author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2017-01-23 04:25:06 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2017-01-23 04:25:06 +0000 |
commit | c79450c75979248fff1458d7acd1302286d44035 (patch) | |
tree | c83a77c5ebcdf18c65fafeb0d7e22121efeafc5b /lib/libc/sys/pledge.2 | |
parent | 8b744ded342c9a9dbcebe93b1337bd1f0a536685 (diff) |
Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only
upon "inet". Adjust the 4 programs that care about this.
Diffstat (limited to 'lib/libc/sys/pledge.2')
-rw-r--r-- | lib/libc/sys/pledge.2 | 52 |
1 files changed, 28 insertions, 24 deletions
diff --git a/lib/libc/sys/pledge.2 b/lib/libc/sys/pledge.2 index a8fdb8e5c46..bd93d45aadd 100644 --- a/lib/libc/sys/pledge.2 +++ b/lib/libc/sys/pledge.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pledge.2,v 1.37 2016/10/27 10:48:25 schwarze Exp $ +.\" $OpenBSD: pledge.2,v 1.38 2017/01/23 04:25:05 deraadt Exp $ .\" .\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: October 27 2016 $ +.Dd $Mdocdate: January 23 2017 $ .Dt PLEDGE 2 .Os .Sh NAME @@ -76,11 +76,25 @@ Read-only, for .Pp .It Xr ioctl 2 Only the -.Dv FIONREAD +.Dv FIONREAD , +.Dv FIONBIO , +.Dv FIOCLEX , and -.Dv FIONBIO +.Dv FIONCLEX operations are allowed by default. -Use of the "tty" and "ioctl" promises receive more ioctl requests. +Various ioctl requests are allowed against specific file descriptors +based upon the requests +.Va "audio" , +.Va "bpf" , +.Va "disklabel" , +.Va "drm" , +.Va "inet" , +.Va "pf" , +.Va "route" , +.Va "tape" , +.Va "tty" , +and +.Va "vmm". .Pp .It Xr chmod 2 .It Xr fchmod 2 @@ -386,26 +400,12 @@ File descriptors referring to directories may not be passed. Allows receiving of file descriptors using .Xr recvmsg 2 . File descriptors referring to directories may not be passed. -.It Va "ioctl" -Allows a subset of -.Xr ioctl 2 -operations: -.Pp -.Dv FIOCLEX , -.Dv FIONCLEX , -.Dv FIOASYNC , -.Dv FIOGETOWN , -and -.Dv FIOSETOWN . -On a tty device -.Dv TIOCGETA will succeed otherwise fail with -.Er EPERM . -On a tty device, -.Dv TIOCGPGRP +.It Va "tape" +Allow +.Dv MTIOCGET and -.Dv TIOCGWINSZ -are allowed. -A few other operations are allowed, but not listed here. +.Dv MTIOCTOP +operations against tape drives. .It Va "tty" In addition to allowing read-write operations on .Pa /dev/tty , 
@@ -528,6 +528,10 @@ devices: .Dv AUDIO_SETPAR , .Dv AUDIO_START , .Dv AUDIO_STOP . +.It Va "bpf" +Allow +.Dv BIOCGSTATS +operation for statistics collection from a bpf device. .Pp See .Xr sio_open 3 |
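Review bot: in the @@ -76,11 +76,25 @@ hunk, "based upon the requests" should read "based upon the promises"; the items that follow (.Va "audio" through .Va "vmm") are pledge promises, not ioctl requests, and the sentence being replaced called them promises. The closing `.Va "vmm".` also puts the period inside the macro argument, while the rest of the file separates trailing punctuation (`.Xr recvmsg 2 .` in the next hunk), so it should be `.Va "vmm" .`. Separately, the commit message says SIOCGIFGROUP is now allowed only under "inet", but nothing in this hunk or elsewhere in the diff documents which ioctl requests "inet" permits; a short entry for it would keep the manual in step with the kernel change.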
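Review bot: the @@ -386,26 +400,12 @@ hunk removes the documented FIOASYNC, FIOGETOWN, FIOSETOWN, TIOCGETA, TIOCGPGRP and TIOCGWINSZ requests together with the "ioctl" promise, but the new default list in the earlier hunk only adds FIOCLEX and FIONCLEX. Either those requests are no longer allowed, in which case the removal is right, or they now live under another promise ("tty" is the obvious home for the TIOC* ones), in which case they need to be documented there; as shown, the diff leaves the reader unable to tell which. Minor style point: the new "tape" entry opens with "Allow" while the neighbouring entries use the third person ("Allows receiving of file descriptors"), so "Allows" would match.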
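Review bot: in the @@ -528,6 +528,10 @@ hunk the new `.It Va "bpf"` entry is inserted between the audio ioctl list and the `.Pp See .Xr sio_open 3` paragraph, so the sio_open(3) cross-reference that belongs to the "audio" promise now renders under "bpf". Move the four added lines below the "See .Xr sio_open 3" paragraph so each promise keeps its own text. Same wording point as the "tape" entry: "Allows" rather than "Allow" to match the surrounding entries.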