summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTheo de Raadt <deraadt@cvs.openbsd.org>2015-10-06 15:21:27 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2015-10-06 15:21:27 +0000
commit7752716ab06a6d64834016a0ff71351501b8297e (patch)
tree51380045b22bca3033694f785416c46dc90894e4
parent2b7e1ba212e541c909cf6e78db703c91b697a46c (diff)
Add new "tty" request, which allows TIOCGETA, TIOCGPGRP, TIOCGWINSZ,
TIOCSBRK, TIOCCDTR, TIOCSETA, TIOCSETAW, and TIOCSETAF on tty vnodes. This helps programs which call tcsetattr(), tcgetattr(), or readpassphrase(). Especially the latter - tame's goal is to satisfy the libc requirements of security-sensitive programs. Remove TIOCSETAF from the basic "ioctl" request, because it is a "set" option. "ioctl" is slowly turning into a "request information, cannot set options" package. Split the "cmsg" request into "sendfd" and "recvfd". Non-SCM_RIGHTS messages are currently flowing through freely and we'll need to think about that. This split lets us more strictly describe what our many fd-passing programs will do.
-rw-r--r--sys/kern/kern_tame.c58
-rw-r--r--sys/sys/param.h4
-rw-r--r--sys/sys/tame.h11
3 files changed, 44 insertions, 29 deletions
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index 0c36fb6293c..73f83a5c9fa 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_tame.c,v 1.61 2015/10/06 14:55:41 claudio Exp $ */
+/* $OpenBSD: kern_tame.c,v 1.62 2015/10/06 15:21:26 deraadt Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -142,7 +142,7 @@ const u_int tame_syscalls[SYS_MAXSYSCALL] = {
[SYS_setresuid] = TAME_PROC,
/* FIONREAD/FIONBIO, plus further checks in tame_ioctl_check() */
- [SYS_ioctl] = TAME_RW | TAME_IOCTL,
+ [SYS_ioctl] = TAME_RW | TAME_IOCTL | TAME_TTY,
[SYS_getentropy] = TAME_MALLOC,
[SYS_madvise] = TAME_MALLOC,
@@ -226,10 +226,13 @@ static const struct {
{ "tmppath", TAME_SELF | TAME_RW | TAME_TMPPATH },
{ "inet", TAME_SELF | TAME_RW | TAME_INET },
{ "unix", TAME_SELF | TAME_RW | TAME_UNIX },
- { "cmsg", TAME_SELF | TAME_RW | TAME_UNIX | TAME_CMSG },
{ "dns", TAME_SELF | TAME_MALLOC | TAME_DNSPATH },
- { "ioctl", TAME_IOCTL },
{ "getpw", TAME_SELF | TAME_MALLOC | TAME_RW | TAME_GETPW },
+/*X*/ { "cmsg", TAME_UNIX | TAME_INET | TAME_SENDFD | TAME_RECVFD },
+ { "sendfd", TAME_RW | TAME_SENDFD },
+ { "recvfd", TAME_RW | TAME_RECVFD },
+ { "ioctl", TAME_IOCTL },
+ { "tty", TAME_TTY },
{ "proc", TAME_PROC },
{ "cpath", TAME_CPATH },
{ "abort", TAME_ABORT },
@@ -671,7 +674,7 @@ tame_aftersyscall(struct proc *p, int code, int error)
* By default, only the advisory cmsg's can be received from the kernel,
* such as TIMESTAMP ntpd.
*
- * If TAME_CMSG is set SCM_RIGHTS is also allowed through for a carefully
+ * If TAME_RECVFD is set SCM_RIGHTS is also allowed in for a carefully
* selected set of descriptors (specifically to exclude directories).
*
* This results in a kill upon recv, if some other process on the system
@@ -707,8 +710,8 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control)
if (cmsg == NULL)
return (0);
- if ((p->p_p->ps_tame & TAME_CMSG) == 0)
- return tame_fail(p, EPERM, TAME_CMSG);
+ if ((p->p_p->ps_tame & TAME_RECVFD) == 0)
+ return tame_fail(p, EPERM, TAME_RECVFD);
/* In OpenBSD, a CMSG only contains one SCM_RIGHTS. Check it. */
fdp = (int *)CMSG_DATA(cmsg);
@@ -720,7 +723,7 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control)
fd = *fdp++;
fp = fd_getfile(p->p_fd, fd);
if (fp == NULL)
- return tame_fail(p, EBADF, TAME_CMSG);
+ return tame_fail(p, EBADF, TAME_RECVFD);
/* Only allow passing of sockets, pipes, and pure files */
switch (fp->f_type) {
@@ -735,7 +738,7 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control)
default:
break;
}
- return tame_fail(p, EPERM, TAME_CMSG);
+ return tame_fail(p, EPERM, TAME_RECVFD);
}
return (0);
}
@@ -757,8 +760,8 @@ tame_cmsg_send(struct proc *p, struct mbuf *control)
if ((p->p_p->ps_flags & PS_TAMED) == 0)
return (0);
- if ((p->p_p->ps_tame & TAME_CMSG) == 0)
- return tame_fail(p, EPERM, TAME_CMSG);
+ if ((p->p_p->ps_tame & TAME_SENDFD) == 0)
+ return tame_fail(p, EPERM, TAME_SENDFD);
/* Scan the cmsg */
cmsg = mtod(control, struct cmsghdr *);
@@ -778,7 +781,7 @@ tame_cmsg_send(struct proc *p, struct mbuf *control)
fd = *fdp++;
fp = fd_getfile(p->p_fd, fd);
if (fp == NULL)
- return tame_fail(p, EBADF, TAME_CMSG);
+ return tame_fail(p, EBADF, TAME_SENDFD);
/* Only allow passing of sockets, pipes, and pure files */
switch (fp->f_type) {
@@ -794,7 +797,7 @@ tame_cmsg_send(struct proc *p, struct mbuf *control)
break;
}
/* Not allowed to send a bad fd type */
- return tame_fail(p, EPERM, TAME_CMSG);
+ return tame_fail(p, EPERM, TAME_SENDFD);
}
return (0);
}
@@ -996,9 +999,6 @@ tame_ioctl_check(struct proc *p, long com, void *v)
case TIOCGETA:
case TIOCGPGRP:
case TIOCGWINSZ: /* various programs */
- case TIOCSTI: /* ksh? csh? */
- case TIOCSBRK: /* cu */
- case TIOCCDTR: /* cu */
if (fp->f_type == DTYPE_VNODE && (vp->v_flag & VISTTY))
return (0);
break;
@@ -1007,10 +1007,6 @@ tame_ioctl_check(struct proc *p, long com, void *v)
fp->f_ops->fo_ioctl == vn_ioctl)
return (0);
break;
- case TIOCSETAF: /* tcsetattr TCSAFLUSH, script */
- if (fp->f_type == DTYPE_VNODE && (vp->v_flag & VISTTY))
- return (0);
- break;
case MTIOCGET:
case MTIOCTOP:
/* for pax(1) and such, checking tapes... */
@@ -1026,8 +1022,26 @@ tame_ioctl_check(struct proc *p, long com, void *v)
}
}
- printf("tame: ioctl %lx\n", com);
- return (EPERM);
+ if ((p->p_p->ps_tame & TAME_TTY)) {
+ switch (com) {
+ case TIOCGETA:
+ case TIOCGPGRP:
+ case TIOCGWINSZ: /* various programs */
+#if notyet
+ case TIOCSTI: /* ksh? csh? */
+#endif
+ case TIOCSBRK: /* cu */
+ case TIOCCDTR: /* cu */
+ case TIOCSETA: /* cu, ... */
+ case TIOCSETAW: /* cu, ... */
+ case TIOCSETAF: /* tcsetattr TCSAFLUSH, script */
+ if (fp->f_type == DTYPE_VNODE && (vp->v_flag & VISTTY))
+ return (0);
+ break;
+ }
+ }
+
+ return tame_fail(p, EPERM, TAME_IOCTL);
}
int
diff --git a/sys/sys/param.h b/sys/sys/param.h
index 68c3ef4c117..8d7a7c32c2d 100644
--- a/sys/sys/param.h
+++ b/sys/sys/param.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: param.h,v 1.118 2015/07/02 01:34:00 dlg Exp $ */
+/* $OpenBSD: param.h,v 1.119 2015/10/06 15:21:26 deraadt Exp $ */
/*-
* Copyright (c) 1982, 1986, 1989, 1993
@@ -38,8 +38,6 @@
#define _SYS_PARAM_H_
#define BSD 199306 /* System version (year & month). */
-#define BSD4_3 1
-#define BSD4_4 1
#define OpenBSD 201510 /* OpenBSD version (year & month). */
#define OpenBSD5_8 1 /* OpenBSD 5.8 */
diff --git a/sys/sys/tame.h b/sys/sys/tame.h
index c553729ce02..8cfbd036b6a 100644
--- a/sys/sys/tame.h
+++ b/sys/sys/tame.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tame.h,v 1.9 2015/10/06 14:55:41 claudio Exp $ */
+/* $OpenBSD: tame.h,v 1.10 2015/10/06 15:21:26 deraadt Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -33,13 +33,16 @@
#define TAME_TMPPATH 0x00000040 /* for mk*temp() */
#define TAME_INET 0x00000080 /* AF_INET/AF_INET6 sockets */
#define TAME_UNIX 0x00000100 /* AF_UNIX sockets */
-#define TAME_CMSG 0x00000200 /* AF_UNIX CMSG fd passing */
-#define TAME_IOCTL 0x00000400 /* scary */
-#define TAME_GETPW 0x00000800 /* enough to enable YP */
+// reuse, old CMSG 0x00000200
+#define TAME_IOCTL 0x00000400 /* Select ioctl */
+#define TAME_GETPW 0x00000800 /* YP enables if ypbind.lock */
#define TAME_PROC 0x00001000 /* fork, waitpid, etc */
#define TAME_CPATH 0x00002000 /* allow creat, mkdir, path creations */
#define TAME_FATTR 0x00004000 /* allow explicit file st_* mods */
#define TAME_PROTEXEC 0x00008000 /* allow use of PROT_EXEC */
+#define TAME_TTY 0x00010000 /* tty setting */
+#define TAME_SENDFD 0x00020000 /* AF_UNIX CMSG fd sending */
+#define TAME_RECVFD 0x00040000 /* AF_UNIX CMSG fd receiving */
#define TAME_ABORT 0x08000000 /* SIGABRT instead of SIGKILL */