OpenBSD CVS

CVS log for src/sys/kern/kern_pledge.c

Default branch: MAIN


Revision 1.316, Mon Jun 3 03:41:47 2024 UTC (8 days, 10 hours ago) by deraadt
Branch: MAIN
CVS Tags: HEAD
Changes since 1.315: +3 -3 lines

avoid shadowing a local variable in a lower scope

Revision 1.315, Sun Jun 2 15:31:56 2024 UTC (8 days, 22 hours ago) by deraadt
Branch: MAIN
Changes since 1.314: +3 -3 lines

pledge, MAP_STACK, and pinsyscall failures have been providing failure
visibility with kernel printf(9) (thus, onto console and into dmesg) since
the start of development.  I want to reduce the dmesg spam, and bring
this more into the attention of the user who ran the command, so let's
try using uprintf(9) which puts it onto the active foreground tty (yes,
there may be cases where there is no tty, but that's ok.  I'll admit
I've considered deleting the logging messages entirely)
tested in snaps for a week

Revision 1.314, Sat May 18 05:20:22 2024 UTC (3 weeks, 3 days ago) by guenther
Branch: MAIN
Changes since 1.313: +2 -1 lines

Add pathconfat(2): pathconf(2) but with at-fd and flags arguments,
the latter supporting the ability to get timestamp resolution of
symlinks.

ok deraadt@ millert@

Revision 1.313, Fri Apr 5 13:55:26 2024 UTC (2 months ago) by deraadt
Branch: MAIN
Changes since 1.312: +1 -2 lines

no one calls msyscall() anymore.

Revision 1.312, Thu Mar 28 02:19:57 2024 UTC (2 months, 2 weeks ago) by deraadt
Branch: MAIN
Changes since 1.311: +1 -2 lines

Delete pinsyscall(2) [which was specific only to SYS_execve] now
that it has been replaced with pinsyscalls(2) [which tells the kernel
the location of all system calls in libc.so]
floated to various people before release, but it was prudent to wait.

Revision 1.311, Fri Mar 22 05:54:25 2024 UTC (2 months, 2 weeks ago) by ratchov
Branch: MAIN
Changes since 1.310: +2 -1 lines

pledge: Allow the AUDIO_GETDEV ioctl in "audio"

ok deraadt, kn, phessler

Revision 1.310, Tue Dec 12 17:43:10 2023 UTC (5 months, 4 weeks ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.309: +2 -1 lines

put pinsyscalls(2) into the "always" group

Revision 1.309, Fri Sep 29 12:47:34 2023 UTC (8 months, 1 week ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.308: +3 -3 lines

Extend single_thread_set() mode with additional flag attributes.

The mode can now be or-ed with SINGLE_DEEP or SINGLE_NOWAIT to alter
the behaviour of single_thread_set(). This allows explicit control
of the SINGLE_DEEP behaviour.

If SINGLE_DEEP is set the deep flag is passed to the initial check call
and by that the check will error out instead of suspending (SINGLE_UNWIND)
or exiting (SINGLE_EXIT). The SINGLE_DEEP flag is required in calls to
single_thread_set() outside of userret. E.g. at the start of sys_execve
because the proc is not allowed to call exit1() in that location.

SINGLE_NOWAIT skips the wait at the end of single_thread_set() and therefore
returns BEFORE all threads have been parked. Currently this is only used by
the ptrace code and should not be used anywhere else. Not waiting for all
threads to settle is asking for trouble.

This solves an issue by using SINGLE_UNWIND in the coredump case where
the code should actually exit in case another thread crashed moments earlier.
Also the SINGLE_UNWIND in pledge_fail() is now marked SINGLE_DEEP since
the call to pledge_fail() is for sure not at the kernel boundary.

OK mpi@

Revision 1.308, Tue Sep 19 10:43:33 2023 UTC (8 months, 3 weeks ago) by claudio
Branch: MAIN
Changes since 1.307: +2 -2 lines

Before coredump or in pledge_fail use SINGLE_UNWIND to stop all threads.

SINGLE_UNWIND unwinds to the kernel boundary. On the other hand
SINGLE_SUSPEND will sleep inside tsleep(9) and other sleep functions.
Since the code will exit1() very soon after it is better to already unwind.
Now one could argue that for coredumps all threads should stop asap to
get a clean dump. Using SINGLE_UNWIND the sleep will fail with ERESTART
and no copyout should happen in that case.

This is a bit of a workaround since SINGLE_SUSPEND has a small race
where single_thread_wait() returns before all threads are really stopped.
When SINGLE_EXIT is called quickly after this can blow up inside
sleep_finish.

Reported-by: syzbot+3ef066fcfaf991f2ac2c@syzkaller.appspotmail.com

OK mpi@ kettenis@

Revision 1.307, Sun Aug 20 15:13:43 2023 UTC (9 months, 3 weeks ago) by visa
Branch: MAIN
Changes since 1.306: +2 -1 lines

Add kqueue1() system call

kqueue1() takes the flags argument. This lets the kqueue file descriptor
be opened with O_CLOEXEC. Adapted from NetBSD.

OK guenther@

Revision 1.306, Fri Jun 2 17:44:29 2023 UTC (12 months, 1 week ago) by cheloha
Branch: MAIN
Changes since 1.305: +14 -1 lines

pledge(2): stdio: permit restricted profil(2) for moncontrol(3)

Currently, pledged '-pg' binaries get killed in _mcleanup() when they
try to disable profil(2) via moncontrol(3).

Disabling profil(2) is harmless.  Add profil(2) to the "stdio"
pledge(2) promise and permit profil(2) calls when the scale argument
is zero.  Enabling profil(2) remains forbidden in pledged processes.

This gets us one step closer to making '-pg' binaries compatible with
pledge(2).  The next step is to decide how to exfiltrate the profiling
data from the process during _mcleanup().

Prompted by semarie@.  Cleaned up by deraadt@.  With input from
deraadt@, espie@, and semarie@.

"Looks good" deraadt@
pledge(2) pieces ok semarie@

Revision 1.305, Fri May 19 01:12:23 2023 UTC (12 months, 3 weeks ago) by guenther
Branch: MAIN
Changes since 1.304: +2 -1 lines

Since waitid(2) shares code with wait4(2) and doesn't expose any
non-trivial new information or code-paths over wait4(), include
it in pledge("stdio")

discussed with deraadt@

Revision 1.304, Sun Feb 19 18:46:46 2023 UTC (15 months, 3 weeks ago) by anton
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.303: +2 -1 lines

Make pinsyscall(2) always available for pledged processes. Needed by pledge
execpromises, as noted by regress/sys/kern/pledge/execpromise.

sure deraadt@

Revision 1.303, Sat Feb 11 23:22:17 2023 UTC (15 months, 4 weeks ago) by deraadt
Branch: MAIN
Changes since 1.302: +1 -13 lines

non-padded 64-bit system calls arrived 2021/12/23, over a year ago.
time to delete the backwards compat padded functions in the kernel.

Revision 1.302, Sat Jan 7 05:24:58 2023 UTC (17 months ago) by guenther
Branch: MAIN
Changes since 1.301: +3 -1 lines

Add {get,set}thrname(2) for putting thread names in the kernel and
exposed in a new field returned by sysctl(KERN_PROC).  Update
pthread_{get,set}_name_np(3) to use the syscalls.  Show them, when
set, in ps -H and top -H output.

libc and libpthread minor bumps

ok mpi@, mvs@, deraadt@

Revision 1.301, Fri Dec 23 05:35:08 2022 UTC (17 months, 2 weeks ago) by deraadt
Branch: MAIN
Changes since 1.300: +2 -3 lines

wrap a line better

Revision 1.300, Mon Dec 5 23:18:37 2022 UTC (18 months ago) by deraadt
Branch: MAIN
Changes since 1.299: +2 -2 lines

zap a pile of dangling tabs

Revision 1.299, Thu Nov 10 00:14:11 2022 UTC (19 months ago) by jsg
Branch: MAIN
Changes since 1.298: +2 -1 lines

fix build after 1.298

Revision 1.298, Wed Nov 9 22:25:08 2022 UTC (19 months ago) by deraadt
Branch: MAIN
Changes since 1.297: +6 -2 lines

Some limited setsockopt/getsockopt are allowed in pledge "stdio".
Also allow IPPROTO_TCP:TCP_NODELAY
It is very small kernel code, and will allow some software to drop "inet"
requested by djm

Revision 1.297, Tue Nov 8 19:17:58 2022 UTC (19 months ago) by robert
Branch: MAIN
Changes since 1.296: +2 -1 lines

allow the KERN_AUTOCONF_SERIAL sysctl in pledge'd processes

ok deraadt@

Revision 1.296, Fri Oct 7 14:59:39 2022 UTC (20 months ago) by deraadt
Branch: MAIN
Changes since 1.295: +2 -1 lines

Add mimmutable(2) system call which locks the permissions (PROT_*) of
memory mappings so they cannot be changed by a later mmap(), mprotect(),
or munmap(), which will error with EPERM instead.
ok kettenis

Revision 1.295, Mon Sep 5 16:37:47 2022 UTC (21 months ago) by mbuhl
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.294: +3 -1 lines

Pledge sendmmsg and recvmmsg with stdio similar to their non-loop
counterparts. Input deraadt.
ok bluhm

Revision 1.294, Sun Aug 14 01:58:27 2022 UTC (21 months, 4 weeks ago) by jsg
Branch: MAIN
Changes since 1.293: +1 -4 lines

remove unneeded includes in sys/kern
ok mpi@ miod@

Revision 1.293, Thu Aug 11 09:13:21 2022 UTC (22 months ago) by claudio
Branch: MAIN
Changes since 1.292: +4 -3 lines

Add TCP_INFO support to getsockopt for tcp sessions.

TCP_INFO provides a lot of information about the TCP session of this socket.
Many processes like to peek at the rtt of a connection but this also provides
a lot of more special info for use by e.g. tcpbench(1).
While the basic minimal info is available all the time the more specific
data is only populated for privileged processes. This is done to not share
data back to userland that may allow to attack a session.
TCP_INFO is available to pledge "inet" since pledged processes like chrome
tend to use TCP_INFO when available.
OK bluhm@

Revision 1.292, Mon Aug 8 01:53:01 2022 UTC (22 months ago) by deraadt
Branch: MAIN
Changes since 1.291: +1 -22 lines

Before ypconnect(2) addition, "getpw" was a horrible "hole" that triggered
on libc trying to open /var/run/ypbind.lock, so pledge had to BYPASSUNVEIL
accesses to this file.  We accepted the opening of that file for a small
period for build cross-over, but that waiting period ends now.

Revision 1.291, Tue Aug 2 11:04:25 2022 UTC (22 months, 1 week ago) by deraadt
Branch: MAIN
Changes since 1.290: +13 -1 lines

some ports bootstraps, and go internals, need a bit more time to adapt
to the padded syscalls going away.

Revision 1.290, Mon Jul 18 18:02:27 2022 UTC (22 months, 3 weeks ago) by jca
Branch: MAIN
Changes since 1.289: +14 -4 lines

Restrict pledge("vminfo") callers to read-only swapctl(2) operations.

Those are the read-only operations allowed for non-root users:
SWAP_NSWAP and SWAP_STATS.  Users of pledge("vminfo") in base which also
call swapctl(2) with said commands: top(1) and pstat(8).

No regression spotted with top(1) and pstat(8) -s/-T.

ok deraadt@

Revision 1.289, Mon Jul 18 17:45:46 2022 UTC (22 months, 3 weeks ago) by deraadt
Branch: MAIN
Changes since 1.288: +27 -72 lines

Delete the YPACTIVE toggling code when "getpw" code access/open are done to
/var/run/ypbind.lock.  "getpw" now only allows ypconnect(2) and the minimum
unveil bypasses.
Still allow open/access to file for a little while, because getpwent/getgrent/etc
were opening it unconditionally to hint for YPACTIVE.
That code should be deleted before 7.2

Revision 1.288, Sun Jul 17 04:29:38 2022 UTC (22 months, 3 weeks ago) by deraadt
Branch: MAIN
Changes since 1.287: +64 -15 lines

backout last step: the path checks are too strong until everyone has a
new libc.

Revision 1.287, Sun Jul 17 03:17:01 2022 UTC (22 months, 3 weeks ago) by deraadt
Branch: MAIN
Changes since 1.286: +16 -65 lines

the PLEDGE_YPACTIVE "hack" bit related to "getpw" pledge goes away.  libc
no longer accesses /var/run/ypbind.lock to trigger extra permissions
for userland-opening of files & sockets to engage with ypserver for YP/LDAP
lookups.  libc now uses the super secret special ypconnect() system call
to perform socket-setup.
Delete some other things which are no longer reached via libc/rpc
ok jmatthew, miod

Revision 1.286, Fri Jul 15 17:25:18 2022 UTC (22 months, 3 weeks ago) by deraadt
Branch: MAIN
Changes since 1.285: +5 -2 lines

Allow ypconnect() in "getpw"
Annotate two blocks relating to ypbind.lock that will be deleted once libc
switches over to the new mechanism.

Revision 1.285, Thu Jun 30 15:35:14 2022 UTC (23 months, 1 week ago) by claudio
Branch: MAIN
Changes since 1.284: +4 -1 lines

Allow sysctl mib CTL_NET.PF_INET6 with a length of 3 in PLEDGE_VMINFO.

This will be used for sysconf(3) and getconf(1) to handle _POSIX_IPV6
without opening a socket.
OK sthen@ deraadt@

Revision 1.284, Wed Jun 29 12:17:31 2022 UTC (23 months, 1 week ago) by jca
Branch: MAIN
Changes since 1.283: +39 -15 lines

Unlock the pledge(2) system call

Protect the ps_pledge/ps_execpledge fields with ps_mtx.  Shuffle the
code to call unveil_destroy() outside the critical section.  Only writes
to those fields are protected.  Since we may only remove bits from those
fields, garbage values should do no harm even when a read crosses
a write on 32-bit systems.

Input claudio@ kettenis@ deraadt@, ok deraadt@

Revision 1.283, Wed Jun 29 12:01:22 2022 UTC (23 months, 1 week ago) by jca
Branch: MAIN
Changes since 1.282: +6 -6 lines

Use READ_ONCE() when saving pr->ps_pledge to a local variable

This prevents the compiler from reloading a possibly different value
from memory.  Even if it doesn't matter in this code it's just better
practice.  Discussed with kettenis@ and deraadt@, ok deraadt@

Revision 1.282, Sun Jun 26 06:11:49 2022 UTC (23 months, 2 weeks ago) by jsg
Branch: MAIN
Changes since 1.281: +2 -1 lines

allow HW_USERMEM64 in sysctl pledge

chromium loads vulkan when going to chrome://gpu
anv, the Intel vulkan driver in Mesa uses HW_USERMEM64

ok sthen@ deraadt@

Revision 1.281, Fri Mar 25 17:40:59 2022 UTC (2 years, 2 months ago) by robert
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.280: +7 -1 lines

add an exception to the CPU_ID_AA64ISAR0 in pledged applications so that
libcrypto can access this sysctl on arm64 without restrictions to determine
cpu features

ok deraadt@, kettenis@

Revision 1.280, Fri Feb 25 18:24:01 2022 UTC (2 years, 3 months ago) by tedu
Branch: MAIN
Changes since 1.279: +2 -1 lines

add setrtable to pledge("id"). from Matthew Martin
ok deraadt

Revision 1.279, Fri Feb 4 17:50:28 2022 UTC (2 years, 4 months ago) by tedu
Branch: MAIN
Changes since 1.278: +11 -6 lines

whitelist resolv.conf for stat. go dns library does this.
ok deraadt

Revision 1.278, Thu Jan 20 03:43:30 2022 UTC (2 years, 4 months ago) by jsg
Branch: MAIN
Changes since 1.277: +3 -1 lines

initial support for drm sync files, fences associated with file
descriptors for explicit fencing

tested with libdrm's amdgpu_test syncobj timeline tests and vkcube on
intel broadwell with Mesa 21.3 (which hangs without sync file support
after the 'anv: Assume syncobj support' Mesa commit)

feedback and ok visa@

Revision 1.277, Thu Dec 23 18:50:32 2021 UTC (2 years, 5 months ago) by guenther
Branch: MAIN
Changes since 1.276: +13 -1 lines

Roll the syscalls that have an off_t argument to remove the explicit padding.
Switch libc and ld.so to the generic stubs for these calls.
WARNING: reboot to updated kernel before installing libc or ld.so!

Time for a story...

When gcc (back in 1.x days) first implemented long long, it didn't (always)
pass 64bit arguments in 'aligned' registers/stack slots, with the result that
argument offsets didn't match structure offsets.  This affected the nine system
calls that pass off_t arguments:
   ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate

To avoid having to do custom ASM wrappers for those, BSD put an explicit pad
argument in so that the off_t argument would always start on an even slot and
thus be naturally aligned.  Thus those odd wrappers in lib/libc/sys/ that use
__syscall() and pass an extra '0' argument.

The ABIs for different CPUs eventually settled how things should be passed on
each and gcc 2.x followed them.  The only arch now where it helps is landisk,
which needs to skip the last argument register if it would be the first half of
a 64bit argument.  So: add new syscalls without the pad argument and on landisk
do that skipping directly in the syscall handler in the kernel.  Keep compat
support for the existing syscalls long enough for the transition.

ok deraadt@

Revision 1.276, Mon Nov 15 17:14:51 2021 UTC (2 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.275: +65 -54 lines

Copy p_p->ps_pledge into a local variable (called pledge) in every function
which checks PLEDGE_* bits more than once.  Some functions are called without
locking, and this avoids misinterpreting bits which have some coupled behaviour.
ok cheloha kettenis

Revision 1.275, Tue Jun 29 01:46:35 2021 UTC (2 years, 11 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.274: +1 -6 lines

remove arch ifdefs around drm.h include

ok deraadt@ kettenis@

Revision 1.274, Sat Jun 26 09:23:24 2021 UTC (2 years, 11 months ago) by kettenis
Branch: MAIN
Changes since 1.273: +3 -2 lines

Add powerpc64 and riscv64 to the list of architectures that have DRM.

ok matthieu@, deraadt@, jsg@

Revision 1.273, Wed Jun 9 17:52:47 2021 UTC (3 years ago) by semarie
Branch: MAIN
Changes since 1.272: +2 -3 lines

unveil: small cleanup for UNVEIL_INSPECT

remove two leftover checks which were used when ni_unveil was used with UNVEIL_INSPECT.

it was used by:
- readlink(2) - removed 2019-08-31
- stat(2) and access(2) - removed 2019-03-24

ok claudio@

Revision 1.272, Fri Apr 30 02:06:22 2021 UTC (3 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.271: +5 -1 lines

When terminating via pledge_fail() stop all threads, before issuing a
(delayed action) sigabort() and disabling all syscalls for this process
(ie. all threads).  This resulted in multiple-threads crashing over top
of themselves, and a poor debugging experience.  We keep using sigabort()
rather than sigexit(), to keep the debugging process good.
Diagnosed from a report from brynet, and followup discussion with many.

Revision 1.271, Thu Mar 25 21:27:45 2021 UTC (3 years, 2 months ago) by abieber
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.270: +2 -2 lines

Permit kern.somaxconn when the unix pledge is used. Previously this was only
allowed when inet was used.

This lets Go programs use 'unix' without also including 'inet'.

from Josh Rickmar

ok / tree review from deraadt@, commit message cluestick from tb@

Revision 1.270, Wed Feb 3 22:46:55 2021 UTC (3 years, 4 months ago) by tobhe
Branch: MAIN
Changes since 1.269: +3 -1 lines

Add SIOCAIFADDR_IN and SIOCDIFADDR_IN to the wroute pledge
to allow setting and removing IPv4 addresses.
Needed for future iked(8) improvements.

Discussed with sthen@ and florian@
ok bluhm@ deraadt@

Revision 1.269, Wed Jan 20 16:36:09 2021 UTC (3 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.268: +2 -2 lines

If pledge "wroute" is missing for setsockopt SO_RTABLE, print failure
message "wroute" into dmesg.  Since revision 1.263 pledge "wroute"
allows to change the routing table of a socket.
OK florian@ semarie@

Revision 1.268, Tue Jan 19 17:41:51 2021 UTC (3 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.267: +1 -9 lines

/etc/malloc.conf path-approval in pledge is no longer needed since 6.5
moved option control into a sysctl.
reminder that we can delete this from benjamin baier

Revision 1.267, Thu Oct 29 21:15:27 2020 UTC (3 years, 7 months ago) by denis
Branch: MAIN
Changes since 1.266: +2 -2 lines

Add feature to force the selection of source IP address

Based/previous work on an idea from deraadt@
Input from claudio@, djm@, deraadt@, sthen@

OK deraadt@

Revision 1.266, Wed Sep 16 13:50:42 2020 UTC (3 years, 8 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.265: +2 -7 lines

Move duplicated code to send an uncatchable SIGABRT into a function.

ok claudio@

Revision 1.265, Wed Sep 16 10:06:56 2020 UTC (3 years, 8 months ago) by jsg
Branch: MAIN
Changes since 1.264: +2 -2 lines

put HW_PHYSMEM64 case under CTL_HW not CTL_KERN

Fixes previous.  Problem spotted by kettenis@

Revision 1.264, Wed Sep 16 08:02:53 2020 UTC (3 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.263: +2 -4 lines

As discovered by kettenis, recent mesa wants sysctl hw.physmem64, and
in pledged programs that is unfortunate.  My snark levels are a bit drained,
but I must say I'm always disappointed when programs operating on virtual
resources enquire about total physical resource availability, the only
reason to ask is so they can act unfair relative to others in the shared
environment.  SIGH.

Revision 1.263, Fri Jul 17 16:28:19 2020 UTC (3 years, 10 months ago) by florian
Branch: MAIN
Changes since 1.262: +11 -1 lines

Allow setsockopt SO_RTABLE when pledging "wroute" soon to be needed
by slaacd(8).
"wroute" allows changes to the routing table so this is a good fit.
Nothing else in base is affected by this. dhclient might use
the wroute pledge in the future and might also want SO_RTABLE in a
more distant future.
OK deraadt

Revision 1.262, Sun Apr 5 07:31:45 2020 UTC (4 years, 2 months ago) by visa
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.261: +2 -2 lines

Declare pledgenames[] as const.

OK deraadt@

Revision 1.261, Sat Feb 15 09:35:48 2020 UTC (4 years, 3 months ago) by anton
Branch: MAIN
Changes since 1.260: +3 -3 lines

Consistently perform atomic writes to the ps_flags field of struct
process.

ok bluhm@ claudio@ visa@

Revision 1.260, Tue Feb 11 16:02:39 2020 UTC (4 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.259: +19 -18 lines

the pledge_ioctl() rule checker is written in a style which could read
ps_pledge more than once.  That will cause problems if sys_ioctl is
changed to be unlocked (in at least some cases), so switch to a read-once
local variable.
discussed with a few, ok mpi

Revision 1.259, Wed Feb 5 10:40:37 2020 UTC (4 years, 4 months ago) by ratchov
Branch: MAIN
Changes since 1.258: +4 -1 lines

Allow programs with the "audio" promise to use the AUDIO_MIXER_xxx ioctls.

ok semarie, deraadt

Revision 1.258, Tue Feb 4 10:09:37 2020 UTC (4 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.257: +7 -1 lines

allow reading of sysctl kern.somaxconn in "inet", due to
operational behaviour of "go" which is not unreasonable
from Jimmy Brush

Revision 1.257, Thu Jan 23 01:02:34 2020 UTC (4 years, 4 months ago) by dlg
Branch: MAIN
Changes since 1.256: +6 -2 lines

add /etc/protocols to the magic unveil whitelist that the dns pledge has

"i get it" deraadt@

Revision 1.256, Sun Dec 8 23:08:59 2019 UTC (4 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.255: +2 -1 lines

msyscall(2) is like kbind(2), and should be always permitted.  it does
its own checks.

Revision 1.255, Sun Aug 25 18:46:40 2019 UTC (4 years, 9 months ago) by pamela
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.254: +2 -1 lines

Add SIOCDIFADDR_IN6 to the wroute pledge to allow removal of IPv6 addresses
Needed for future slaacd(8) improvements

OK florian@ deraadt@

Revision 1.254, Wed Jun 26 17:04:55 2019 UTC (4 years, 11 months ago) by robert
Branch: MAIN
Changes since 1.253: +14 -1 lines

allow more video(4) ioctls for the video pledge (required by chromium)

ok deraadt@

Revision 1.253, Sun Jun 16 21:00:42 2019 UTC (4 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.252: +2 -2 lines

SYS___realpath is legitimately PLEDGE_STDIO, because the other pledge
feature bits are checked in namei()

Revision 1.252, Mon May 13 22:55:27 2019 UTC (5 years, 1 month ago) by beck
Branch: MAIN
Changes since 1.251: +2 -1 lines

Add a kernel implementation of realpath() as __realpath().

We want this so that we can stop allowing readlink() on traversed
vnodes in unveil().

This includes all the kernel side and the system call.
This is not yet used in libc for realpath, so nothing calls this yet.
The libc wrapper will be committed later.

Testing by many, and ports build by naddy@

ok deraadt@

Revision 1.251, Thu Feb 14 15:41:47 2019 UTC (5 years, 3 months ago) by florian
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.250: +3 -1 lines

Allow *at variant of mkfifo and mknod, too.
OK deraadt

Revision 1.250, Tue Jan 22 00:59:31 2019 UTC (5 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.249: +4 -2 lines

#ifdef video junk as required.

Revision 1.249, Mon Jan 21 20:09:37 2019 UTC (5 years, 4 months ago) by landry
Branch: MAIN
Changes since 1.248: +31 -1 lines

Add "video" promise.

Allows a subset of ioctls on video(4) devices, subset selected from
video(1) and firefox webrtc implementation.

ok semarie@ deraadt@

Revision 1.248, Fri Jan 18 01:34:50 2019 UTC (5 years, 4 months ago) by pd
Branch: MAIN
Changes since 1.247: +2 -2 lines

delete vmm(4) in i386

We will still be able to run i386 guests on amd64 vmm.

Reasons to delete i386 vmm:

- Been broken for a while, almost no one complained.
- Had been falling out of sync from amd64 while it worked.
- If your machine has vmx, you most probably can run amd64, so why not run that?

ok deraadt@ mlarkin@

Revision 1.247, Sun Jan 6 22:09:55 2019 UTC (5 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.246: +3 -2 lines

the pledge handling for access(2) of /var/run/ypbind.lock is artificially
tough (so that non-YP using developers don't break the tree for YP/LDAP
users).  This check failed to handle the newish RPATH+UNVEIL_INSPECT namei
operation.
discovered by florian, ok beck

Revision 1.246, Sun Jan 6 18:35:55 2019 UTC (5 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.245: +43 -53 lines

fold a bunch of similar sysctl cases into a switch.
ok deraadt mestre

Revision 1.245, Sat Nov 17 23:10:08 2018 UTC (5 years, 6 months ago) by cheloha
Branch: MAIN
Changes since 1.244: +4 -1 lines

Add new KERN_CPUSTATS sysctl(2) so we can identify offline CPUs.

Because of hw.smt we need a way to determine whether a given CPU is "online"
or "offline" from userspace.  KERN_CPTIME2 is an array, and so cannot be
cleanly extended for this purpose, so add a new sysctl(2) KERN_CPUSTATS
with an extensible struct.  At the moment it's just KERN_CPTIME2 with a
flags member, but it can grow as needed.

KERN_CPUSTATS appears to have been defined by BSDi long ago, but there are
few (if any) packages in the wild still using the symbol so breakage in ports
should be near zero.  No other system inherited the symbol from BSDi, either.

Then, use the new sysctl(2) in systat(1) and top(1):

  - systat(1) draws placeholder marks ('-') instead of percentages for
    offline CPUs in the cpu view.

  - systat(1) omits offline CPU ticks when drawing the "big bar" in
    the vmstat view.  The upshot is that the bar isn't half idle when
    half your logical CPUs are disabled.

  - top(1) does not draw lines for offline CPUs; if CPUs toggle on or
    offline in interactive mode we redraw the display to expand/reduce
    space for the new/missing CPUs.  This is consistent with what some
    top(1) implementations do on Linux.

  - top(1) omits offline CPUs from the totals when CPU totals are
    combined into a single line (the '-1' flag).

Originally prompted by deraadt@.  Discussed endlessly with deraadt@,
ketennis@, and sthen@.  Tested by jmc@ and jca@.  Earlier versions also
discussed with jca@.  Earlier versions tested by jmc@, tb@, and many
others.

docs ok jmc@, kernel bits ok ketennis@, everything ok sthen@,
"Is your stuff in yet?" deraadt@

Revision 1.244 / (download) - annotate - [select for diffs], Tue Nov 6 07:49:38 2018 UTC (5 years, 7 months ago) by otto
Branch: MAIN
Changes since 1.243: +4 -1 lines
Diff to previous 1.243 (colored)

new sysctl for userland malloc flags, kernel part. ok millert@ deraadt@

Revision 1.243 / (download) - annotate - [select for diffs], Thu Sep 13 07:49:33 2018 UTC (5 years, 8 months ago) by mestre
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.242: +2 -1 lines
Diff to previous 1.242 (colored)

When unveil(2) was introduced, one break from the SYS_access case was removed
here; this adds it back. Noticed by Coverity 1471854.

feedback from semarie@ OK deraadt@

Revision 1.242 / (download) - annotate - [select for diffs], Mon Aug 20 10:00:04 2018 UTC (5 years, 9 months ago) by kettenis
Branch: MAIN
Changes since 1.241: +4 -4 lines
Diff to previous 1.241 (colored)

Preparations for arm64 radeondrm(4) support.

ok jsg@ (who pointed out the kern_pledge.c change was necessary as well)

Revision 1.241 / (download) - annotate - [select for diffs], Mon Aug 13 20:31:38 2018 UTC (5 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.240: +3 -3 lines
Diff to previous 1.240 (colored)

The first panic in pledge_namei should only be for ni_pledge == 0
(the other cause is implausible, and crashes with a nice *NULL)

Revision 1.240 / (download) - annotate - [select for diffs], Sat Aug 11 16:16:07 2018 UTC (5 years, 10 months ago) by beck
Branch: MAIN
Changes since 1.239: +7 -7 lines
Diff to previous 1.239 (colored)

Get rid of PLEDGE_STAT, which was a hack used for unveil.
We use UNVEIL_INSPECT instead in the unveil flags for the same
purpose, and now add traversed vnodes of a path with UNVEIL_INSPECT
instead of with 0 flags and voodoo in unveil_flagmatch. This
allows us to uncontort the logic of unveil_flagmatch a bunch.
helpful review and ok from semarie@

Revision 1.239 / (download) - annotate - [select for diffs], Thu Aug 2 15:34:07 2018 UTC (5 years, 10 months ago) by rob
Branch: MAIN
Changes since 1.238: +2 -2 lines
Diff to previous 1.238 (colored)

Grammar fix in comment.

ok deraadt@

Revision 1.238 / (download) - annotate - [select for diffs], Fri Jul 27 06:15:10 2018 UTC (5 years, 10 months ago) by bket
Branch: MAIN
Changes since 1.237: +5 -1 lines
Diff to previous 1.237 (colored)

Add SIOCSIFMTU to the wroute pledge.

This is required by, for example, slaacd(8) (which has been pledged) to
set MTU on an interface.

OK florian@, deraadt@

Revision 1.237 / (download) - annotate - [select for diffs], Sun Jul 15 12:44:09 2018 UTC (5 years, 10 months ago) by beck
Branch: MAIN
Changes since 1.236: +8 -12 lines
Diff to previous 1.236 (colored)

Restore correct behaviour to pledge for access and stat, which was broken
by the unveil diff.   Noticed at, and diff from semarie@

Revision 1.236 / (download) - annotate - [select for diffs], Fri Jul 13 09:25:23 2018 UTC (5 years, 11 months ago) by beck
Branch: MAIN
Changes since 1.235: +68 -17 lines
Diff to previous 1.235 (colored)

Unveiling unveil(2).
This brings unveil into the tree, disabled by default - Currently
this will return EPERM on all attempts to use it until we are
fully certain it is ready for people to start using, but this
now allows for others to do more tweaking and experimentation.

Still needs to send the unveil's across forks and execs before
fully enabling.

Many thanks to robert@ and deraadt@ for extensive testing.
ok deraadt@

Revision 1.235 / (download) - annotate - [select for diffs], Thu Jul 12 01:23:38 2018 UTC (5 years, 11 months ago) by cheloha
Branch: MAIN
Changes since 1.234: +3 -3 lines
Diff to previous 1.234 (colored)

Add hw.ncpuonline to count the number of online CPUs.

The introduction of hw.smt means that logical CPUs can be disabled
after boot and prior to suspend/resume.  If hw.smt=0 (the default),
there needs to be a way to count the number of hardware threads
available on the system at any given time.

So, import HW_NCPUONLINE/hw.ncpuonline from NetBSD and document it.
hw.ncpu becomes equal to the number of CPUs given to sched_init_cpu()
during boot, while hw.ncpuonline is equal to the number of CPUs available
to the scheduler in the cpuset "sched_all_cpus". Set _SC_NPROCESSORS_ONLN
equal to this new sysctl and keep _SC_NPROCESSORS_CONF equal to hw.ncpu.

This is preferable to adding a new sysctl to count the number of
configured CPUs and keeping hw.ncpu equal to the number of online
CPUs because such a change would break software in the ecosystem
that relies on HW_NCPU/hw.ncpu to measure CPU usage and the like.
Such software in base includes top(1), systat(1), and snmpd(8),
and perhaps others.

We don't need additional locking to count the cardinality of a cpuset
in this case because the only interfaces that can modify said cardinality
are sysctl(2) and ioctl(2), both of which are under the KERNEL_LOCK.

Software using HW_NCPU/hw.ncpu to determine optimal parallelism will need
to be updated to use HW_NCPUONLINE/hw.ncpuonline.  Until then, such software
may perform suboptimally.  However, most changes will be similar to the
change included here for libcxx's std::thread::hardware_concurrency():
using HW_NCPUONLINE in lieu of HW_NCPU should be sufficient for determining
optimal parallelism for most software if the change to _SC_NPROCESSORS_ONLN
is insufficient.

Prompted by deraadt. Discussed at length with kettenis, deraadt, and sthen.
Lots of patch tweaks from kettenis.

ok kettenis, "proceed" deraadt

Revision 1.234 / (download) - annotate - [select for diffs], Mon Jun 25 22:29:16 2018 UTC (5 years, 11 months ago) by kettenis
Branch: MAIN
Changes since 1.233: +3 -1 lines
Diff to previous 1.233 (colored)

Implement DRI3/prime support.  This allows graphics buffers to be passed
between processes using file descriptors.  This provides an alternative to
exporting them with guessable 32-bit IDs.  This implementation does not (yet)
allow sharing of graphics buffers between GPUs.

ok mpi@, visa@

Revision 1.233 / (download) - annotate - [select for diffs], Wed Jun 20 10:48:55 2018 UTC (5 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.232: +3 -1 lines
Diff to previous 1.232 (colored)

Grab and/or assert for the KERNEL_LOCK() in ktrace & pledge.

This is required to run network syscalls mostly without the KERNEL_LOCK().

ok visa@, kettenis@ as part of a larger diff.

Revision 1.232 / (download) - annotate - [select for diffs], Sat Jun 16 15:37:00 2018 UTC (5 years, 11 months ago) by florian
Branch: MAIN
Changes since 1.231: +18 -1 lines
Diff to previous 1.231 (colored)

Introduce "wroute" promise.

For now this allows configuring an IPv6 address on an interface and
reading the net.inet6.ip6.soiikey sysctl. To be used by slaacd.

prodding & OK deraadt

Revision 1.231 / (download) - annotate - [select for diffs], Sun Jun 3 18:20:28 2018 UTC (6 years ago) by deraadt
Branch: MAIN
Changes since 1.230: +6 -1 lines
Diff to previous 1.230 (colored)

on i386, libm does sysctl to discover if the system has SSE.  Whitelist
that sysctl in pledge.  Discovered by Stuart Cassoff

Revision 1.230 / (download) - annotate - [select for diffs], Sat Apr 28 12:49:21 2018 UTC (6 years, 1 month ago) by kn
Branch: MAIN
Changes since 1.229: +2 -2 lines
Diff to previous 1.229 (colored)

Remove redundant error check

error is set by copyinstr(9) only and we return early if it is non-zero,
so the loop's last condition is always true.

OK deraadt, jca

Revision 1.229 / (download) - annotate - [select for diffs], Tue Mar 27 08:42:49 2018 UTC (6 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.228: +3 -1 lines
Diff to previous 1.228 (colored)

Make sure that programs violating a pledge(2) promise or some memory
protection cannot block the final SIGABRT.

While here apply the same logic to ddb(4)'s kill command.

From semarie@, ok deraadt@

Revision 1.228 / (download) - annotate - [select for diffs], Tue Jan 9 15:14:23 2018 UTC (6 years, 5 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.227: +2 -2 lines
Diff to previous 1.227 (colored)

Change `so_state' and `so_error' to unsigned int such that they can
be atomically read from any context.

ok bluhm@, visa@

Revision 1.227 / (download) - annotate - [select for diffs], Mon Jan 8 11:54:28 2018 UTC (6 years, 5 months ago) by mpi
Branch: MAIN
Changes since 1.226: +9 -1 lines
Diff to previous 1.226 (colored)

Allow TIOCUCNTL issued on a pty(4) master in promise "tty".

This will soon be used to emulate BREAK commands in vmd(8).

ok nicm@, ccardenas@, deraadt@

Revision 1.226 / (download) - annotate - [select for diffs], Tue Dec 12 01:12:34 2017 UTC (6 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.225: +81 -48 lines
Diff to previous 1.225 (colored)

pledge()'s 2nd argument becomes char *execpromises, which becomes the
pledge for a new execve image immediately upon start.  Also introduces
"error" which makes violations return -1 ENOSYS instead of killing the
program ("error" may not be handed to a setuid/setgid program, which
may be missing/ignoring syscall return values and would continue with
inconsistent state)
Discussion with many
florian has used this to improve the strictness of a daemon

Revision 1.225 / (download) - annotate - [select for diffs], Sat Dec 9 06:50:32 2017 UTC (6 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.224: +2 -2 lines
Diff to previous 1.224 (colored)

More precision in pledge sysctl report

Revision 1.224 / (download) - annotate - [select for diffs], Fri Nov 17 23:08:10 2017 UTC (6 years, 6 months ago) by abieber
Branch: MAIN
Changes since 1.223: +1 -3 lines
Diff to previous 1.223 (colored)

permit IPV6_V6ONLY in sockopt

OK deraadt@

Revision 1.223 / (download) - annotate - [select for diffs], Thu Oct 12 15:04:33 2017 UTC (6 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.222: +3 -3 lines
Diff to previous 1.222 (colored)

Print the word pledge in the kernel log when there is a violation.
This should make it easier to figure out what is going on.  Note
that the pledgecode it shows is only a guess which pledge(2) might
help.
OK deraadt@ semarie@

Revision 1.222 / (download) - annotate - [select for diffs], Sat Oct 7 06:06:26 2017 UTC (6 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.221: +2 -1 lines
Diff to previous 1.221 (colored)

In "tty", permitting TIOCSTART is fine

Revision 1.221 / (download) - annotate - [select for diffs], Sat Oct 7 06:04:00 2017 UTC (6 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.220: +2 -1 lines
Diff to previous 1.220 (colored)

permit SYS___set_tcb, upcoming code will require this

Revision 1.220 / (download) - annotate - [select for diffs], Fri Sep 8 05:36:53 2017 UTC (6 years, 9 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.219: +1 -2 lines
Diff to previous 1.219 (colored)

If you use sys/param.h, you don't need sys/types.h

Revision 1.219 / (download) - annotate - [select for diffs], Tue Aug 29 02:51:27 2017 UTC (6 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.218: +2 -335 lines
Diff to previous 1.218 (colored)

Remove old deactivated pledge path code.  A replacement mechanism is
being brewed.
ok beck

Revision 1.218 / (download) - annotate - [select for diffs], Mon Aug 21 14:40:07 2017 UTC (6 years, 9 months ago) by florian
Branch: MAIN
Changes since 1.217: +3 -1 lines
Diff to previous 1.217 (colored)

Allow SIOCGIFAFLAG_IN6 and SIOCGIFALIFETIME_IN6 ioctls with
pledge("route"). These are read only and expose only minimal kernel
code.

slaacd(8) needs this on startup and when an interface gains the
autoconf6 flag to get lifetime and autoconf information about already
configured addresses.

OK deraadt

Revision 1.217 / (download) - annotate - [select for diffs], Fri Jul 28 02:14:56 2017 UTC (6 years, 10 months ago) by rob
Branch: MAIN
Changes since 1.216: +2 -1 lines
Diff to previous 1.216 (colored)

Allow SIOCGIFDESCR with "route" promise in preparation for pledging snmpd.

ok deraadt@ benno@

Revision 1.216 / (download) - annotate - [select for diffs], Thu Jun 29 04:10:07 2017 UTC (6 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.215: +1 -6 lines
Diff to previous 1.215 (colored)

Due to risks known for decades, TIOCSTI now performs no action, and simply
returns EIO.  The base system has been cleaned of TIOCSTI uses (collaboration
between anton and me), and the ports tree appears mostly clean.  A few
stragglers may be discovered and cleaned up later...
In a month or so, we should see if the #define can be removed entirely.
ok anton tedu, support from millert

Revision 1.215 / (download) - annotate - [select for diffs], Wed Jun 21 17:13:20 2017 UTC (6 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.214: +2 -1 lines
Diff to previous 1.214 (colored)

Permit TIOCSTAT on a tty.

Revision 1.214 / (download) - annotate - [select for diffs], Mon Jun 19 18:35:05 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.213: +3 -3 lines
Diff to previous 1.213 (colored)

Terminate pledge log(9) with newline.  This fixes dmesg(8) output.
found by regress/sys/kern/pledge/generic; OK deraadt@

Revision 1.213 / (download) - annotate - [select for diffs], Mon Jun 12 21:55:16 2017 UTC (7 years ago) by deraadt
Branch: MAIN
Changes since 1.212: +12 -7 lines
Diff to previous 1.212 (colored)

Pledge is fairly done, so the kernel printf's can be converted to log()
calls.  They'll be a little less visible, but still in the system logs.
ok bluhm

Revision 1.212 / (download) - annotate - [select for diffs], Wed Jun 7 20:53:59 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.211: +3 -1 lines
Diff to previous 1.211 (colored)

Add an acct(5) flag for pledge violations.  Then lastcomm(1) shows
when something went wrong.  This allows one to monitor whether the
system is under attack and that the attack has been prevented by
OpenBSD pledge(2).
OK deraadt@ millert@ jmc@

Revision 1.211 / (download) - annotate - [select for diffs], Sat Jun 3 04:34:41 2017 UTC (7 years ago) by tb
Branch: MAIN
Changes since 1.210: +8 -4 lines
Diff to previous 1.210 (colored)

Avoid printing garbage when aborting a program that tries to use a
prohibited sysctl.

ok deraadt

Revision 1.210 / (download) - annotate - [select for diffs], Tue May 30 15:04:45 2017 UTC (7 years ago) by deraadt
Branch: MAIN
Changes since 1.209: +2 -1 lines
Diff to previous 1.209 (colored)

getrtable() is now permitted in "stdio".  It carries no risk factors.

Revision 1.209 / (download) - annotate - [select for diffs], Sun May 21 13:00:53 2017 UTC (7 years ago) by visa
Branch: MAIN
Changes since 1.208: +3 -2 lines
Diff to previous 1.208 (colored)

Enable radeondrm(4) on loongson to get accelerated graphics
with the RS780E chipset.

OK kettenis@, jsg@

Revision 1.208 / (download) - annotate - [select for diffs], Tue May 2 16:46:00 2017 UTC (7 years, 1 month ago) by natano
Branch: MAIN
Changes since 1.207: +4 -2 lines
Diff to previous 1.207 (colored)

Stricter pledge for bpf. ok deraadt

Revision 1.207 / (download) - annotate - [select for diffs], Sat Apr 29 08:02:56 2017 UTC (7 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.206: +2 -2 lines
Diff to previous 1.206 (colored)

Mark futex(2) as PLEDGE_STDIO like all other thread-related syscalls.

From semarie@, ok deraadt@

Revision 1.206 / (download) - annotate - [select for diffs], Fri Apr 28 13:50:55 2017 UTC (7 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.205: +2 -1 lines
Diff to previous 1.205 (colored)

Add futex(2) syscall based on a sane subset of its Linux equivalent.

The syscall is marked NOLOCK and only FUTEX_WAIT grabs the KERNEL_LOCK()
because of PCATCH and the signal nightmare.

Serialization of threads is currently done with a global & exclusive
rwlock.

Note that the current implementation still uses copyin(9) which is not
guaranteed to be atomic.  Committing now such that remaining issues can
be addressed in-tree.

With inputs from guenther@, kettenis@ and visa@.

ok deraadt@, visa@

Revision 1.205 / (download) - annotate - [select for diffs], Thu Apr 20 15:21:53 2017 UTC (7 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.204: +2 -2 lines
Diff to previous 1.204 (colored)

only 32 bits of the pledgecode were passed up via ktrace
from Anton Lindqvist
ok semarie

Revision 1.204 / (download) - annotate - [select for diffs], Mon Apr 17 20:22:14 2017 UTC (7 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.203: +7 -4 lines
Diff to previous 1.203 (colored)

matthieu@ observes % pax (without any arguments) hits pledge violation,
because it tries MTIOCTOP against stdin, the tty.  It is very inconvenient
to use isatty to distinguish this difference in userland, so return ENOTTY
for tty devices.
ok natano

Revision 1.203 / (download) - annotate - [select for diffs], Thu Apr 13 04:06:46 2017 UTC (7 years, 2 months ago) by guenther
Branch: MAIN
Changes since 1.202: +1 -2 lines
Diff to previous 1.202 (colored)

Delete the getlogin59 syscall, which was last used one year, two releases,
and four libc major versions ago

ok sthen@ jsing@ deraadt@ jca@

Revision 1.202 / (download) - annotate - [select for diffs], Tue Apr 11 15:55:41 2017 UTC (7 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.201: +2 -1 lines
Diff to previous 1.201 (colored)

Add SIOCATMARK to allow pledge("inet") programs to call sockatmark(3).
from Matthias Pitzl; OK deraadt@

Revision 1.201 / (download) - annotate - [select for diffs], Thu Mar 30 15:22:07 2017 UTC (7 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.200: +3 -3 lines
Diff to previous 1.200 (colored)

correct NBPFILTER #ifdef's
from sthen and others

Revision 1.200 / (download) - annotate - [select for diffs], Tue Mar 28 16:03:31 2017 UTC (7 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.199: +5 -1 lines
Diff to previous 1.199 (colored)

Allow the multicast ttl/hops and loop options with the mcast pledge.
from Matthias Pitzl; OK deraadt@

Revision 1.199 / (download) - annotate - [select for diffs], Mon Mar 27 00:33:15 2017 UTC (7 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.198: +4 -1 lines
Diff to previous 1.198 (colored)

wrap bpf pledge code in #if BPFFILTER

Revision 1.198 / (download) - annotate - [select for diffs], Sun Mar 26 22:47:45 2017 UTC (7 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.197: +9 -9 lines
Diff to previous 1.197 (colored)

Inside pledge_ioctl, wrap #if's around the complete sub-blocks.

Revision 1.197 / (download) - annotate - [select for diffs], Sun Mar 26 22:42:36 2017 UTC (7 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.196: +3 -2 lines
Diff to previous 1.196 (colored)

For the tape ioctls, recognize that block devices don't exist anymore.
Also fail if the descriptor is actually a tty.
ok guenther

Revision 1.196 / (download) - annotate - [select for diffs], Sat Mar 18 01:50:21 2017 UTC (7 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.195: +1 -2 lines
Diff to previous 1.195 (colored)

The "ioctl" pledge, which had its functionality split out into "tape",
"bpf", and "inet", can finally go away.  Use a snapshot if you get into
trouble, most likely in pax..

Revision 1.195 / (download) - annotate - [select for diffs], Tue Mar 14 16:49:18 2017 UTC (7 years, 2 months ago) by florian
Branch: MAIN
Changes since 1.194: +2 -1 lines
Diff to previous 1.194 (colored)

Allow SIOCGIFXFLAGS in pledge("route") along side SIOCGIFFLAGS, needed
for upcoming IPv6 stateless address autoconfiguration daemon to see
if autoconfiguration and autoconfprivacy are enabled.
Input semarie@; OK deraadt@

Revision 1.194 / (download) - annotate - [select for diffs], Sat Mar 11 16:54:54 2017 UTC (7 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.193: +2 -1 lines
Diff to previous 1.193 (colored)

pax conversion was missed; give this another week

Revision 1.193 / (download) - annotate - [select for diffs], Sat Mar 11 07:03:38 2017 UTC (7 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.192: +1 -2 lines
Diff to previous 1.192 (colored)

remove pledge "ioctl" backwards compat

Revision 1.192 / (download) - annotate - [select for diffs], Mon Jan 23 05:49:24 2017 UTC (7 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.191: +2 -1 lines
Diff to previous 1.191 (colored)

Backwards compat for pledge "ioctl" for about a week

Revision 1.191 / (download) - annotate - [select for diffs], Mon Jan 23 04:25:05 2017 UTC (7 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.190: +19 -20 lines
Diff to previous 1.190 (colored)

Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only
upon "inet".  Adjust the 4 programs that care about this.

Revision 1.190 / (download) - annotate - [select for diffs], Mon Jan 23 03:17:55 2017 UTC (7 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.189: +6 -6 lines
Diff to previous 1.189 (colored)

whitespace

Revision 1.189 / (download) - annotate - [select for diffs], Sat Jan 21 05:42:03 2017 UTC (7 years, 4 months ago) by guenther
Branch: MAIN
Changes since 1.188: +5 -5 lines
Diff to previous 1.188 (colored)

p_comm is the process's command and isn't per thread, so move it from
struct proc to struct process.

ok deraadt@ kettenis@

Revision 1.188 / (download) - annotate - [select for diffs], Sun Nov 13 00:40:09 2016 UTC (7 years, 6 months ago) by tb
Branch: MAIN
Changes since 1.187: +2 -2 lines
Diff to previous 1.187 (colored)

Fix typo in comment: it's vm.loadavg, not kern.loadavg.

From patrick keshishian

Revision 1.187 / (download) - annotate - [select for diffs], Thu Oct 27 10:48:25 2016 UTC (7 years, 7 months ago) by schwarze
Branch: MAIN
Changes since 1.186: +2 -1 lines
Diff to previous 1.186 (colored)

For consistency, allow symlinkat(2) in the same way as symlink(2);
no need to wait until the first program using it breaks...
"could make sense" semarie@ (and thanks for the cluestick)
OK deraadt@

Revision 1.186 / (download) - annotate - [select for diffs], Fri Oct 21 06:56:38 2016 UTC (7 years, 7 months ago) by mlarkin
Branch: MAIN
Changes since 1.185: +2 -2 lines
Diff to previous 1.185 (colored)

pledge changes needed to support pledging vmd(8) on i386, forthcoming.

ok deraadt@

Revision 1.185 / (download) - annotate - [select for diffs], Thu Oct 6 04:39:30 2016 UTC (7 years, 8 months ago) by jsg
Branch: MAIN
Changes since 1.184: +2 -2 lines
Diff to previous 1.184 (colored)

In pledge_namei_wlpath() if resolvpath() errors out early it will not
set variables that will be later used as the size argument to
free(NULL) calls.  This should be harmless as free returns early if the
address is NULL without checking the size.  Initialise these variables
before the call to ensure they are never passed to another function
uninitialised.

ok tedu@ millert@ deraadt@

Revision 1.184 / (download) - annotate - [select for diffs], Wed Oct 5 05:22:02 2016 UTC (7 years, 8 months ago) by guenther
Branch: MAIN
Changes since 1.183: +13 -12 lines
Diff to previous 1.183 (colored)

Display the process's PID with p->p_p->ps_pid, not p->p_pid.
Use a local variable struct process *pr to simplify expressions

ok deraadt@

Revision 1.183 / (download) - annotate - [select for diffs], Sat Sep 17 00:42:35 2016 UTC (7 years, 8 months ago) by tedu
Branch: MAIN
Changes since 1.182: +4 -3 lines
Diff to previous 1.182 (colored)

NPF > 0 is a better test than SMALL for presence of pf.
ok deraadt

Revision 1.182 / (download) - annotate - [select for diffs], Sun Sep 4 17:22:40 2016 UTC (7 years, 9 months ago) by jsing
Branch: MAIN
Changes since 1.181: +1 -2 lines
Diff to previous 1.181 (colored)

Remove sys_o58_kill since OpenBSD 6.0 has been tagged/released.

ok deraadt@

Revision 1.181 / (download) - annotate - [select for diffs], Wed Aug 31 07:22:43 2016 UTC (7 years, 9 months ago) by ratchov
Branch: MAIN
Changes since 1.180: +0 -5 lines
Diff to previous 1.180 (colored)

Delete unused ioctls and associated macros. Move macros that are still
used internally by low-level drivers from sys/audioio.h to
dev/audio_if.h instead of deleting them.

Revision 1.180 / (download) - annotate - [select for diffs], Thu Jul 28 12:12:16 2016 UTC (7 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.179: +1 -1 lines
Diff to previous 1.179 (colored)

Revert previous commit

Revision 1.179 / (download) - annotate - [select for diffs], Thu Jul 28 12:08:14 2016 UTC (7 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.178: +2 -2 lines
Diff to previous 1.178 (colored)

Convert ifq_deq_{begin,rollback,commit} dance to a single ifq_dequeue

Revision 1.178 / (download) - annotate - [select for diffs], Tue Jul 12 06:06:34 2016 UTC (7 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.177: +4 -11 lines
Diff to previous 1.177 (colored)

remove more noisy messages in "sendfd" and "recvfd"

Revision 1.177 / (download) - annotate - [select for diffs], Mon Jul 11 19:11:34 2016 UTC (7 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.176: +2 -4 lines
Diff to previous 1.176 (colored)

be less noisy on console in case of "recvfd" refusal
ok semarie

Revision 1.176 / (download) - annotate - [select for diffs], Sun Jul 10 14:21:24 2016 UTC (7 years, 11 months ago) by semarie
Branch: MAIN
Changes since 1.175: +4 -4 lines
Diff to previous 1.175 (colored)

pledge: use uint64_t instead of int for temporary storing a 64bit integer

affects only 32-bit platforms (like i386).

problem spotted and diff from pelikan@

ok deraadt@ jca@

Revision 1.175 / (download) - annotate - [select for diffs], Sun Jul 10 00:39:23 2016 UTC (7 years, 11 months ago) by guenther
Branch: MAIN
Changes since 1.174: +3 -2 lines
Diff to previous 1.174 (colored)

Paranoia: check KTRPOINT() before calling ktrpledge() to guarantee we
can't (in the future) loop from ktrace writing hitting a pledge condition.

diff from Michal Mazurek (akfaew (at) jasminek.net)

Revision 1.174 / (download) - annotate - [select for diffs], Sun Jul 3 04:36:08 2016 UTC (7 years, 11 months ago) by semarie
Branch: MAIN
Changes since 1.173: +11 -6 lines
Diff to previous 1.173 (colored)

introduces new promise "chown" to allow changing owner/group with *chown(2) family

it splits PLEDGE_FATTR in two ("fattr" still grants the 2 flags, so no functional changes):
  - PLEDGE_CHOWN : to be able to call *chown(2) syscalls
  - PLEDGE_FATTR : the rest

it introduces "chown" which grants:
  - PLEDGE_CHOWN : be able to call *chown(2)
  - PLEDGE_CHOWNUID : be able to modify owner/group

ok deraadt@ tedu@

Revision 1.173 / (download) - annotate - [select for diffs], Tue Jun 28 04:27:58 2016 UTC (7 years, 11 months ago) by semarie
Branch: MAIN
Changes since 1.172: +2 -2 lines
Diff to previous 1.172 (colored)

in pledgereq (the array for doing correspondence between textual promise as in pledge(2) and internal PLEDGE_* flag), the flags member should be a uint64_t and not an int.

ok deraadt@

Revision 1.172 / (download) - annotate - [select for diffs], Mon Jun 27 16:49:45 2016 UTC (7 years, 11 months ago) by jsing
Branch: MAIN
Changes since 1.171: +2 -1 lines
Diff to previous 1.171 (colored)

Restore the sys_o58_kill system call.

By keeping both the new (sys_kill/sys_thrkill) and old (sys_o58_kill)
system calls for the OpenBSD 6.0 release, code that uses either of these
mechanisms will work on both of the supported OpenBSD releases. This
provides a clean transition for runtimes that make direct system calls
(namely the Go programming language).

This requires a minimal amount of non-intrusive code and does not block
development progress within OpenBSD.

ok deraadt@ guenther@

Revision 1.171 / (download) - annotate - [select for diffs], Mon Jun 27 16:33:48 2016 UTC (7 years, 11 months ago) by jca
Branch: MAIN
Changes since 1.170: +2 -1 lines
Diff to previous 1.170 (colored)

Implement IPV6_MINHOPCOUNT support.

Useful to implement GTSM support in daemons such as bgpd(8). Diff from
2013 revived by renato@.  Input from bluhm@, ok bluhm@ deraadt@

Revision 1.170 / (download) - annotate - [select for diffs], Tue Jun 7 01:31:54 2016 UTC (8 years ago) by tedu
Branch: MAIN
Changes since 1.169: +2 -2 lines
Diff to previous 1.169 (colored)

per trending style, add continue to empty loops.
ok mglocker

Revision 1.169 / (download) - annotate - [select for diffs], Tue May 31 22:14:43 2016 UTC (8 years ago) by deraadt
Branch: MAIN
Changes since 1.168: +1 -2 lines
Diff to previous 1.168 (colored)

sys_o58_kill is no longer needed for compat.
ok guenther sthen

Revision 1.168 / (download) - annotate - [select for diffs], Tue May 31 22:12:26 2016 UTC (8 years ago) by deraadt
Branch: MAIN
Changes since 1.167: +1 -2 lines
Diff to previous 1.167 (colored)

sys_osendsyslog can go away; we have transitioned to the new version with
a flags argument
ok guenther sthen

Revision 1.167 / (download) - annotate - [select for diffs], Fri May 27 16:33:55 2016 UTC (8 years ago) by deraadt
Branch: MAIN
Changes since 1.166: +2 -2 lines
Diff to previous 1.166 (colored)

rename(2) operation requires "rpath cpath" at the underlying operation
(the src path lookup is considered a rpath operation)
noticed by kristaps, discussed with semarie

Revision 1.166 / (download) - annotate - [select for diffs], Sun May 15 05:04:28 2016 UTC (8 years ago) by semarie
Branch: MAIN
Changes since 1.165: +1 -3 lines
Diff to previous 1.165 (colored)

remove chroot(2) from allowed syscalls under pledge(2).

please note that chrooted processes are still possible with pledge(2), but only
if the chroot(2) is done *before* calling pledge(2). Once pledged, no more
chroot(2) calls are permitted.

Revision 1.165 / (download) - annotate - [select for diffs], Thu Apr 28 14:25:08 2016 UTC (8 years, 1 month ago) by beck
Branch: MAIN
Changes since 1.164: +73 -61 lines
Diff to previous 1.164 (colored)

1) Split pledge whitelist path handling out of pledge_namei() and into
   pledge_namei_wlpath(). Call the wlpath check only at the end of namei
   after the namei lookup would otherwise succeed.
2) Add support to namei to keep the path that was looked up, without the
   symlinks in it, and use that path for whitelist path lookups. This
   means that paths in pledge whitelists will need to always be the
   real path to an intended file to whitelist, without symlinks. Any
   symlinks to the "real" file will then be allowed
ok deraadt@ semarie@

Revision 1.164 / (download) - annotate - [select for diffs], Mon Apr 25 10:01:23 2016 UTC (8 years, 1 month ago) by semarie
Branch: MAIN
Changes since 1.163: +9 -11 lines
Diff to previous 1.163 (colored)

simplifies the check for allowing only promise
reductions.

ok deraadt@

Revision 1.163 / (download) - annotate - [select for diffs], Mon Apr 25 09:58:23 2016 UTC (8 years, 1 month ago) by semarie
Branch: MAIN
Changes since 1.162: +1 -4 lines
Diff to previous 1.162 (colored)

removes an unneeded check on flags (used historically when tame(2) was using
bitflags)

ok deraadt@ jca@

Revision 1.162 / (download) - annotate - [select for diffs], Wed Mar 30 07:49:11 2016 UTC (8 years, 2 months ago) by guenther
Branch: MAIN
Changes since 1.161: +3 -2 lines
Diff to previous 1.161 (colored)

Add getlogin_r syscall that checks and returns errors like userspace
getlogin_r() API; keep existing syscall as getlogin59 for temporary compat.

ok kettenis@ deraadt@

Revision 1.161 / (download) - annotate - [select for diffs], Fri Mar 25 17:25:36 2016 UTC (8 years, 2 months ago) by semarie
Branch: MAIN
Changes since 1.160: +2 -2 lines
Diff to previous 1.160 (colored)

Silences compiler warnings about variables used uninitialized. These lengths
are passed uninitialized to free(9) only when the pointers are NULL.

found by jsg@
ok deraadt@

Revision 1.160 / (download) - annotate - [select for diffs], Tue Mar 22 05:59:17 2016 UTC (8 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.159: +2 -1 lines
Diff to previous 1.159 (colored)

allow fpathconf() in stdio mode, since it is an innocuous query
system call.  discussed with semarie and everyone else during
the 5.9 lock.

Revision 1.159 / (download) - annotate - [select for diffs], Mon Mar 21 22:41:29 2016 UTC (8 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.158: +2 -2 lines
Diff to previous 1.158 (colored)

Rename the system call sendsyslog2 to sendsyslog.  Keep the old one
as osendsyslog for a while.  The three argument variant is the only
one that will stay.
input kettenis@;  OK deraadt@

Revision 1.149.2.1 / (download) - annotate - [select for diffs], Wed Mar 16 08:30:01 2016 UTC (8 years, 2 months ago) by semarie
Branch: OPENBSD_5_9
Changes since 1.149: +2 -2 lines
Diff to previous 1.149 (colored) next main 1.150 (colored)

Incorrect path processing in pledge_namei() could result in unexpected
program termination of pledge(2)'d programs.

Expand path variable size to +1 in order to add extra byte for canonpath()
processing.

-current was fixed by a large rewrite of canonpath().

ok deraadt@ tedu@

Revision 1.158 / (download) - annotate - [select for diffs], Wed Mar 16 06:46:39 2016 UTC (8 years, 2 months ago) by ratchov
Branch: MAIN
Changes since 1.157: +4 -0 lines
Diff to previous 1.157 (colored)

Expose new audio ioctls that do one thing only: start and stop DMA,
set and get parameters. This is much simpler.

ok semarie, armani, tweaks from jmc

Revision 1.157 / (download) - annotate - [select for diffs], Tue Mar 15 15:10:09 2016 UTC (8 years, 2 months ago) by semarie
Branch: MAIN
Changes since 1.156: +73 -64 lines
Diff to previous 1.156 (colored)

pledge: wl_paths: resolvpath() logic error

prepend chroot value *after* canonicalization and not before.

Revision 1.156 / (download) - annotate - [select for diffs], Tue Mar 15 15:05:23 2016 UTC (8 years, 2 months ago) by semarie
Branch: MAIN
Changes since 1.155: +4 -2 lines
Diff to previous 1.155 (colored)

pledge: wl_paths: corrects a memory leak in error code path and an evaluation
order ("a += b > c" is the same as "a += (b > c)" which is wrong here)

ok jca@

Revision 1.155 / (download) - annotate - [select for diffs], Sun Mar 13 18:40:52 2016 UTC (8 years, 3 months ago) by semarie
Branch: MAIN
Changes since 1.154: +5 -1 lines
Diff to previous 1.154 (colored)

keep disabled wl_paths for now. the expensiveness impact needs to be better
considered.

ok deraadt@

Revision 1.154 / (download) - annotate - [select for diffs], Sun Mar 13 15:27:21 2016 UTC (8 years, 3 months ago) by semarie
Branch: MAIN
Changes since 1.153: +1 -4 lines
Diff to previous 1.153 (colored)

reenable wl_paths (whitelisted-paths) in pledge(2)

Revision 1.153 / (download) - annotate - [select for diffs], Sun Mar 13 15:05:15 2016 UTC (8 years, 3 months ago) by semarie
Branch: MAIN
Changes since 1.152: +29 -14 lines
Diff to previous 1.152 (colored)

pledge: replace #if 0 printf with DNPRINTF macro

Revision 1.152 / (download) - annotate - [select for diffs], Sun Mar 13 14:27:18 2016 UTC (8 years, 3 months ago) by semarie
Branch: MAIN
Changes since 1.151: +173 -113 lines
Diff to previous 1.151 (colored)

pledge: let wl_paths work well with chroot

it factors path resolution into a resolvpath() function, and uses it in
sys_pledge() and pledge_namei().

please note that wl_paths is still disabled.

Revision 1.151 / (download) - annotate - [select for diffs], Sun Mar 13 04:51:59 2016 UTC (8 years, 3 months ago) by semarie
Branch: MAIN
Changes since 1.150: +25 -47 lines
Diff to previous 1.150 (colored)

corrects an off-by-one error in pledge_namei()

- rewrite canonpath() to not require extra byte before shrinking
- make canonpath() error not fatal for the caller (proposition from tedu@)

ok millert@ tedu@ deraadt@

Revision 1.150 / (download) - annotate - [select for diffs], Fri Mar 11 05:57:16 2016 UTC (8 years, 3 months ago) by semarie
Branch: MAIN
Changes since 1.149: +17 -14 lines
Diff to previous 1.149 (colored)

pledge: define the meaning of passing NULL to one argument of pledge(2) as "I
don't want to change the current value"

it changes only the `request' argument behaviour when NULL is passed:
previously it was treated as if "" was passed.

with help from jmc@ for man-page
OK tb@ on previous version

Revision 1.149 / (download) - annotate - [select for diffs], Wed Feb 17 21:52:06 2016 UTC (8 years, 3 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE
Branch point for: OPENBSD_5_9
Changes since 1.148: +2 -2 lines
Diff to previous 1.148 (colored)

Return ENOTTY for TIOCFLUSH when allowed by pledge but the fd is
not a tty.  Fixes a pledge failure in telnet when piping the output.
OK deraadt@

Revision 1.148 / (download) - annotate - [select for diffs], Tue Jan 19 07:31:48 2016 UTC (8 years, 4 months ago) by ratchov
Branch: MAIN
Changes since 1.147: +5 -2 lines
Diff to previous 1.147 (colored)

Check if the vnode type is VBAD (corresponds to disconnected
usb devices) and return ENOTTY rather than terminating the
caller program. Found by Michael Reed <m.reed at mykolab.com>

ok semarie, deraadt

Revision 1.147 / (download) - annotate - [select for diffs], Mon Jan 18 17:19:55 2016 UTC (8 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.146: +2 -1 lines
Diff to previous 1.146 (colored)

Add SYS_truncate as a "wpath" operation.  Omission noticed by tb and sthen.

Revision 1.146 / (download) - annotate - [select for diffs], Sat Jan 9 06:13:43 2016 UTC (8 years, 5 months ago) by semarie
Branch: MAIN
Changes since 1.145: +9 -17 lines
Diff to previous 1.145 (colored)

drop "abort" promise, and make it the default behaviour.
The current code has already set it by default since 1.74

any pledge failure tries to make a coredump (default rules for coredump still
apply: so setuid binaries don't create them locally).

ok deraadt@

Revision 1.145 / (download) - annotate - [select for diffs], Fri Jan 8 11:20:58 2016 UTC (8 years, 5 months ago) by reyk
Branch: MAIN
Changes since 1.144: +21 -1 lines
Diff to previous 1.144 (colored)

Add "vmm" pledge to allow restricted ioctl access to /dev/vmm.

This will allow pledging vmd(8)'s vmm and vm processes, so that VMs
themselves run "sandboxed", including their host-side virtio layer.
It will remain disabled for now (in userland) to not get in the way
of ongoing development and upcoming changes in vmd and the ioctl
interface.

OK mlarkin@ deraadt@ "kernel side in, but not the callers in userland"

Revision 1.144 / (download) - annotate - [select for diffs], Wed Jan 6 18:43:10 2016 UTC (8 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.143: +4 -1 lines
Diff to previous 1.143 (colored)

turn off the whitepath code for now; we're not sure it's ready for release
ok deraadt

Revision 1.143 / (download) - annotate - [select for diffs], Wed Jan 6 17:59:30 2016 UTC (8 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.142: +4 -4 lines
Diff to previous 1.142 (colored)

remove unnecessary casts where the incoming type is void *.

Revision 1.142 / (download) - annotate - [select for diffs], Wed Jan 6 09:09:16 2016 UTC (8 years, 5 months ago) by kettenis
Branch: MAIN
Changes since 1.141: +21 -2 lines
Diff to previous 1.141 (colored)

Add pledge "drm", which allows a subset of the drm(4) ioctls.  These are
basically only the ioctls that Linux allows on the so-called "render nodes".
For now, it also allows DRM_IOCTL_GET_MAGIC and DRM_IOCTL_GEM_OPEN, as we
don't implement prime/dma-buf yet in OpenBSD.  That still leaves a big gaping
hole, so they will be removed as soon as we can.

Based on a diff by robert@, who did all the heavy lifting by studying the
behaviour of the chromium GPU process, with some further suggestions by
deraadt@.

ok jsg@, deraadt@, robert@

Revision 1.141 / (download) - annotate - [select for diffs], Tue Jan 5 18:09:24 2016 UTC (8 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.140: +3 -3 lines
Diff to previous 1.140 (colored)

annoying whitespace

Revision 1.140 / (download) - annotate - [select for diffs], Sun Dec 27 16:36:07 2015 UTC (8 years, 5 months ago) by tb
Branch: MAIN
Changes since 1.139: +2 -2 lines
Diff to previous 1.139 (colored)

Add missing #include "audio.h".  Fixes sndiod pledge issue reported by
timo.myyra () wickedbsd ! net, thanks!
While there, remove extraneous "pty.h".

ok deraadt@

Revision 1.139 / (download) - annotate - [select for diffs], Sun Dec 27 01:37:46 2015 UTC (8 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.138: +4 -3 lines
Diff to previous 1.138 (colored)

wrap "audio" pledge code in NAUDIO > 0, because there are a few
GENERIC kernels which lack audio drivers.

Revision 1.138 / (download) - annotate - [select for diffs], Wed Dec 23 21:07:57 2015 UTC (8 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.137: +3 -1 lines
Diff to previous 1.137 (colored)

pledge "audio" code block must be !SMALL_KERNEL

Revision 1.137 / (download) - annotate - [select for diffs], Wed Dec 23 20:09:47 2015 UTC (8 years, 5 months ago) by ratchov
Branch: MAIN
Changes since 1.136: +17 -1 lines
Diff to previous 1.136 (colored)

If PLEDGE_AUDIO is set, allow audio(4) ioctls necessary
to use raw audio devices.

ok deraadt, semarie

Revision 1.136 / (download) - annotate - [select for diffs], Sun Dec 6 17:50:21 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.135: +4 -4 lines
Diff to previous 1.135 (colored)

Change kernel internal pledge variables to 64bit (to prepare for more
extensions).  This change is exposed in ktrace.out files
ok semarie

Revision 1.135 / (download) - annotate - [select for diffs], Sat Dec 5 19:21:49 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.134: +2 -1 lines
Diff to previous 1.134 (colored)

Study of kernel code complete. Permit ioctl SIOCGIFMEDIA for pledge
"route", which krw and mestre will be able to use in dhclient(8).

Revision 1.134 / (download) - annotate - [select for diffs], Fri Dec 4 16:56:35 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.133: +2 -1 lines
Diff to previous 1.133 (colored)

allow utrace(2) by default.
conversation with jsg

Revision 1.133 / (download) - annotate - [select for diffs], Fri Dec 4 13:05:34 2015 UTC (8 years, 6 months ago) by semarie
Branch: MAIN
Changes since 1.132: +25 -7 lines
Diff to previous 1.132 (colored)

remove PLEDGE_INET granting when using "getpw" in YP environment

it makes PLEDGE_YPACTIVE enough for doing required networking with YP. It
should permit bringing YP internals into the light.

discussed with deraadt@

Revision 1.132 / (download) - annotate - [select for diffs], Fri Dec 4 07:33:05 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.131: +6 -1 lines
Diff to previous 1.131 (colored)

Add pledge "dpath", which provides access to mknod(2) and mkfifo(2).
This will be required to keep pax/tar/cpio at otherwise very high levels
of pledge (and we will see where else it is beneficial).
Allocate a bit for pledge "audio", which will be coming soon.
good discussions with semarie

Revision 1.131 / (download) - annotate - [select for diffs], Fri Dec 4 06:01:55 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.130: +3 -3 lines
Diff to previous 1.130 (colored)

Do not think atomicity is required here.  In any case, prepare for
ps_pledge to become 64-bits over the next few days (things are getting
a bit tight; most newer pledges will be quite device-driver specific)

Revision 1.130 / (download) - annotate - [select for diffs], Thu Dec 3 16:50:44 2015 UTC (8 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.129: +1 -8 lines
Diff to previous 1.129 (colored)

Remove the /usr/share/nls/ exception from pledge(2).  The libc
native language support was deleted a month ago at u2k15.
OK semarie@ deraadt@

Revision 1.129 / (download) - annotate - [select for diffs], Thu Dec 3 16:05:51 2015 UTC (8 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.128: +2 -1 lines
Diff to previous 1.128 (colored)

pledge(pf) needs to allow DIOCKILLSRCNODES, used in relayd.
ok deraadt@

Revision 1.128 / (download) - annotate - [select for diffs], Sun Nov 29 03:23:19 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.127: +3 -1 lines
Diff to previous 1.127 (colored)

On a SMALL_KERNEL, pledge "pf" has to be a no-op.  We cannot match
the device node (since it does not exist...)

Revision 1.127 / (download) - annotate - [select for diffs], Sun Nov 29 01:15:49 2015 UTC (8 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.126: +26 -3 lines
Diff to previous 1.126 (colored)

Add pledge "pf" which allows ioctls on pf(4). This will be used by
relayd and other programs manipulating the packet filter.
ok deraadt@

Revision 1.126 / (download) - annotate - [select for diffs], Sat Nov 28 18:10:12 2015 UTC (8 years, 6 months ago) by benno
Branch: MAIN
Changes since 1.125: +2 -1 lines
Diff to previous 1.125 (colored)

pledge: allow getsockopt IP_IPDEFTTL with promise inet
then relayd's host check engine can be pledged.
ok reyk@, approach suggested by deraadt@ weeks ago.

Revision 1.125 / (download) - annotate - [select for diffs], Fri Nov 27 18:54:47 2015 UTC (8 years, 6 months ago) by jca
Branch: MAIN
Changes since 1.124: +3 -1 lines
Diff to previous 1.124 (colored)

Two additional ioctls for pledge("disklabel"), needed by installboot.

Committing on behalf of tb@, problem reported by Rolf Sommerhalder on misc@.

Revision 1.124 / (download) - annotate - [select for diffs], Wed Nov 25 15:53:01 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.123: +5 -1 lines
Diff to previous 1.123 (colored)

permit kern.maxpartitions

Revision 1.123 / (download) - annotate - [select for diffs], Tue Nov 24 23:59:22 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.122: +11 -1 lines
Diff to previous 1.122 (colored)

Add sendsyslog2(), which accepts the syslog/openlog "logopt" flag
LOG_CONS. If syslogd is not accepting messages, direct them to the console.
This allows us to remove the direct /dev/console opening code from the
bowels of libc.  Of course, that forgotten code was exposed by pledge.
ok kettenis millert beck

Revision 1.122 / (download) - annotate - [select for diffs], Mon Nov 23 21:32:29 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.121: +3 -3 lines
Diff to previous 1.121 (colored)

the "getpw" test for /dev/tty is only needed for readpassphrase(3),
getpass(3), so don't specifically allow it for "rpath" (rpath will
accept it in the end, unless it is on the whitelist)

Revision 1.121 / (download) - annotate - [select for diffs], Mon Nov 23 07:23:24 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.120: +2 -1 lines
Diff to previous 1.120 (colored)

need sys/device.h

Revision 1.120 / (download) - annotate - [select for diffs], Sun Nov 22 18:50:45 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.119: +12 -1 lines
Diff to previous 1.119 (colored)

For "disklabel", allow sysctl mach.chr2kblk and ioctl BIOCINQ/BIOCVOL
also, to satisfy midlayers that some fs/install tools need.

Revision 1.119 / (download) - annotate - [select for diffs], Sun Nov 22 18:48:16 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.118: +3 -1 lines
Diff to previous 1.118 (colored)

"getpw" should also allow access to /etc/netid
discovered by rpe

Revision 1.118 / (download) - annotate - [select for diffs], Fri Nov 20 20:59:52 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.117: +2 -1 lines
Diff to previous 1.117 (colored)

Permit msync(2) in the "stdio" set; only a few programs use it related
to mmap, but thinking about it nothing feels risky
Long discussions with florian

Revision 1.117 / (download) - annotate - [select for diffs], Fri Nov 20 16:06:54 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.116: +33 -1 lines
Diff to previous 1.116 (colored)

Add pledge "disklabel", which allows sysctl kern.rawpartition, a
few disklabel ioctls, and the DIOCMAP ioctl against /dev/diskmap used
to translate duid numbers into partitions.
This will allow pledging of at least 12 disk/filesystem aware
programs; due to the negative impact that diff will wait a bit so
everyone has a chance to update their kernels.
ok semarie

Revision 1.116 / (download) - annotate - [select for diffs], Fri Nov 20 07:15:30 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.115: +3 -1 lines
Diff to previous 1.115 (colored)

Exempt accept(2) from the pledge_socket() check part of the "domain"
check.  You cannot open a socket in a domain unless permitted -- but
you need to be able to accept one if the code flow asks for that to
happen.  The most recent check is too tight. We may need to iterate the
policy here until we hit the right vibe...

Revision 1.115 / (download) - annotate - [select for diffs], Wed Nov 18 08:24:22 2015 UTC (8 years, 6 months ago) by semarie
Branch: MAIN
Changes since 1.114: +25 -9 lines
Diff to previous 1.114 (colored)

check domain and state of socket against pledge promise.

ok deraadt@

Revision 1.114 / (download) - annotate - [select for diffs], Tue Nov 17 15:03:53 2015 UTC (8 years, 6 months ago) by sthen
Branch: MAIN
Changes since 1.113: +2 -1 lines
Diff to previous 1.113 (colored)

backout removal of SYS_break from stdio, suggested by deraadt@

ports using base gcc with PCH include: boost, keepassx, wxWidgets, jdk

Revision 1.113 / (download) - annotate - [select for diffs], Tue Nov 17 04:09:35 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.112: +24 -12 lines
Diff to previous 1.112 (colored)

Allow sysctl kern.clockrate, kern.argmax, kern.ngroups, kern.sysvshm,
and kern.posix1version.  Enough to satisfy getconf, and I hope we
don't need to add much more after this.
Largely from jca

Revision 1.112 / (download) - annotate - [select for diffs], Mon Nov 16 21:20:20 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.111: +2 -1 lines
Diff to previous 1.111 (colored)

Allow TIOCEXT in pledge "tty"
Discussed with millert

Revision 1.111 / (download) - annotate - [select for diffs], Mon Nov 16 18:29:35 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.110: +3 -1 lines
Diff to previous 1.110 (colored)

Permit revoke(2) for a pledge "rpath tty"
ok millert semarie tedu guenther

Revision 1.110 / (download) - annotate - [select for diffs], Mon Nov 16 17:41:45 2015 UTC (8 years, 6 months ago) by pascal
Branch: MAIN
Changes since 1.109: +1 -2 lines
Diff to previous 1.109 (colored)

brk/sbrk's use case is way too narrow to be a default stdio pledge.

Since this only affects base gcc and the ports most in need of PCHs are
compiled with ports compilers anyway, let's see what happens if we break it.

discussed with and ok deraadt@

Revision 1.109 / (download) - annotate - [select for diffs], Sat Nov 14 22:23:22 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.108: +2 -1 lines
Diff to previous 1.108 (colored)

Add pathconf() to pledge "rpath"; ok guenther

Revision 1.108 / (download) - annotate - [select for diffs], Sat Nov 14 07:02:23 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.107: +2 -1 lines
Diff to previous 1.107 (colored)

For pledge "stdio", allow the break(2) system call which backends the brk/sbrk
library routines.  The manpage declares, in bold:

     The brk() and sbrk() functions are historical curiosities left over from
     earlier days before the advent of virtual memory management.

In our base tree, only one program uses these functions -- cc1 in the
gcc toolset.  A historical curiosity using a historical curiosity, how
quaint.  brk is used because precompiled c headers are not position
independent.  Another program which relies upon brk is emacs.  Other
uses of brk are EXCEEDINGLY RARE, because most software grew up and
use modern practices such as malloc and mmap, thereby gaining ASLR
benefits.  Position independence has become an important part of
mitigations.  These two programs fight such improvements.

Permitting brk/sbrk allows the large attack surface of cc1 to be pledged.

"I would rather have cc1 pledged than purity in pledge" guenther

Revision 1.107 / (download) - annotate - [select for diffs], Fri Nov 13 17:12:01 2015 UTC (8 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.106: +2 -1 lines
Diff to previous 1.106 (colored)

Allow setsockopt IPPROTO_IPV6 IPV6_TCLASS (v4 calls this IP_TOS)

Revision 1.106 / (download) - annotate - [select for diffs], Tue Nov 10 04:30:59 2015 UTC (8 years, 7 months ago) by guenther
Branch: MAIN
Changes since 1.105: +4 -2 lines
Diff to previous 1.105 (colored)

Split the intra-thread functionality from kill(2) into its own syscall
thrkill(2), rolling the kill(2) syscall number with the ABI change to
avoid breaking binaries during the transition.  thrkill(2) includes
a 'tcb' argument that eliminates the need for locking in pthread_kill()
and simplifies pthread_cancel().  Switch __stack_smash_handler() to use
thrkill(2) and explicitly unblock SIGABRT.

Minor bump to both libc and libpthread: make sure you install a new kernel!

ok semarie@

Revision 1.105 / (download) - annotate - [select for diffs], Thu Nov 5 15:10:11 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.104: +3 -13 lines
Diff to previous 1.104 (colored)

revert sys/kern/kern_pledge.c 1.103 and reenable pledge in pwd_mkdb

ok deraadt@

Revision 1.104 / (download) - annotate - [select for diffs], Wed Nov 4 21:24:23 2015 UTC (8 years, 7 months ago) by tedu
Branch: MAIN
Changes since 1.103: +4 -4 lines
Diff to previous 1.103 (colored)

pledge_ioctl only takes files, adjust prototype. ok semarie

Revision 1.103 / (download) - annotate - [select for diffs], Wed Nov 4 19:18:21 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.102: +13 -3 lines
Diff to previous 1.102 (colored)

move /etc/spwd.db blacklist outside PLEDGE_GETPW check.
so that all pledged programs would get it instead of only ones with PLEDGE_GETPW.

ok deraadt@

Revision 1.102 / (download) - annotate - [select for diffs], Tue Nov 3 16:14:14 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.101: +11 -10 lines
Diff to previous 1.101 (colored)

pledge_aftersyscall has been reduced to one case, "getpw", to open a
window for chatting to ypserv.  This can be done in pledge_namei, so
improve system call performance by removing the pledge_aftersyscall hook.
ok semarie

Revision 1.101 / (download) - annotate - [select for diffs], Mon Nov 2 23:17:23 2015 UTC (8 years, 7 months ago) by tedu
Branch: MAIN
Changes since 1.100: +2 -2 lines
Diff to previous 1.100 (colored)

some tweaks to the signal code.
allow signals to any thread (they'll be checked within process later).
guenther also notes the pid check should be process pid, not proc pid.

Revision 1.100 / (download) - annotate - [select for diffs], Mon Nov 2 17:53:00 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.99: +40 -26 lines
Diff to previous 1.99 (colored)

use binary-search for pledge-request

(similar diff proposed by Peter J. Philipp)

"no problem" deraadt@

Revision 1.99 / (download) - annotate - [select for diffs], Mon Nov 2 16:31:55 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.98: +24 -30 lines
Diff to previous 1.98 (colored)

move the pledgenote annotation from `struct proc' to `struct nameidata'

pledgenote is used to annotate the policy for a namei context. So make it
track the nameidata.

It is expected for the caller to explicitly define the policy. It is a kernel
bug to not do so.

ok deraadt@

Revision 1.98 / (download) - annotate - [select for diffs], Mon Nov 2 15:33:40 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.97: +2 -2 lines
Diff to previous 1.97 (colored)

also handle the kill(self) case for threads; from Theo Buehler

Revision 1.97 / (download) - annotate - [select for diffs], Sun Nov 1 19:03:33 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.96: +52 -27 lines
Diff to previous 1.96 (colored)

refactor pledge_*_check and pledge_fail functions

- rename _check function without suffix: a "pledge" function called from
  anywhere is a "check" function.

- makes the pledge_fail call the responsibility of the _check function. remove it
  from the caller.

- make proper use of (potential) returned error of _check() functions.

- adds pledge_kill() and pledge_protexec()

with and OK deraadt@

Revision 1.96 / (download) - annotate - [select for diffs], Sun Nov 1 15:43:50 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.95: +2 -2 lines
Diff to previous 1.95 (colored)

Do not need to check the pledge control bits for system calls that are
PLEDGE_ALWAYS.
ok semarie

Revision 1.95 / (download) - annotate - [select for diffs], Sun Nov 1 13:01:58 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.94: +7 -8 lines
Diff to previous 1.94 (colored)

uniformize "always allowed syscalls" with pledge

- use a proper name PLEDGE_ALWAYS (suggested by deraadt@)
- unify the check for allowing it in order to allow all of them

ok deraadt@

Revision 1.94 / (download) - annotate - [select for diffs], Sat Oct 31 21:53:53 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.93: +2 -1 lines
Diff to previous 1.93 (colored)

oops, forgot pselect!  crazy how many interfaces the kernel has here.
It is just risk, risk, risk, risk.  Is there any way to unify them?

Revision 1.93 / (download) - annotate - [select for diffs], Sat Oct 31 02:46:23 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.92: +4 -4 lines
Diff to previous 1.92 (colored)

expose the sysctl backing getloadavg(3) all the time, now that more
consumers have been found.  Spotted by Nathanael Rensen

Revision 1.92 / (download) - annotate - [select for diffs], Thu Oct 29 15:04:54 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.91: +13 -1 lines
Diff to previous 1.91 (colored)

Add some setsockopt hacks for libisc, aka John Frum

Revision 1.91 / (download) - annotate - [select for diffs], Thu Oct 29 12:51:06 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.90: +105 -58 lines
Diff to previous 1.90 (colored)

Reorder system call table into sequential blocks of alike-functionality
and similar usage cases.  Should provide a bit more clarity for those
who read the kernel code.

Revision 1.90 / (download) - annotate - [select for diffs], Wed Oct 28 17:38:52 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.89: +15 -16 lines
Diff to previous 1.89 (colored)

cleanup indentation and comments in sysctl whitelist

Revision 1.89 / (download) - annotate - [select for diffs], Wed Oct 28 15:33:44 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.88: +8 -13 lines
Diff to previous 1.88 (colored)

merge whitelisted r/w paths and rd paths switch to only one. It becomes
possible due to the move of failing case later.

Revision 1.88 / (download) - annotate - [select for diffs], Wed Oct 28 14:07:58 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.87: +1 -6 lines
Diff to previous 1.87 (colored)

make sys_chroot() only allowed to be used when pledged, with "rpath id proc".

the previous check in pledge_namei() was incomplete. For using SYS_chroot we
needed "id", and we could have passed pledge_namei() just with "rpath" (without
using the now removed whitelisted entry).

the check for "rpath id proc" is now done using p_pledgenote: pledge_namei()
will check that the pledgenote is permitted by your pledge.

"go ahead" deraadt@

Revision 1.87 / (download) - annotate - [select for diffs], Wed Oct 28 13:59:07 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.86: +18 -29 lines
Diff to previous 1.86 (colored)

refactor pledge_namei() a bit

- remove all explicit checks that ensure p_pledgenote has a counterpart in
  ps_pledge by one unique check. It makes management of explicit whitelisted
  operations on some paths more simple to manage. And now, we can use
  p_pledgenote for finer checking in namei usage.

- add special case for unset p_pledgenote: the behaviour is the same as
  previously (we allow the operation with "rpath", "wpath" or "cpath" request)
  but it should be changed soon to be more strict.

"go ahead" deraadt@

Revision 1.86 / (download) - annotate - [select for diffs], Wed Oct 28 13:42:57 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.85: +3 -3 lines
Diff to previous 1.85 (colored)

canonpath() error isn't related to p_pledgenote requirement (only possible
error currently is ENAMETOOLONG), so don't use p_pledgenote when failing.

Revision 1.85 / (download) - annotate - [select for diffs], Wed Oct 28 13:36:38 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.84: +6 -6 lines
Diff to previous 1.84 (colored)

in pledge_namei(), move PLEDGE_EXEC check sooner: it doesn't depend on path
processing.

Revision 1.84 / (download) - annotate - [select for diffs], Wed Oct 28 12:17:20 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.83: +12 -1 lines
Diff to previous 1.83 (colored)

Prevent F_SETOWN, unless a "proc" pledge was made.

Revision 1.83 / (download) - annotate - [select for diffs], Wed Oct 28 12:03:39 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.82: +1 -5 lines
Diff to previous 1.82 (colored)

The short-lived dnssocket/dnsconnect calls are being retired because we
suspect everyone has upgraded through the approx week-long window since
SOCK_DNS became available and the libc resolver started using them.

Revision 1.82 / (download) - annotate - [select for diffs], Wed Oct 28 09:35:03 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.81: +2 -2 lines
Diff to previous 1.81 (colored)

kern.cptime is length 2

Revision 1.81 / (download) - annotate - [select for diffs], Wed Oct 28 02:12:54 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.80: +4 -1 lines
Diff to previous 1.80 (colored)

support kern.cptime also

Revision 1.80 / (download) - annotate - [select for diffs], Mon Oct 26 17:52:19 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.79: +2 -1 lines
Diff to previous 1.79 (colored)

Add ppoll() to "stdio"

Revision 1.79 / (download) - annotate - [select for diffs], Mon Oct 26 12:13:45 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.78: +2 -2 lines
Diff to previous 1.78 (colored)

Allow NET_RT_IFLIST in pledge "dns" as well

Revision 1.78 / (download) - annotate - [select for diffs], Mon Oct 26 11:17:52 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.77: +7 -4 lines
Diff to previous 1.77 (colored)

If the system call is entirely unpermitted, code will be 0, and there is
no pledge to recommend.

Revision 1.77 / (download) - annotate - [select for diffs], Mon Oct 26 11:11:45 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.76: +3 -1 lines
Diff to previous 1.76 (colored)

add setreuid/setregid to "id"

Revision 1.76 / (download) - annotate - [select for diffs], Mon Oct 26 07:44:43 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.75: +4 -4 lines
Diff to previous 1.75 (colored)

change some pledge_fail() error/code

- for PLEDGE_FATTR: the code is more accurate to be PLEDGE_FATTR, as
  p->p_pledgenote could have multiple bits inside, and it is the lack of
  PLEDGE_FATTR that makes the check fail.

- for PLEDGE_RECVFD and PLEDGE_SENDFD, change the error to be EINVAL: we fail,
  not because of lack of PLEDGE_RECVFD / PLEDGE_SENDFD permission, but because
  the value passed is invalid in a pledged program (for example trying to send a
  VDIR).

"go ahead" deraadt@

Revision 1.75 / (download) - annotate - [select for diffs], Mon Oct 26 07:24:20 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.74: +12 -5 lines
Diff to previous 1.74 (colored)

make pledge_check(), used for syscall check with pledge, return an error and
provide the required pledge request for pledge_fail().

ok deraadt@

Revision 1.74 / (download) - annotate - [select for diffs], Sun Oct 25 20:39:54 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.73: +156 -144 lines
Diff to previous 1.73 (colored)

Fold "malloc" into "stdio" and -- recognizing that no program so far has
used less than "stdio" -- include all the "self" operations.  Instead of
different defines, use regular PLEDGE_* in the "p_pledgenote" variable
(which indicates the operation subtype a system call is performing).  Many
checks are now easier to understand.  p_pledgenote can often be passed
directly to ktrace, so that kdump says:
 15565 test     CALL  pledge(0xa9a3f804c51,0)
 15565 test     STRU  pledge request="stdio"
 15565 test     RET   pledge 0
 15565 test     CALL  open(0xa9a3f804c57,0x2<O_RDWR>)
 15565 test     NAMI  "/tmp/testfile"
 15565 test     PLDG  open, "wpath", errno 1 Operation not permitted
with help from semarie, ok guenther

Revision 1.73 / (download) - annotate - [select for diffs], Sun Oct 25 17:45:29 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.72: +13 -13 lines
Diff to previous 1.72 (colored)

pledge_sockopt_check is shared between setsockopt/getsockopt.  nicm
found the first case of "get allowed, set not allowed".  Tiny
refactoring of that.

Revision 1.72 / (download) - annotate - [select for diffs], Sun Oct 25 11:09:28 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.71: +21 -21 lines
Diff to previous 1.71 (colored)

reorder some checks in pledge_namei() in order to properly work.

mainly move read/write whitelisted paths, which should be checked *before*
checking if you have PLEDGE_WPATH.

with and ok deraadt@

Revision 1.71 / (download) - annotate - [select for diffs], Sun Oct 25 10:30:58 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.70: +4 -1 lines
Diff to previous 1.70 (colored)

ps(1) needs sysctl KERN_PROC_CWD exposed as well in the pledge "ps" set.
hit by czarkoff

Revision 1.70 / (download) - annotate - [select for diffs], Sun Oct 25 01:57:09 2015 UTC (8 years, 7 months ago) by millert
Branch: MAIN
Changes since 1.69: +4 -5 lines
Diff to previous 1.69 (colored)

For SYS_open let the /dev/null special case match if any TMN_RPATH,
TMN_WPATH or both are set in p_pledgenote.  Matches the style used
for /dev/tty special cases (among others).  From deraadt@

Revision 1.69 / (download) - annotate - [select for diffs], Sun Oct 25 00:02:00 2015 UTC (8 years, 7 months ago) by nicm
Branch: MAIN
Changes since 1.68: +5 -1 lines
Diff to previous 1.68 (colored)

Allow getsockopt(IP_OPTIONS) (with inet), needed by portmap (for RPC).

ok deraadt

Revision 1.68 / (download) - annotate - [select for diffs], Fri Oct 23 15:53:49 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.67: +5 -4 lines
Diff to previous 1.67 (colored)

Allow SIOCGIFINFO_IN6

Revision 1.67 / (download) - annotate - [select for diffs], Fri Oct 23 10:22:29 2015 UTC (8 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.66: +5 -1 lines
Diff to previous 1.66 (colored)

Introduce a new sysctl NET_RT_IFNAMES that returns only ifnames to ifindex
mappings. This will be used by if_nameindex(3), if_nametoindex(3) and
if_indextoname(3) soon to fix the issues in pledge because of inet6 link
local addressing.
OK mpi@ benno@ deraadt@
The libc version will follow soon so better start updating your kernels

Revision 1.66 / (download) - annotate - [select for diffs], Fri Oct 23 01:10:01 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.65: +72 -1 lines
Diff to previous 1.65 (colored)

Add 3 new pledge requests.  "ps" exposes enough sysctl information for
ps-style programs (there are quite a few in the tree, including tmux).
"vminfo" exposes a bit more system operation information, which many
observation programs want (such as top).  settime allows setting the system
time, and will be used to pledge-protect the last ntpd process.

Revision 1.65 / (download) - annotate - [select for diffs], Fri Oct 23 00:56:52 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.64: +4 -1 lines
Diff to previous 1.64 (colored)

Allow hw.ncpu sysctl (a few reasons showed up in my mailbox rapidly..)

Revision 1.64 / (download) - annotate - [select for diffs], Thu Oct 22 11:01:43 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.63: +1 -2 lines
Diff to previous 1.63 (colored)

Further study shows "route" should allow all address families in NET_RT_DUMP.
With benno

Revision 1.63 / (download) - annotate - [select for diffs], Thu Oct 22 10:35:23 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.62: +2 -6 lines
Diff to previous 1.62 (colored)

After some consideration, simply allow TIOCSCTTY in the "tty" pledge.
Discussion with nicm.

Revision 1.62 / (download) - annotate - [select for diffs], Tue Oct 20 18:04:03 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.61: +13 -26 lines
Diff to previous 1.61 (colored)

At guenther's suggestion replace dnssocket() with a SOCK_DNS flag on
socket().  Without pledge, all other socket behaviours become permitted,
except this one case: connect/send* only works to *:53.  In pledge mode,
a very few are further restricted.  Some backwards compatibility for
the dnssocket/dnsconnect calls will remain in the tree temporarily so
that people can build through the transition.
ok tedu guenther semarie

Revision 1.61 / (download) - annotate - [select for diffs], Tue Oct 20 17:44:48 2015 UTC (8 years, 7 months ago) by reyk
Branch: MAIN
Changes since 1.60: +2 -1 lines
Diff to previous 1.60 (colored)

Add SIOCGIFGMEMB to "route" (returns a list of all interfaces that are
members of the given group).  This is used by some parse.y.

OK deraadt@

Revision 1.60 / (download) - annotate - [select for diffs], Tue Oct 20 06:40:00 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.59: +48 -5 lines
Diff to previous 1.59 (colored)

clear whitelisted-paths view in pledge.

the following diff adds a clear view of whitelisted-paths in pledge.

before, whitelisting the "/usr/local/bin" path would make only the "/usr/local/bin"
VNODE present and leave "/usr/local", "/usr", and "/" as ENOENT. It was a
somewhat odd filesystem hierarchy, and it broke realpath(3).

with this diff, the directories that are one of the parents of a
whitelisted-directory become visible to stat(2) related syscalls, but only
with restricted permissions: stat(2) will lie a bit, saying they are owned by
root:wheel and the mode is --x--x--x. Note that only stat(2) is affected by this
"view", and the owner/mode aren't effectively changed: it is just a "lie".

while here, refactor pledge_namei() a bit in order to avoid multiple for-loops
over the whitelisted-path array.

ok deraadt@

Revision 1.59 / (download) - annotate - [select for diffs], Tue Oct 20 05:18:34 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.58: +2 -1 lines
Diff to previous 1.58 (colored)

allow SO_ERROR all the time

Revision 1.58 / (download) - annotate - [select for diffs], Tue Oct 20 01:44:00 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.57: +29 -6 lines
Diff to previous 1.57 (colored)

Always allow the setsockopt & getsockopt system calls... however, in the
default case only allows SOL_SOCKET SO_RCVBUF which is very common in
network-facing daemons.  Many of them manage this on a socket after
dropping abilities which can get them _new_ sockets.. syslogd, bgpd,
relayd, etc etc.  Other sockopts still require specific pledges.
Tested by bluhm.

Revision 1.57 / (download) - annotate - [select for diffs], Mon Oct 19 16:20:56 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.56: +4 -2 lines
Diff to previous 1.56 (colored)

Allow setpriority in "proc" as well, since a few shells have a "nice"
builtin.  Make a note that setpriority() should be weakened, unless "id"
is also present.
pointed out by Theo Buehler

Revision 1.56 / (download) - annotate - [select for diffs], Mon Oct 19 12:55:32 2015 UTC (8 years, 7 months ago) by nicm
Branch: MAIN
Changes since 1.55: +6 -6 lines
Diff to previous 1.55 (colored)

Print vnode type for sendfd/recvfd not file type, ok semarie

Revision 1.55 / (download) - annotate - [select for diffs], Sun Oct 18 20:15:10 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.54: +39 -108 lines
Diff to previous 1.54 (colored)

Instead of fragile CMSG parsing, control pledge "sendfd" and "recvfd"
in unp_internalize and unp_externalize.
ok kettenis guenther

Revision 1.54 / (download) - annotate - [select for diffs], Sun Oct 18 05:26:55 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.53: +2 -10 lines
Diff to previous 1.53 (colored)

move SS_DNS socket check from kern_pledge.c to sys_generic.c

this check has nothing to do with pledge(2). make it live in the sys_ioctl() call.

while here, move the (fp == NULL) check early and remove duplicate check from
pledge_ioctl_check().

ok guenther@ deraadt@

Revision 1.53 / (download) - annotate - [select for diffs], Sun Oct 18 04:21:39 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.52: +2 -1 lines
Diff to previous 1.52 (colored)

getting sloppy, lost a }

Revision 1.52 / (download) - annotate - [select for diffs], Sun Oct 18 03:30:01 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.51: +9 -1 lines
Diff to previous 1.51 (colored)

Move your drink further away...  When a program pledged "getpw" fails to
get a response from a YP server, it will open "/dev/tty" and spit out:
    'YP server for domain %s not responding, still trying'
For now allow open of /dev/tty for "getpw".  I hope to re-architect the
libc:YP communication protocol (strategy similar to syslog->sendsyslog,
isatty->fcntl, dnssocket/dnsconnect) and then we can reevaluate this.

Revision 1.51 / (download) - annotate - [select for diffs], Sun Oct 18 01:53:31 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.50: +3 -3 lines
Diff to previous 1.50 (colored)

TIOCSTI and TIOCSCTTY; oops got the condition backwards.

Revision 1.50 / (download) - annotate - [select for diffs], Sun Oct 18 01:07:19 2015 UTC (8 years, 7 months ago) by doug
Branch: MAIN
Changes since 1.49: +8 -1 lines
Diff to previous 1.49 (colored)

Allow read/write access to /dev/tty when using "tty" pledge.

Without this change, you need "rpath" and "wpath" to open /dev/tty.  Some
applications explicitly open /dev/tty, but deraadt@ found the most
common use is indirectly via readpassphrase().

tweak and ok deraadt@
pre-tweak ok millert@, semarie@

Revision 1.49 / (download) - annotate - [select for diffs], Sun Oct 18 00:04:43 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.48: +32 -65 lines
Diff to previous 1.48 (colored)

Add two new system calls: dnssocket() and dnsconnect().  This creates a
SS_DNS tagged socket which has limited functionality (for example, you
cannot accept on them...)  The libc resolver will switch to using these,
therefore pledge can identify a DNS transaction better.
ok tedu guenther kettenis beck and others

Revision 1.48 / (download) - annotate - [select for diffs], Sat Oct 17 23:50:04 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.47: +2 -1 lines
Diff to previous 1.47 (colored)

naddy asks me if __tfork should be allowed by "proc".  yes!
We may need a better semantic later ("thread"?), but this allows
progress, and people can report their experiences.

Revision 1.47 / (download) - annotate - [select for diffs], Sat Oct 17 23:12:46 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.46: +3 -4 lines
Diff to previous 1.46 (colored)

Allow the nasty ioctl TIOCSTI in "tty", but also require the "proc"
permission.  For now, we'll tighten it down further later.

Revision 1.46 / (download) - annotate - [select for diffs], Sat Oct 17 23:04:06 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.45: +3 -3 lines
Diff to previous 1.45 (colored)

better wording in a comment

Revision 1.45 / (download) - annotate - [select for diffs], Sat Oct 17 23:01:37 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.44: +4 -7 lines
Diff to previous 1.44 (colored)

Unify TIOCGPGRP/TIOCGWINSZ/TIOCGWINSZ behaviour regarding ENOTTY return.
(both "tty" and "ioctl" allow these; they should behave the same)

Revision 1.44 / (download) - annotate - [select for diffs], Sat Oct 17 22:58:30 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.43: +6 -1 lines
Diff to previous 1.43 (colored)

Allow TIOCSCTTY on tty devices, if the pledge says "tty id"
worked out with nicm

Revision 1.43 / (download) - annotate - [select for diffs], Sat Oct 17 22:54:23 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.42: +4 -4 lines
Diff to previous 1.42 (colored)

whitespace

Revision 1.42 / (download) - annotate - [select for diffs], Sat Oct 17 04:31:10 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.41: +16 -7 lines
Diff to previous 1.41 (colored)

Add pledge "id" support.  This request permits setuid/seteuid/setresuid,
setgid/setegid/setresgid, setgroups, setlogin, and setpriority.

setrlimit and getpriority are also allowed (they are also in "proc")

some of these were previously permitted in "proc" but have been removed.
this separation is intentional.  "proc" is intended for reasoning about
the relationship of a process "with other processes", whereas "id" deals with
the powerful/dangerous concept of unix ids.  "id" will see some action
very soon.

ok gilles tedu semarie doug

Revision 1.41 / (download) - annotate - [select for diffs], Sat Oct 17 00:58:50 2015 UTC (8 years, 7 months ago) by jca
Branch: MAIN
Changes since 1.40: +4 -1 lines
Diff to previous 1.40 (colored)

Allow a few 'get' ioctls for pledge("route").  route6d will soon use this.

ok deraadt@

Revision 1.40 / (download) - annotate - [select for diffs], Fri Oct 16 23:00:01 2015 UTC (8 years, 7 months ago) by jca
Branch: MAIN
Changes since 1.39: +2 -2 lines
Diff to previous 1.39 (colored)

Also allow 6 as a miblen for NET_RT_DUMP, not all users specify a rtable.

ok deraadt@

Revision 1.39 / (download) - annotate - [select for diffs], Fri Oct 16 17:03:31 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.38: +5 -1 lines
Diff to previous 1.38 (colored)

Repair the pty check for kernels without pty support.

Revision 1.38 / (download) - annotate - [select for diffs], Fri Oct 16 15:39:14 2015 UTC (8 years, 7 months ago) by nicm
Branch: MAIN
Changes since 1.37: +14 -1 lines
Diff to previous 1.37 (colored)

Allow PTMGET with "tty rpath wpath" but restrict only to /dev/ptm by
checking cdevsw. ok deraadt

Revision 1.37 / (download) - annotate - [select for diffs], Fri Oct 16 14:20:48 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.36: +8 -1 lines
Diff to previous 1.36 (colored)

Always allow a r/w opening of /dev/null through the namei check.  This
pattern is common, especially because of daemon(3) usage.  Will probably
help some daemons move their pledge() calls further upwards.
ok doug

Revision 1.36 / (download) - annotate - [select for diffs], Fri Oct 16 14:04:11 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.35: +1 -12 lines
Diff to previous 1.35 (colored)

delete pledge_bind_check() function and remove pledge_bind_check() call from sys_bind().

bind(2) still requires PLEDGE_INET or PLEDGE_UNIX in order to be called, due to
the SYS_bind entry in the pledge_syscalls array. The diff also restores the ability for
PLEDGE_UNIX to call bind(2) (the pledge_bind_check function missed that).

problem spotted by doug@
OK deraadt@

Revision 1.35 / (download) - annotate - [select for diffs], Fri Oct 16 14:00:37 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.34: +6 -6 lines
Diff to previous 1.34 (colored)

Place TIOCSTI reminder block better

Revision 1.34 / (download) - annotate - [select for diffs], Fri Oct 16 13:59:58 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.33: +3 -3 lines
Diff to previous 1.33 (colored)

For "tty" pledges, treat TIOCGPGRP and TIOCGWINSZ like TIOCGETA -
returning ENOTTY instead of killing the process.

Revision 1.33 / (download) - annotate - [select for diffs], Fri Oct 16 13:37:43 2015 UTC (8 years, 7 months ago) by millert
Branch: MAIN
Changes since 1.32: +13 -3 lines
Diff to previous 1.32 (colored)

Implement real "flock" request and add it to userland programs that
use pledge and file locking.  OK deraadt@

Revision 1.32 / (download) - annotate - [select for diffs], Fri Oct 16 06:42:02 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.31: +1 -4 lines
Diff to previous 1.31 (colored)

FIOSETOWN/FIOGETOWN were added to "ioctl", but study finds no programs
currently needing them.  delete 'em for now.
ok doug

Revision 1.31 / (download) - annotate - [select for diffs], Fri Oct 16 06:40:53 2015 UTC (8 years, 7 months ago) by doug
Branch: MAIN
Changes since 1.30: +3 -1 lines
Diff to previous 1.30 (colored)

Add TIOCCBRK and TIOCSDTR to the whitelist for pledge ioctl.

cu(1) uses these.

ok deraadt@

Revision 1.30 / (download) - annotate - [select for diffs], Thu Oct 15 17:55:41 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.29: +2 -1 lines
Diff to previous 1.29 (colored)

Add TIOCFLUSH to "tty" in support of tcflush()

Revision 1.29 / (download) - annotate - [select for diffs], Thu Oct 15 17:50:05 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.28: +1 -2 lines
Diff to previous 1.28 (colored)

Exposing FIOASYNC in pledge "ioctl" is a mistake; remove it, as I cannot find safe uses of it

Revision 1.28 / (download) - annotate - [select for diffs], Thu Oct 15 04:58:54 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.27: +3 -3 lines
Diff to previous 1.27 (colored)

FIOCLEX & FIONCLEX should be in base ioctl set

Revision 1.27 / (download) - annotate - [select for diffs], Wed Oct 14 23:15:37 2015 UTC (8 years, 7 months ago) by sthen
Branch: MAIN
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored)

FALTHROUGH->FALLTHROUGH in comment, ok deraadt a few days ago

Revision 1.26 / (download) - annotate - [select for diffs], Wed Oct 14 22:34:47 2015 UTC (8 years, 7 months ago) by millert
Branch: MAIN
Changes since 1.25: +3 -3 lines
Diff to previous 1.25 (colored)

Add a dummy "flock" request that will allow file locking.  It is
not currently enforced but we want the kernel to be able to parse
it for an upcoming diff in the next few days.

Revision 1.25 / (download) - annotate - [select for diffs], Wed Oct 14 14:24:03 2015 UTC (8 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.24: +13 -1 lines
Diff to previous 1.24 (colored)

When pledged with "fattr", allow chown to supplementary groups.  This
came out of a discussion regarding "sort foo -o foo".
ok semarie

Revision 1.24 / (download) - annotate - [select for diffs], Wed Oct 14 04:05:43 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.23: +2 -1 lines
Diff to previous 1.23 (colored)

pledge "tty" can allow ioctl TIOCEXCL on a tty

Revision 1.23 / (download) - annotate - [select for diffs], Wed Oct 14 03:27:02 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.22: +4 -4 lines
Diff to previous 1.22 (colored)

sendmsg() is allowed to pass cmsg's which are not CMSG_RIGHTS - last
refactoring inverted the checks; spotted by sthen in ping6.

Revision 1.22 / (download) - annotate - [select for diffs], Tue Oct 13 20:00:49 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.21: +4 -1 lines
Diff to previous 1.21 (colored)

3 more headers required for one stinking inet6 ioctl..

Revision 1.21 / (download) - annotate - [select for diffs], Tue Oct 13 18:42:06 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.20: +2 -1 lines
Diff to previous 1.20 (colored)

Allow ioctl SIOCGNBRINFO_IN6 in case of "route", for use by ndp.

Revision 1.20 / (download) - annotate - [select for diffs], Tue Oct 13 18:38:34 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.19: +3 -2 lines
Diff to previous 1.19 (colored)

NET_RT_FLAGS must also accept a proto selection.

Revision 1.19 / (download) - annotate - [select for diffs], Tue Oct 13 16:09:24 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.18: +3 -1 lines
Diff to previous 1.18 (colored)

allow getsockopt IP_RECVDSTPORT & IPV6_RECVDSTPORT for an "inet" pledge

Revision 1.18 / (download) - annotate - [select for diffs], Tue Oct 13 00:03:42 2015 UTC (8 years, 8 months ago) by doug
Branch: MAIN
Changes since 1.17: +2 -1 lines
Diff to previous 1.17 (colored)

Pledge "fattr" request should allow fchflags().

"add it" deraadt@

Revision 1.17 / (download) - annotate - [select for diffs], Mon Oct 12 23:16:23 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.16: +2 -1 lines
Diff to previous 1.16 (colored)

pledge "proc" request should allow setsid()

Revision 1.16 / (download) - annotate - [select for diffs], Mon Oct 12 21:43:20 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.15: +1 -2 lines
Diff to previous 1.15 (colored)

Remove the "cmsg" attribute, as promised.  Use "sendfd" or "recvfd",
depending on what you need.  inet/inet6 cmsg's come through unmolested --
that is something to consider later.

Revision 1.15 / (download) - annotate - [select for diffs], Sun Oct 11 16:19:48 2015 UTC (8 years, 8 months ago) by semarie
Branch: MAIN
Changes since 1.14: +6 -1 lines
Diff to previous 1.14 (colored)

add a missed check for PLEDGE_RPATH when reading a file.

ok deraadt@

Revision 1.14 / (download) - annotate - [select for diffs], Sun Oct 11 16:01:06 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.13: +2 -1 lines
Diff to previous 1.13 (colored)

sigaltstack is directly used by setjmp on some architectures. it only
refers to the process itself.  pledge should allow it.

Revision 1.13 / (download) - annotate - [select for diffs], Sun Oct 11 15:40:48 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.12: +13 -13 lines
Diff to previous 1.12 (colored)

put TIOCSWINSZ in the right block "tty", not in "ioctl".  this happened
because the "route" tests were placed between the two, creating
confusion.  fix that while here.

Revision 1.12 / (download) - annotate - [select for diffs], Sun Oct 11 15:25:39 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.11: +2 -1 lines
Diff to previous 1.11 (colored)

In pledge "tty", allow TIOCSWINSZ.  stty(1) is the obvious silly use.
The more important use will be tmux(1) and other active window size
controlling programs. There seems little risk in exposing this small
tty setting alongside the tcsetattr() family.
ok millert

Revision 1.11 / (download) - annotate - [select for diffs], Sun Oct 11 01:56:56 2015 UTC (8 years, 8 months ago) by guenther
Branch: MAIN
Changes since 1.10: +2 -1 lines
Diff to previous 1.10 (colored)

__get_tcb() is needed for errno access in threaded programs on some archs.
Make it always available.

ok deraadt@

Revision 1.10 / (download) - annotate - [select for diffs], Sat Oct 10 19:15:53 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored)

For pledge, sigsuspend() is affecting the behaviour of a process itself,
so we should allow it for 'self'.
ok djm

Revision 1.9 / (download) - annotate - [select for diffs], Sat Oct 10 16:35:08 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.8: +6 -3 lines
Diff to previous 1.8 (colored)

shuffle #ifdef TIOCSTI block to avoid a future /*FALLTHROUGH*/ mistake.

Revision 1.8 / (download) - annotate - [select for diffs], Sat Oct 10 14:48:03 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.7: +4 -1 lines
Diff to previous 1.7 (colored)

allow sysctl of kern.clockrate

Revision 1.7 / (download) - annotate - [select for diffs], Sat Oct 10 14:46:15 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.6: +6 -1 lines
Diff to previous 1.6 (colored)

I forgot execve would go through the namei codepath, so a program marked
"stdio rpath" would fail to execve.  pre-indicate exec actions to the
namei checker to allow them through.
ok semarie

Revision 1.6 / (download) - annotate - [select for diffs], Fri Oct 9 23:55:03 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.5: +2 -2 lines
Diff to previous 1.5 (colored)

Allow kill(self, sig) in pledge SELF also.  the stack protector, abort(),
and readpassphrase() in particular use this.
ok millert tedu semarie

Revision 1.5 / (download) - annotate - [select for diffs], Fri Oct 9 17:18:20 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.4: +3 -2 lines
Diff to previous 1.4 (colored)

Have not come up with a great pattern for flock() yet.  flock() is permitted
by "getpw" because libc getpw*/getgr* use open() of /var/run/ypbind.lock plus
flock() to detect YP running.  The kernel observes this dance to "open up" the
YP door (ugliness should drive us to rewrite this mechanism from SunOS later).

however, flock is also used independently.  Current users are
    htpasswd mail skeyinit tmux authpf pwd_mkdb ldapd smtpd ypbind
    login_token mail.local lockspool
Let's enable flock() for "cpath", and see if that helps these programs,
otherwise we'll try "wpath" next.

Revision 1.4 / (download) - annotate - [select for diffs], Fri Oct 9 05:30:03 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +7 -1 lines
Diff to previous 1.3 (colored)

shortcircuit TIOCGETA to directly return ENOTTY for non-ttys.  It could
be called against a non-tty fd, so as to test "is this a tty".  Discovered
by sthen and rob pierce at the same time.

Revision 1.3 / (download) - annotate - [select for diffs], Fri Oct 9 02:44:22 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +2 -2 lines
Diff to previous 1.2 (colored)

stardate 93370.16: a whitespace appears to have entered our quadrant...

Revision 1.2 / (download) - annotate - [select for diffs], Fri Oct 9 02:36:46 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.1: +3 -3 lines
Diff to previous 1.1 (colored)

multicast test backwards; noted by renato

Revision 1.1 / (download) - annotate - [select for diffs], Fri Oct 9 01:17:21 2015 UTC (8 years, 8 months ago) by deraadt
Branch: MAIN

Rename tame() to pledge().  This fairly interface has evolved to be more
strict than anticipated.  It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
