DragonFlyBSD Kernel Audit
DF-0015 / run.log
← back to finding ↓ download raw
running as uid=1001 (./leak_pathname); self pid=1855; target pid=1 (not ours)
kern.ps_argsopen = 0

=== exe-path leak via kern.proc.pathname.<target> ===
  kern.proc.pathname     .1    : rc=0 len= 11  '/sbin/init'

=== contrast: gated siblings on the same target ===
  kern.proc.args         .1    : rc=0 len=0  (blocked/empty)
  kern.proc.cwd          .1    : rc=0 len=0  (blocked/empty)

=== self control (we own self) ===
  kern.proc.pathname     .1855 : rc=0 len= 37  '/home/maxx/poc/DF-0015/leak_pathname'

=== several other root-owned daemons ===
  kern.proc.pathname     .1    : rc=0 len= 11  '/sbin/init'
  kern.proc.pathname     .68   : rc=0 len= 14  '/sbin/hammer2'
  kern.proc.pathname     .285  : rc=0 len= 15  '/sbin/dhclient'
  kern.proc.pathname     .328  : rc=0 len= 11  '/sbin/devd'
  kern.proc.pathname     .411  : rc=0 len= 18  '/usr/sbin/syslogd'
  kern.proc.pathname     .699  : rc=0 len= 15  '/usr/sbin/sshd'
  kern.proc.pathname     .730  : rc=0 len= 15  '/usr/sbin/cron'

INTERPRETATION:
  - pathname.<target> returns a path  -> exe path of a process we
    do NOT own is leaked to us.
  - If ps_argsopen==0 and args/cwd are blocked while pathname is
    NOT, then pathname is the un-gated sibling -> DF-0015 reproduced.
RUN_EXIT=0