implement new "prot_exec" tame(2) request:

- by default, a tamed-program don't have the possibility to use PROT_EXEC for
  mmap(2) or mprotect(2)
- for that, use the request "prot_exec" (that could be dropped later)

initial idea from deraadt@ and kettenis@

"make complete sense" beck@
ok deraadt@

1 files changed, 15 insertions, 3 deletions

diff --git a/lib/libc/sys/tame.2 b/lib/libc/sys/tame.2
index 24f27e5047d..0d72a168318 100644
--- a/lib/libc/sys/tame.2
+++ b/lib/libc/sys/tame.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tame.2,v 1.29 2015/09/26 17:16:10 jmc Exp $
+.\" $OpenBSD: tame.2,v 1.30 2015/09/30 11:36:07 semarie Exp $
 .\"
 .\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 26 2015 $
+.Dd $Mdocdate: September 30 2015 $
 .Dt TAME 2
 .Os
 .Sh NAME
@@ -121,6 +121,11 @@ Read-only, for
 Setuid/setgid/sticky bits are ignored.
 The user or group cannot be changed on a file.
 .Pp
+.It Xr mmap 2
+.It Xr mprotect 2
+.Dv PROT_EXEC
+isn't allowed.
+.Pp
 .It Xr open 2
 May open
 .Pa /etc/localtime ,
@@ -387,7 +392,14 @@ Allows the following process relationship operations:
 .Xr kill 2 ,
 .Xr setgroups 2 ,
 .Xr setresgid 2 ,
-.Xr setresuid 2 ,
+.Xr setresuid 2 .
+.It Va "prot_exec"
+Allows the use of
+.Dv PROT_EXEC
+with
+.Xr mmap 2
+and
+.Xr mprotect 2 .
 .It Va "abort"
 Deliver an unblockable
 .Dv SIGABRT