| field | value | date |
|---|---|---|
| author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2017-12-12 01:12:35 +0000 |
| committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2017-12-12 01:12:35 +0000 |
| commit | 52c1fc97f7c1ade9cf0ebc1b5a041fed194d6e10 (patch) | |
| tree | 50d1dbcc20f2803520428374fc6888b81a4bfcd0 /lib/libc | |
| parent | 35baa3704589ea7646058be964552054fbd60816 (diff) | |
pledge()'s 2nd argument becomes char *execpromises, which becomes the
pledge for a new execve image immediately upon start. Also introduces
"error" which makes violations return -1 ENOSYS instead of killing the
program ("error" may not be handed to a setuid/setgid program, which
may be missing/ignoring syscall return values and would continue with
inconsistent state)
Discussion with many
florian has used this to improve the strictness of a daemon
Diffstat (limited to 'lib/libc')
| mode | path | lines changed |
|---|---|---|
| -rw-r--r-- | lib/libc/sys/execve.2 | 10 |
| -rw-r--r-- | lib/libc/sys/pledge.2 | 82 |

2 files changed, 48 insertions, 44 deletions
diff --git a/lib/libc/sys/execve.2 b/lib/libc/sys/execve.2 index 5deb91919ee..7a5ab854249 100644 --- a/lib/libc/sys/execve.2 +++ b/lib/libc/sys/execve.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: execve.2,v 1.50 2017/04/13 21:49:11 millert Exp $ +.\" $OpenBSD: execve.2,v 1.51 2017/12/12 01:12:34 deraadt Exp $ .\" $NetBSD: execve.2,v 1.9 1995/02/27 12:32:25 cgd Exp $ .\" .\" Copyright (c) 1980, 1991, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)execve.2 8.3 (Berkeley) 1/24/94 .\" -.Dd $Mdocdate: April 13 2017 $ +.Dd $Mdocdate: December 12 2017 $ .Dt EXECVE 2 .Os .Sh NAME @@ -273,6 +273,12 @@ system not allowing such operations, being mounted without the .Xr mount 8 .Fl o Cm wxallowed flag. +.It Bq Er EACCESS +The parent used +.Xr pledge 2 +to declare an +.Va execpromise , +and that is not permitted for setuid or setgid images. .It Bq Er ENOEXEC The new process file has the appropriate access permission, but has an invalid magic number in its header. diff --git a/lib/libc/sys/pledge.2 b/lib/libc/sys/pledge.2 index e568d3d7ce5..ed80121e5fd 100644 --- a/lib/libc/sys/pledge.2 +++ b/lib/libc/sys/pledge.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pledge.2,v 1.46 2017/10/22 18:26:46 tobias Exp $ +.\" $OpenBSD: pledge.2,v 1.47 2017/12/12 01:12:34 deraadt Exp $ .\" .\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: October 22 2017 $ +.Dd $Mdocdate: December 12 2017 $ .Dt PLEDGE 2 .Os .Sh NAME @@ -23,7 +23,7 @@ .Sh SYNOPSIS .In unistd.h .Ft int -.Fn pledge "const char *promises" "const char *paths[]" +.Fn pledge "const char *promises" "const char *execpromises" .Sh DESCRIPTION The current process is forced into a restricted-service operating mode. A few subsets are available, roughly described as computation, memory 
@@ -33,7 +33,7 @@ In general, these modes were selected by studying the operation of many programs using libc and other such interfaces, and setting .Ar promises or -.Ar paths . +.Ar execpromises . .Pp Use of .Fn pledge @@ -58,7 +58,7 @@ with the flag. .Pp A -.Fa promises +.Ar promises value of "" restricts the process to the .Xr _exit 2 system call. @@ -68,9 +68,9 @@ with another process. Passing .Dv NULL to -.Fa promises +.Ar promises or -.Fa paths +.Ar execpromises specifies to not change the current value. .Pp Some system calls, when allowed, have restrictions applied to them: @@ -143,9 +143,10 @@ support: system sensor readings. .Pp .It Fn pledge -Can only reduce permissions; can only set a list of -.Pa paths -once. +Can only reduce permissions for +.Ar promises +and +.Ar execpromises. .El .Pp The @@ -466,9 +467,15 @@ Allows a process to call Coupled with the .Va proc promise, this allows a process to fork and execute another program. -The new program starts running without pledge active and hopefully -makes a new -.Fn pledge . +If +.Ar execpromises +has been previously set the new program begins with those promises, +unless setuid/setgid bits are set in which case execution is blocked with +.Er EACCESS . +Otherwise the new program starts running without pledge active, +and hopefully makes a new +.Fn pledge +soon. .It Va prot_exec Allows the use of .Dv PROT_EXEC 
@@ -552,14 +559,24 @@ for more information on using the sndio API in combination with .It Va bpf Allow .Dv BIOCGSTATS -operation for statistics collection from a bpf device. +operation for statistics collection from a +.Xr bpf 4 +device. +.It Va error +Rather than killing the process upon violation, indicate error with +.Er ENOSYS . +.Pp +Also when +.Fn pledge +is called with higher +.Ar promises +or +.Ar execpromises , +those changes will be ignored and return success. +This is useful when a parent enforces +.Ar execpromises +but an execve'd child has a different idea. .El -.Pp -A whitelist of permitted paths may be provided in -.Ar paths . -All other paths will return -.Er ENOENT . -At least one promise is required to be pledged in order to activate a whitelist. .Sh RETURN VALUES .Rv -std .Sh ERRORS @@ -567,37 +584,18 @@ At least one promise is required to be pledged in order to activate a whitelist. will fail if: .Bl -tag -width Er .It Bq Er EFAULT -.Fa paths -or one of its elements, or -.Fa promises +.Ar promises +or +.Ar execpromises points outside the process's allocated address space. .It Bq Er EINVAL .Ar promises is malformed or contains invalid keywords. -.It Bq Er ENAMETOOLONG -An element of -.Fa paths -is too large, prepending -.Fa cwd -to it would exceed -.Dv PATH_MAX -bytes, or -.Fa promises -is too long. .It Bq Er EPERM This process is attempting to increase permissions. -.It Bq Er E2BIG -The -.Ar paths -array is too large, or the total number of bytes exceeds a -system-imposed limit. -The limit in the system as released is 262144 bytes -.Pf ( Dv ARG_MAX ) . .El .Sh HISTORY The .Fn pledge system call first appeared in .Ox 5.9 . -.Sh BUGS -The path whitelist feature is not available at this time. |
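Review bot: the new ERRORS entry in execve.2 spells the errno `EACCESS`, but the symbol in <errno.h> is `EACCES`; `.It Bq Er EACCESS` should read `.It Bq Er EACCES`. In the same entry, `.Va execpromise` does not match the name used everywhere in pledge.2 (`.Ar execpromises`), and "The parent used pledge(2)" is loose: the restriction is carried by the process that calls execve(2) on its own behalf, whether or not it is anybody's parent. Suggest: `The process used .Xr pledge 2 to declare .Ar execpromises , and the new image is setuid or setgid.`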
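Review bot: the pledge.2 SYNOPSIS and DESCRIPTION hunks introduce `.Ar execpromises` next to `.Ar promises` but never say what it is; the only explanation of its meaning appears much later under the `exec` promise. A one-sentence definition belongs in DESCRIPTION, along the lines of the commit message: `.Ar execpromises` names the promises that take effect immediately in a new image started with execve(2), so a reader does not have to find the `exec` item to learn what the second argument does.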
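Review bot: in the @@ -143 hunk, `.Ar execpromises.` glues the sentence's period onto the macro argument, so it is rendered as part of the word in the argument font and mandoc's lint flags it as a trailing delimiter; the removed line had it right as `.Ar paths .`. Use `.Ar execpromises .`.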
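Review bot: in the `exec` promise hunk, `.Er EACCESS` should be `.Er EACCES` as in execve.2 (there is no EACCESS). A comma is missing after "If .Ar execpromises has been previously set". More importantly, this paragraph says execve of any setuid/setgid image fails whenever execpromises is set, while the commit message says only that "error" may not be handed to a setuid/setgid program; the two statements describe different rules, and the man page (here and in the execve.2 entry) should state whichever one the kernel actually enforces.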
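Review bot: the `error` item should spell out what a caller actually sees: the violating system call returns -1 with errno set to ENOSYS (the commit message says "return -1 ENOSYS"; "indicate error with ENOSYS" is vaguer). The second paragraph should also say plainly that a later pledge(2) call that tries to widen promises or execpromises returns 0 although nothing changed, so a program that checks `pledge() == 0` cannot tell from the return value that its request was ignored; that silent success is the behaviour a caller most needs to know about.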
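Review bot: in the ERRORS hunk, the EINVAL entry still mentions only `.Ar promises`; a malformed `.Ar execpromises` should be listed there too. The EPERM entry ("This process is attempting to increase permissions") now contradicts the `error` text above, which says such attempts return success; add a qualifier such as "unless the .Va error promise is in effect". Finally, ENAMETOOLONG is removed wholesale, but one of its causes, `.Fa promises is too long`, has nothing to do with the dropped paths whitelist; if an over-long promises string is no longer ENAMETOOLONG, the entry that now covers it (EINVAL?) should say so.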