![[BACK]](/icons/back.gif){kind=icon}
Up to [local] / src / sbin / pflogd
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.35 / (download) - annotate - [select for diffs], Mon Jul 12 15:09:19 2021 UTC (2 years, 10 months ago) by beck
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE,
OPENBSD_7_5,
OPENBSD_7_4_BASE,
OPENBSD_7_4,
OPENBSD_7_3_BASE,
OPENBSD_7_3,
OPENBSD_7_2_BASE,
OPENBSD_7_2,
OPENBSD_7_1_BASE,
OPENBSD_7_1,
OPENBSD_7_0_BASE,
OPENBSD_7_0,
HEAD
Changes since 1.34: +6 -6 lines
Diff to previous 1.34 (colored)
Change the error reporting pattern throughout the tree when unveil fails to report the path that the failure occured on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@
Revision 1.34 / (download) - annotate - [select for diffs], Wed Nov 27 17:49:09 2019 UTC (4 years, 6 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE,
OPENBSD_6_9,
OPENBSD_6_8_BASE,
OPENBSD_6_8,
OPENBSD_6_7_BASE,
OPENBSD_6_7
Changes since 1.33: +6 -4 lines
Diff to previous 1.33 (colored)
use _PATH_ names for unveil if possible
Revision 1.33 / (download) - annotate - [select for diffs], Fri Jun 28 13:32:45 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE,
OPENBSD_6_6
Changes since 1.32: +3 -3 lines
Diff to previous 1.32 (colored)
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
Revision 1.32 / (download) - annotate - [select for diffs], Sun Aug 26 18:26:51 2018 UTC (5 years, 9 months ago) by brynet
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE,
OPENBSD_6_5,
OPENBSD_6_4_BASE,
OPENBSD_6_4
Changes since 1.31: +14 -1 lines
Diff to previous 1.31 (colored)
Unveil pflogd(8). Similiar to florian@'s recent changes to ifconfig(8),
the priviledged parent cannot be pledged due to certain ioctls, but we
can use unveil(2) to lock down its access to the filesystem.
To be able to use hostnames/dns in tcpdump-like filter expressions,
we unveil /etc/{resolv.conf,hosts,services} "r", kept in sync with the
kernel bypass for pledge("dns")
Additionally, we need to unveil /dev/bpf "r" and the output log file
"rwc".
The unpriviledged child is pledged "stdio recvfd" and thus does not need
any unveils.
With feedback/testing from florian@, deraadt@
ok florian@ deraadt@
Revision 1.31 / (download) - annotate - [select for diffs], Sun Aug 26 18:24:46 2018 UTC (5 years, 9 months ago) by brynet
Branch: MAIN
Changes since 1.30: +1 -68 lines
Diff to previous 1.30 (colored)
pflogd(8): don't try to rename(2) broken/invalid pflog files, instead, suspend logging until the log file has been moved out of the way, and we have received either SIGHUP or SIGALRM. ok florian@ deraadt@
Revision 1.30 / (download) - annotate - [select for diffs], Sat Sep 9 13:02:52 2017 UTC (6 years, 8 months ago) by brynet
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE,
OPENBSD_6_3,
OPENBSD_6_2_BASE,
OPENBSD_6_2
Changes since 1.29: +40 -57 lines
Diff to previous 1.29 (colored)
Rework pflogd(8)'s fork+exec model; re-exec the unpriv child, not the privileged parent. Based on feedback from deraadt@ and bluhm@ (worked on syslogd). ok deraadt@
Revision 1.29 / (download) - annotate - [select for diffs], Wed Sep 6 12:43:16 2017 UTC (6 years, 8 months ago) by brynet
Branch: MAIN
Changes since 1.28: +2 -13 lines
Diff to previous 1.28 (colored)
pflogd(8) currently spams the console on shutdown if syslogd(8) wins the race to die, so just stop logging pflogd exits. This logging probably comes from the fact that pflogd was largely based on syslogd. Removes the annoying "pflogd[23954]: Exiting" messages pointed out by deraadt@ Also cleanup some missed SIGCHLD handling code that is no longer needed. "LGTM" mikeb@
Revision 1.28 / (download) - annotate - [select for diffs], Tue Sep 5 15:41:25 2017 UTC (6 years, 8 months ago) by brynet
Branch: MAIN
Changes since 1.27: +110 -16 lines
Diff to previous 1.27 (colored)
fork+exec model for pflogd(8); move pcap init to the re-exec'd privsep parent and use 'legit' fdpassing primitives to send the bpf fd to the unprivileged child process. Also reduces the pledge(2) promises in the unpriv child to just "stdio recvfd" with help from deraadt, pcap feedback from canacar ok deraadt@
Revision 1.27 / (download) - annotate - [select for diffs], Sat Aug 12 16:31:09 2017 UTC (6 years, 9 months ago) by florian
Branch: MAIN
Changes since 1.26: +3 -3 lines
Diff to previous 1.26 (colored)
Make not yet implemented pledges more visible in grep output. input benno, deraadt, tedu also standardize on #if 0 since it makes tedu's editor vomit. OK benno, pirofti on a previous version
Revision 1.26 / (download) - annotate - [select for diffs], Tue Jul 4 23:13:09 2017 UTC (6 years, 10 months ago) by mestre
Branch: MAIN
Changes since 1.25: +4 -1 lines
Diff to previous 1.25 (colored)
Revert back previous, pledge cannot be enabled on the privsep'd proc yet, at least not as is Reported by tim@, OK deraadt@ to backout the pledge for now
Revision 1.25 / (download) - annotate - [select for diffs], Mon Jun 12 23:37:44 2017 UTC (6 years, 11 months ago) by mestre
Branch: MAIN
Changes since 1.24: +2 -5 lines
Diff to previous 1.24 (colored)
pledge(2) bpf has been in use for some time now on tcpdump(8), this will enable it also for pflogd(8)'s priv proc. OK deraadt@
Revision 1.24 / (download) - annotate - [select for diffs], Mon Jan 23 04:25:05 2017 UTC (7 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE,
OPENBSD_6_1
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored)
Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only upon "inet". Adjust the 4 programs that care about this.
Revision 1.23 / (download) - annotate - [select for diffs], Mon Jan 23 03:47:37 2017 UTC (7 years, 4 months ago) by benno
Branch: MAIN
Changes since 1.22: +2 -2 lines
Diff to previous 1.22 (colored)
pflogd will need pledge(proc), still disabled because of bfd ok deraadt@
Revision 1.22 / (download) - annotate - [select for diffs], Sat Jan 16 03:17:48 2016 UTC (8 years, 4 months ago) by canacar
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE,
OPENBSD_6_0,
OPENBSD_5_9_BASE,
OPENBSD_5_9
Changes since 1.21: +1 -33 lines
Diff to previous 1.21 (colored)
Interface status printing (at exit and USR1) was broken for a while. Remove it completely to simplify the code. even better deraadt@
Revision 1.21 / (download) - annotate - [select for diffs], Sat Oct 10 22:36:06 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.20: +49 -8 lines
Diff to previous 1.20 (colored)
pflogd contained the same "privsep error" as tcpdump -- assuming that it can ioctl()'s against a bpf device node. Privsep that operation via a message to the parent process. Unfortunately "rpath wpath cpath" is still needed due to SIGHUP handling, but I have asked canacar the expert to look into this.
Revision 1.20 / (download) - annotate - [select for diffs], Tue Apr 28 05:54:31 2015 UTC (9 years, 1 month ago) by mlarkin
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE,
OPENBSD_5_8
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored)
Someone went to the trouble of vertically aligning a set of parameters but missed one. This diff is only a spacing change.
Revision 1.19 / (download) - annotate - [select for diffs], Thu Jun 26 17:56:09 2014 UTC (9 years, 11 months ago) by tobias
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE,
OPENBSD_5_7,
OPENBSD_5_6_BASE,
OPENBSD_5_6
Changes since 1.18: +5 -6 lines
Diff to previous 1.18 (colored)
Create temporary file with mkstemp and unlink if rename operation fails. ok deraadt@, henning@
Revision 1.18 / (download) - annotate - [select for diffs], Fri Sep 13 08:49:17 2013 UTC (10 years, 8 months ago) by blambert
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE,
OPENBSD_5_5
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored)
errx() provides its own newline, so remove it from the string here ok henning@
Revision 1.17 / (download) - annotate - [select for diffs], Thu Dec 24 10:06:35 2009 UTC (14 years, 5 months ago) by sobrado
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE,
OPENBSD_5_4,
OPENBSD_5_3_BASE,
OPENBSD_5_3,
OPENBSD_5_2_BASE,
OPENBSD_5_2,
OPENBSD_5_1_BASE,
OPENBSD_5_1,
OPENBSD_5_0_BASE,
OPENBSD_5_0,
OPENBSD_4_9_BASE,
OPENBSD_4_9,
OPENBSD_4_8_BASE,
OPENBSD_4_8,
OPENBSD_4_7_BASE,
OPENBSD_4_7
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored)
spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h as neither arrayified not arrayfied exist -- sanctioned dictionaries like Merriam-Webster ones suggest a few alternatives (e.g., arrayed), however these made up words are easy to understand and we are not certain that current ones are not ok. ok jmc@
Revision 1.16 / (download) - annotate - [select for diffs], Wed Oct 25 20:55:04 2006 UTC (17 years, 7 months ago) by moritz
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE,
OPENBSD_4_6,
OPENBSD_4_5_BASE,
OPENBSD_4_5,
OPENBSD_4_4_BASE,
OPENBSD_4_4,
OPENBSD_4_3_BASE,
OPENBSD_4_3,
OPENBSD_4_2_BASE,
OPENBSD_4_2,
OPENBSD_4_1_BASE,
OPENBSD_4_1
Changes since 1.15: +1 -4 lines
Diff to previous 1.15 (colored)
Remove some unneeded externs. OK canacar@
Revision 1.15 / (download) - annotate - [select for diffs], Mon Mar 6 10:45:56 2006 UTC (18 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE,
OPENBSD_4_0
Changes since 1.14: +5 -9 lines
Diff to previous 1.14 (colored)
convert permanent privilege revocation to use setresuid/setresgid; ok henning@
Revision 1.14 / (download) - annotate - [select for diffs], Sun Jan 15 16:38:04 2006 UTC (18 years, 4 months ago) by canacar
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE,
OPENBSD_3_9
Changes since 1.13: +67 -2 lines
Diff to previous 1.13 (colored)
If the log file is invalid/incompatible, try to rename the bad log file and continue with a new name instead of suspending. ok mcbride@
Revision 1.13 / (download) - annotate - [select for diffs], Wed Dec 22 09:21:02 2004 UTC (19 years, 5 months ago) by otto
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE,
OPENBSD_3_8,
OPENBSD_3_7_BASE,
OPENBSD_3_7
Changes since 1.12: +4 -2 lines
Diff to previous 1.12 (colored)
also pass SIGINT/QUIT to child, from mpech@. ok avsm@
Revision 1.12 / (download) - annotate - [select for diffs], Wed Jul 14 19:07:03 2004 UTC (19 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE,
OPENBSD_3_6
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)
no \n in errx(3) From: Andrey Matveev <andrushock@korovino.net>
Revision 1.11 / (download) - annotate - [select for diffs], Thu Apr 8 14:32:47 2004 UTC (20 years, 1 month ago) by avsm
Branch: MAIN
Changes since 1.10: +5 -4 lines
Diff to previous 1.10 (colored)
sigh, really fix the error message this time, thanks Moritz Jodeit
Revision 1.10 / (download) - annotate - [select for diffs], Thu Apr 8 12:26:06 2004 UTC (20 years, 1 month ago) by avsm
Branch: MAIN
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored)
reorder error message and send_fd in order to display the correct errno in error message; pointed out by Moritz Jodeit <moritz at jodeit.org>
Revision 1.9 / (download) - annotate - [select for diffs], Sat Apr 3 10:21:18 2004 UTC (20 years, 2 months ago) by avsm
Branch: MAIN
Changes since 1.8: +4 -3 lines
Diff to previous 1.8 (colored)
dont close an invalid fd, canacar@ ok
Revision 1.8 / (download) - annotate - [select for diffs], Sun Mar 14 19:17:05 2004 UTC (20 years, 2 months ago) by otto
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE,
OPENBSD_3_5
Changes since 1.7: +3 -2 lines
Diff to previous 1.7 (colored)
Check return code of chdir() after chroot(); noted by Joris Vink, slight mod from avsm@. ok avsm@ hshoexer@ henning@
Revision 1.7 / (download) - annotate - [select for diffs], Fri Feb 13 19:01:57 2004 UTC (20 years, 3 months ago) by otto
Branch: MAIN
Changes since 1.6: +9 -5 lines
Diff to previous 1.6 (colored)
cleanup signal handling; close descriptors. ok avsm@ millert@ canacar@
Revision 1.6 / (download) - annotate - [select for diffs], Sun Jan 18 14:21:52 2004 UTC (20 years, 4 months ago) by canacar
Branch: MAIN
Changes since 1.5: +5 -4 lines
Diff to previous 1.5 (colored)
Create log files if they do not already exist, but do not follow symlinks. ok markus@
Revision 1.5 / (download) - annotate - [select for diffs], Thu Jan 15 20:10:43 2004 UTC (20 years, 4 months ago) by canacar
Branch: MAIN
Changes since 1.4: +27 -3 lines
Diff to previous 1.4 (colored)
Synchronize with syslogd privsep: When reading a new command fails, terminate the loop instead of exiting directly, suggested by avsm@ Also get rid of trailing comma in enum, makes lint(1) happier, from Andrey Matveev andrushock at korovino dot net
Revision 1.4 / (download) - annotate - [select for diffs], Wed Oct 22 19:53:15 2003 UTC (20 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +2 -2 lines
Diff to previous 1.3 (colored)
spacing
Revision 1.3 / (download) - annotate - [select for diffs], Wed Oct 22 19:35:44 2003 UTC (20 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +6 -0 lines
Diff to previous 1.2 (colored)
use setgroups too; canacar ok
Revision 1.2 / (download) - annotate - [select for diffs], Wed Oct 22 19:21:57 2003 UTC (20 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.1: +4 -3 lines
Diff to previous 1.1 (colored)
caution with kill
Revision 1.1 / (download) - annotate - [select for diffs], Wed Oct 22 18:51:55 2003 UTC (20 years, 7 months ago) by canacar
Branch: MAIN
privilege seperated pflogd _pflogd user and group must be created for proper operation. ok frantzen@ henning@ mcbride@ deraadt@