author    Theo de Raadt <deraadt@cvs.openbsd.org>    2017-12-12 01:12:35 +0000
committer Theo de Raadt <deraadt@cvs.openbsd.org>    2017-12-12 01:12:35 +0000
commit    52c1fc97f7c1ade9cf0ebc1b5a041fed194d6e10 (patch)
tree      50d1dbcc20f2803520428374fc6888b81a4bfcd0 /lib
parent    35baa3704589ea7646058be964552054fbd60816 (diff)
pledge()'s 2nd argument becomes char *execpromises, which becomes the
pledge for a new execve image immediately upon start. Also introduces
"error" which makes violations return -1 ENOSYS instead of killing the
program ("error" may not be handed to a setuid/setgid program, which
may be missing/ignoring syscall return values and would continue with
inconsistent state)
Discussion with many
florian has used this to improve the strictness of a daemon
Diffstat (limited to 'lib')
-rw-r--r--  lib/libc/sys/execve.2  | 10
-rw-r--r--  lib/libc/sys/pledge.2  | 82
2 files changed, 48 insertions, 44 deletions
diff --git a/lib/libc/sys/execve.2 b/lib/libc/sys/execve.2
index 5deb91919ee..7a5ab854249 100644
--- a/lib/libc/sys/execve.2
+++ b/lib/libc/sys/execve.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: execve.2,v 1.50 2017/04/13 21:49:11 millert Exp $
+.\" $OpenBSD: execve.2,v 1.51 2017/12/12 01:12:34 deraadt Exp $
.\" $NetBSD: execve.2,v 1.9 1995/02/27 12:32:25 cgd Exp $
.\"
.\" Copyright (c) 1980, 1991, 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)execve.2 8.3 (Berkeley) 1/24/94
.\"
-.Dd $Mdocdate: April 13 2017 $
+.Dd $Mdocdate: December 12 2017 $
.Dt EXECVE 2
.Os
.Sh NAME
@@ -273,6 +273,12 @@ system not allowing such operations, being mounted without the
.Xr mount 8
.Fl o Cm wxallowed
flag.
+.It Bq Er EACCESS
+The parent used
+.Xr pledge 2
+to declare an
+.Va execpromise ,
+and that is not permitted for setuid or setgid images.
.It Bq Er ENOEXEC
The new process file has the appropriate access
permission, but has an invalid magic number in its header.
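Review bot: the errno name on the added `.It Bq Er EACCESS` line is misspelled; the symbol defined in <errno.h> is `EACCES`, so the entry should read `.It Bq Er EACCES` (the `Er` macro does not validate names, so the typo renders silently and a reader grepping for EACCES will not find it). The same entry refers to the argument as `.Va execpromise` (singular, with `Va`), while pledge.2 in this same commit consistently writes `.Ar execpromises`; use the same spelling and macro in both pages.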
diff --git a/lib/libc/sys/pledge.2 b/lib/libc/sys/pledge.2
index e568d3d7ce5..ed80121e5fd 100644
--- a/lib/libc/sys/pledge.2
+++ b/lib/libc/sys/pledge.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pledge.2,v 1.46 2017/10/22 18:26:46 tobias Exp $
+.\" $OpenBSD: pledge.2,v 1.47 2017/12/12 01:12:34 deraadt Exp $
.\"
.\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: October 22 2017 $
+.Dd $Mdocdate: December 12 2017 $
.Dt PLEDGE 2
.Os
.Sh NAME
@@ -23,7 +23,7 @@
.Sh SYNOPSIS
.In unistd.h
.Ft int
-.Fn pledge "const char *promises" "const char *paths[]"
+.Fn pledge "const char *promises" "const char *execpromises"
.Sh DESCRIPTION
The current process is forced into a restricted-service operating mode.
A few subsets are available, roughly described as computation, memory
@@ -33,7 +33,7 @@ In general, these modes were selected by studying the operation
of many programs using libc and other such interfaces, and setting
.Ar promises
or
-.Ar paths .
+.Ar execpromises .
.Pp
Use of
.Fn pledge
@@ -58,7 +58,7 @@ with the
flag.
.Pp
A
-.Fa promises
+.Ar promises
value of "" restricts the process to the
.Xr _exit 2
system call.
@@ -68,9 +68,9 @@ with another process.
Passing
.Dv NULL
to
-.Fa promises
+.Ar promises
or
-.Fa paths
+.Ar execpromises
specifies to not change the current value.
.Pp
Some system calls, when allowed, have restrictions applied to them:
@@ -143,9 +143,10 @@ support:
system sensor readings.
.Pp
.It Fn pledge
-Can only reduce permissions; can only set a list of
-.Pa paths
-once.
+Can only reduce permissions for
+.Ar promises
+and
+.Ar execpromises.
.El
.Pp
The
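Review bot: the trailing period in `.Ar execpromises.` is part of the macro argument, so it is rendered in the argument font and mandoc -Tlint will warn about it; mdoc convention is `.Ar execpromises .` with the punctuation as a separate trailing argument, which is what the `.Ar execpromises .` line in the earlier @@ -33 hunk of this file already does.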
@@ -466,9 +467,15 @@ Allows a process to call
Coupled with the
.Va proc
promise, this allows a process to fork and execute another program.
-The new program starts running without pledge active and hopefully
-makes a new
-.Fn pledge .
+If
+.Ar execpromises
+has been previously set the new program begins with those promises,
+unless setuid/setgid bits are set in which case execution is blocked with
+.Er EACCESS .
+Otherwise the new program starts running without pledge active,
+and hopefully makes a new
+.Fn pledge
+soon.
.It Va prot_exec
Allows the use of
.Dv PROT_EXEC
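Review bot: `.Er EACCESS .` in the new exec paragraph repeats the misspelling from execve.2 in this commit; the errno is `EACCES`. The sentence `has been previously set the new program begins` also needs a comma after `set`, and "execution is blocked" leaves open whether the exec fails or the process is killed; the matching execve.2 entry says execve(2) returns the error, so state that here too, e.g. `in which case` / `.Xr execve 2` / `fails with` / `.Er EACCES .`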
@@ -552,14 +559,24 @@ for more information on using the sndio API in combination with
.It Va bpf
Allow
.Dv BIOCGSTATS
-operation for statistics collection from a bpf device.
+operation for statistics collection from a
+.Xr bpf 4
+device.
+.It Va error
+Rather than killing the process upon violation, indicate error with
+.Er ENOSYS .
+.Pp
+Also when
+.Fn pledge
+is called with higher
+.Ar promises
+or
+.Ar execpromises ,
+those changes will be ignored and return success.
+This is useful when a parent enforces
+.Ar execpromises
+but an execve'd child has a different idea.
.El
-.Pp
-A whitelist of permitted paths may be provided in
-.Ar paths .
-All other paths will return
-.Er ENOENT .
-At least one promise is required to be pledged in order to activate a whitelist.
.Sh RETURN VALUES
.Rv -std
.Sh ERRORS
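Review bot: the new `error` entry omits the restriction given in the commit message, that `error` may not be handed to a setuid/setgid program; pledge.2 should state that and say how the refusal is reported, since a daemon author reading only this page would not learn of it. The second paragraph also changes the meaning of EPERM: with `error` in effect, raising `promises` or `execpromises` silently succeeds, yet the EPERM entry in ERRORS still says unconditionally "This process is attempting to increase permissions"; cross-reference the exception there or restate it here. Minor: `execve'd child` reads better as `executed child`, and "has a different idea" could be made concrete (requests promises the parent did not grant).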
@@ -567,37 +584,18 @@ At least one promise is required to be pledged in order to activate a whitelist.
will fail if:
.Bl -tag -width Er
.It Bq Er EFAULT
-.Fa paths
-or one of its elements, or
-.Fa promises
+.Ar promises
+or
+.Ar execpromises
points outside the process's allocated address space.
.It Bq Er EINVAL
.Ar promises
is malformed or contains invalid keywords.
-.It Bq Er ENAMETOOLONG
-An element of
-.Fa paths
-is too large, prepending
-.Fa cwd
-to it would exceed
-.Dv PATH_MAX
-bytes, or
-.Fa promises
-is too long.
.It Bq Er EPERM
This process is attempting to increase permissions.
-.It Bq Er E2BIG
-The
-.Ar paths
-array is too large, or the total number of bytes exceeds a
-system-imposed limit.
-The limit in the system as released is 262144 bytes
-.Pf ( Dv ARG_MAX ) .
.El
.Sh HISTORY
The
.Fn pledge
system call first appeared in
.Ox 5.9 .
-.Sh BUGS
-The path whitelist feature is not available at this time.
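Review bot: this hunk drops the ENAMETOOLONG entry along with the `paths` text, but the removed entry also covered the case `.Fa promises` / `is too long`; unless that length check was removed from the kernel as well, ERRORS should keep an ENAMETOOLONG (or E2BIG) entry for an over-long `promises` or `execpromises` string, and a length limit on `execpromises` is presumably needed now that it is a string. Removing the BUGS section is fine, since the path whitelist it described never shipped, but HISTORY then says nothing about the second argument changing from `paths` to `execpromises`; a one-line note there would help readers of older code that passed a `paths` array.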