAP_GETSOCKNAME, "sn" },
+ { CAP_GETSOCKOPT, "gs" },
+ { CAP_LISTEN, "ln" },
+ { CAP_PEELOFF, "pf" },
+ { CAP_SETSOCKOPT, "ss" },
+ { CAP_SHUTDOWN, "sh" },
+
+ /* Mandatory Access Control. */
+ { CAP_MAC_GET, "mg" },
+ { CAP_MAC_SET, "ms" },
+
+ /* Methods on semaphores. */
+ { CAP_SEM_GETVALUE, "sg" },
+ { CAP_SEM_POST, "sp" },
+ { CAP_SEM_WAIT, "sw" },
+
+ /* Event monitoring and posting. */
+ { CAP_POLL_EVENT, "po" },
+ { CAP_POST_EVENT, "ev" },
+
+ /* Strange and powerful rights that should not be given lightly. */
+ { CAP_IOCTL, "io" },
+ { CAP_TTYHOOK, "ty" },
+
+#ifdef NOTYET
+ { CAP_PDGETPID, "pg" },
+ { CAP_PDWAIT4, "pw" },
+ { CAP_PDKILL, "pk" },
+#endif
+};
+static const u_int cap_desc_count = sizeof(cap_desc) /
+ sizeof(cap_desc[0]);
+
+static u_int
+width_capability(cap_rights_t rights)
+{
+ u_int count, i, width;
+
+ count = 0;
+ width = 0;
+ for (i = 0; i < cap_desc_count; i++) {
+ if (rights & cap_desc[i].cd_right) {
+ width += strlen(cap_desc[i].cd_desc);
+ if (count)
+ width++;
+ count++;
+ }
+ }
+ return (width);
+}
+
+static void
+print_capability(cap_rights_t rights, u_int capwidth)
+{
+ u_int count, i, width;
+
+ count = 0;
+ width = 0;
+ for (i = width_capability(rights); i < capwidth; i++) {
+ if (rights || i != 0)
+ printf(" ");
+ else
+ printf("-");
+ }
+ for (i = 0; i < cap_desc_count; i++) {
+ if (rights & cap_desc[i].cd_right) {
+ printf("%s%s", count ? "," : "", cap_desc[i].cd_desc);
+ width += strlen(cap_desc[i].cd_desc);
+ if (count)
+ width++;
+ count++;
+ }
+ }
+}
+
void
procstat_files(struct procstat *procstat, struct kinfo_proc *kipp)
{
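Review bot: print_capability() only emits rights that have an entry in cap_desc[], so any bit set in fs_cap_rights without a table entry (the process-descriptor rights under #ifdef NOTYET, or any right added to the kernel later) vanishes from the output while the row still looks complete; for a tool whose purpose is to audit sandbox rights that is a silent under-report. I would clear the known bits while iterating and append any remainder as a hex token, with the same term added to width_capability() so the column stays aligned. Separately, the `width` local in print_capability() is written but never read and should be removed, and the table can be `static const struct cap_desc` since nothing writes to it.
```c
static void
print_capability(cap_rights_t rights, u_int capwidth)
{
	cap_rights_t unknown;
	u_int count, i;

	count = 0;
	/* … unchanged: padding loop up to capwidth … */
	unknown = rights;
	for (i = 0; i < cap_desc_count; i++) {
		if (rights & cap_desc[i].cd_right) {
			printf("%s%s", count ? "," : "", cap_desc[i].cd_desc);
			count++;
		}
		unknown &= ~cap_desc[i].cd_right;
	}
	/* Never drop undecoded rights silently; show them raw. */
	if (unknown != 0)
		printf("%s0x%jx", count ? "," : "", (uintmax_t)unknown);
}
```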
@@ -139,14 +267,39 @@ procstat_files(struct procstat *procstat, struct kinfo_proc *kipp)
struct filestat *fst;
const char *str;
struct vnstat vn;
+ u_int capwidth, width;
int error;
- if (!hflag)
- printf("%5s %-16s %4s %1s %1s %-8s %3s %7s %-3s %-12s\n",
- "PID", "COMM", "FD", "T", "V", "FLAGS", "REF", "OFFSET",
- "PRO", "NAME");
-
+ /*
+ * To print the header in capability mode, we need to know the width
+ * of the widest capability string. Even if we get no processes
+ * back, we will print the header, so we defer aborting due to a lack
+ * of processes until after the header logic.
+ */
+ capwidth = 0;
head = procstat_getfiles(procstat, kipp, 0);
+ if (head != NULL && Cflag) {
+ STAILQ_FOREACH(fst, head, next) {
+ width = width_capability(fst->fs_cap_rights);
+ if (width > capwidth)
+ capwidth = width;
+ }
+ if (capwidth < strlen("CAPABILITIES"))
+ capwidth = strlen("CAPABILITIES");
+ }
+
+ if (!hflag) {
+ if (Cflag)
+ printf("%5s %-16s %4s %1s %-9s %-*s "
+ "%-3s %-12s\n", "PID", "COMM", "FD", "T",
+ "FLAGS", capwidth, "CAPABILITIES", "PRO",
+ "NAME");
+ else
+ printf("%5s %-16s %4s %1s %1s %-9s "
+ "%3s %7s %-3s %-12s\n", "PID", "COMM", "FD", "T",
+ "V", "FLAGS", "REF", "OFFSET", "PRO", "NAME");
+ }
+
if (head == NULL)
return;
STAILQ_FOREACH(fst, head, next) {
@@ -215,50 +368,53 @@ procstat_files(struct procstat *procstat, struct kinfo_proc *kipp)
break;
}
printf("%1s ", str);
- str = "-";
- if (fst->fs_type == PS_FST_TYPE_VNODE) {
- error = procstat_get_vnode_info(procstat, fst, &vn, NULL);
- switch (vn.vn_type) {
- case PS_FST_VTYPE_VREG:
- str = "r";
- break;
-
- case PS_FST_VTYPE_VDIR:
- str = "d";
- break;
-
- case PS_FST_VTYPE_VBLK:
- str = "b";
- break;
-
- case PS_FST_VTYPE_VCHR:
- str = "c";
- break;
-
- case PS_FST_VTYPE_VLNK:
- str = "l";
- break;
-
- case PS_FST_VTYPE_VSOCK:
- str = "s";
- break;
-
- case PS_FST_VTYPE_VFIFO:
- str = "f";
- break;
-
- case PS_FST_VTYPE_VBAD:
- str = "x";
- break;
-
- case PS_FST_VTYPE_VNON:
- case PS_FST_VTYPE_UNKNOWN:
- default:
- str = "?";
- break;
+ if (!Cflag) {
+ str = "-";
+ if (fst->fs_type == PS_FST_TYPE_VNODE) {
+ error = procstat_get_vnode_info(procstat, fst,
+ &vn, NULL);
+ switch (vn.vn_type) {
+ case PS_FST_VTYPE_VREG:
+ str = "r";
+ break;
+
+ case PS_FST_VTYPE_VDIR:
+ str = "d";
+ break;
+
+ case PS_FST_VTYPE_VBLK:
+ str = "b";
+ break;
+
+ case PS_FST_VTYPE_VCHR:
+ str = "c";
+ break;
+
+ case PS_FST_VTYPE_VLNK:
+ str = "l";
+ break;
+
+ case PS_FST_VTYPE_VSOCK:
+ str = "s";
+ break;
+
+ case PS_FST_VTYPE_VFIFO:
+ str = "f";
+ break;
+
+ case PS_FST_VTYPE_VBAD:
+ str = "x";
+ break;
+
+ case PS_FST_VTYPE_VNON:
+ case PS_FST_VTYPE_UNKNOWN:
+ default:
+ str = "?";
+ break;
+ }
}
+ printf("%1s ", str);
}
- printf("%1s ", str);
printf("%s", fst->fs_fflags & PS_FST_FFLAG_READ ? "r" : "-");
printf("%s", fst->fs_fflags & PS_FST_FFLAG_WRITE ? "w" : "-");
printf("%s", fst->fs_fflags & PS_FST_FFLAG_APPEND ? "a" : "-");
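Review bot: On the new side the return value of procstat_get_vnode_info() is stored in `error` but never consulted before `switch (vn.vn_type)`; `vn` is a plain local declared without an initializer, so a failed lookup makes the switch read an indeterminate value and print whatever letter that happens to select. Since this block is being re-indented anyway, guard it: `if (error != 0) str = "?"; else switch (vn.vn_type) {` with the existing closing brace, so a failed query is reported rather than guessed. The enclosing STAILQ_FOREACH body continues outside this hunk.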
@@ -266,16 +422,23 @@ procstat_files(struct procstat *procstat, struct kinfo_proc *kipp)
printf("%s", fst->fs_fflags & PS_FST_FFLAG_SYNC ? "f" : "-");
printf("%s", fst->fs_fflags & PS_FST_FFLAG_NONBLOCK ? "n" : "-");
printf("%s", fst->fs_fflags & PS_FST_FFLAG_DIRECT ? "d" : "-");
- printf("%s ", fst->fs_fflags & PS_FST_FFLAG_HASLOCK ? "l" : "-");
- if (fst->fs_ref_count > -1)
- printf("%3d ", fst->fs_ref_count);
- else
- printf("%3c ", '-');
- if (fst->fs_offset > -1)
- printf("%7jd ", (intmax_t)fst->fs_offset);
- else
- printf("%7c ", '-');
-
+ printf("%s", fst->fs_fflags & PS_FST_FFLAG_HASLOCK ? "l" : "-");
+ printf("%s ", fst->fs_fflags & PS_FST_FFLAG_CAPABILITY ?
+ "c" : "-");
+ if (!Cflag) {
+ if (fst->fs_ref_count > -1)
+ printf("%3d ", fst->fs_ref_count);
+ else
+ printf("%3c ", '-');
+ if (fst->fs_offset > -1)
+ printf("%7jd ", (intmax_t)fst->fs_offset);
+ else
+ printf("%7c ", '-');
+ }
+ if (Cflag) {
+ print_capability(fst->fs_cap_rights, capwidth);
+ printf(" ");
+ }
switch (fst->fs_type) {
case PS_FST_TYPE_VNODE:
case PS_FST_TYPE_FIFO:
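Review bot: The two consecutive blocks testing `!Cflag` and then `Cflag` are one if/else written as two independent ifs; `} else {` in place of the second `if (Cflag) {` states the intent directly and removes the implicit assumption that Cflag is unchanged between the two tests. No behaviour change. The loop body continues past this hunk.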
@@ -314,7 +477,6 @@ procstat_files(struct procstat *procstat, struct kinfo_proc *kipp)
break;
default:
- printf("%-3s ", "-");
printf("%-18s", "-");
}