Fix vn_open to require an op of 0, and 0 or KERNELPATH only as flags.

sweep tree to correct NDIINT op and flags ahead of time. document
the requirement. This allows KERNELPATH to be used to bypass
unveil for crash dumps with nosuidcoredump=2 or 3

ok visa@ deraadt@ florian@

5 files changed, 26 insertions, 13 deletions

diff --git a/sys/kern/kern_acct.c b/sys/kern/kern_acct.c
index 7cc5dfd2cbd..6d85501d26a 100644
--- a/sys/kern/kern_acct.c
+++ b/sys/kern/kern_acct.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_acct.c,v 1.40 2019/08/15 07:29:21 anton Exp $	*/
+/*	$OpenBSD: kern_acct.c,v 1.41 2019/10/06 16:24:14 beck Exp $	*/
 /*	$NetBSD: kern_acct.c,v 1.42 1996/02/04 02:15:12 christos Exp $	*/
 
 /*-
@@ -118,7 +118,7 @@ sys_acct(struct proc *p, void *v, register_t *retval)
 	 * writing and make sure it's 'normal'.
 	 */
 	if (SCARG(uap, path) != NULL) {
-		NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path),
+		NDINIT(&nd, 0, 0, UIO_USERSPACE, SCARG(uap, path),
 		    p);
 		if ((error = vn_open(&nd, FWRITE|O_APPEND, 0)) != 0)
 			return (error);
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 39249d4118c..39bd1183d5b 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_ktrace.c,v 1.99 2018/08/05 14:23:57 beck Exp $	*/
+/*	$OpenBSD: kern_ktrace.c,v 1.100 2019/10/06 16:24:14 beck Exp $	*/
 /*	$NetBSD: kern_ktrace.c,v 1.23 1996/02/09 18:59:36 christos Exp $	*/
 
 /*
@@ -511,7 +511,7 @@ sys_ktrace(struct proc *p, void *v, register_t *retval)
 		struct nameidata nd;
 
 		cred = p->p_ucred;
-		NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, fname, p);
+		NDINIT(&nd, 0, 0, UIO_USERSPACE, fname, p);
 		nd.ni_pledge = PLEDGE_CPATH | PLEDGE_WPATH;
 		nd.ni_unveil = UNVEIL_CREATE | UNVEIL_WRITE;
 		if ((error = vn_open(&nd, FWRITE|O_NOFOLLOW, 0)) != 0)
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index ccfec90fb38..2b93e41fac7 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_sig.c,v 1.234 2019/10/03 13:58:59 deraadt Exp $	*/
+/*	$OpenBSD: kern_sig.c,v 1.235 2019/10/06 16:24:14 beck Exp $	*/
 /*	$NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $	*/
 
 /*
@@ -1593,7 +1593,8 @@ coredump(struct proc *p)
 		cred->cr_gid = 0;
 	}
 
-	NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p);
+	/* incrash should be 0 or KERNELPATH only */
+	NDINIT(&nd, 0, incrash, UIO_SYSSPACE, name, p);
 
 	error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW | O_NONBLOCK,
 	    S_IRUSR | S_IWUSR);
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 975893a171e..23a96822126 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vfs_syscalls.c,v 1.335 2019/08/31 17:59:33 beck Exp $	*/
+/*	$OpenBSD: vfs_syscalls.c,v 1.336 2019/10/06 16:24:14 beck Exp $	*/
 /*	$NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $	*/
 
 /*
@@ -1146,7 +1146,7 @@ doopenat(struct proc *p, int fd, const char *path, int oflags, mode_t mode,
 	cmode = ((mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
 	if ((p->p_p->ps_flags & PS_PLEDGE))
 		cmode &= ACCESSPERMS;
-	NDINITAT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, fd, path, p);
+	NDINITAT(&nd, 0, 0, UIO_USERSPACE, fd, path, p);
 	nd.ni_pledge = ni_pledge;
 	nd.ni_unveil = ni_unveil;
 	p->p_dupfd = -1;			/* XXX check for fdopen */
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index 353fc7a3feb..b4cdf2f06a3 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vfs_vnops.c,v 1.107 2019/08/26 18:56:29 anton Exp $	*/
+/*	$OpenBSD: vfs_vnops.c,v 1.108 2019/10/06 16:24:14 beck Exp $	*/
 /*	$NetBSD: vfs_vnops.c,v 1.20 1996/02/04 02:18:41 christos Exp $	*/
 
 /*
@@ -91,13 +91,26 @@ vn_open(struct nameidata *ndp, int fmode, int cmode)
 	struct cloneinfo *cip;
 	int error;
 
-	if ((fmode & (FREAD|FWRITE)) == 0)
+	/*
+	 * The only valid flag to pass in here from NDINIT is
+	 * KERNELPATH, This function will override the nameiop based
+	 * on the fmode and cmode flags, So validate that our caller
+	 * has not set other flags or operations in the nameidata
+	 * structure.
+	 */
+	/* XXX consider changing to KASSERT after release */
+	if (!(ndp->ni_cnd.cn_flags == 0 || ndp->ni_cnd.cn_flags == KERNELPATH))
+		return EINVAL;
+	if (!(ndp->ni_cnd.cn_nameiop == 0))
+		return EINVAL;
+
+        if ((fmode & (FREAD|FWRITE)) == 0)
 		return (EINVAL);
 	if ((fmode & (O_TRUNC | FWRITE)) == O_TRUNC)
 		return (EINVAL);
 	if (fmode & O_CREAT) {
 		ndp->ni_cnd.cn_nameiop = CREATE;
-		ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF;
+		ndp->ni_cnd.cn_flags |= LOCKPARENT | LOCKLEAF;
 		if ((fmode & O_EXCL) == 0 && (fmode & O_NOFOLLOW) == 0)
 			ndp->ni_cnd.cn_flags |= FOLLOW;
 		if ((error = namei(ndp)) != 0)
@@ -132,8 +145,7 @@ vn_open(struct nameidata *ndp, int fmode, int cmode)
 		}
 	} else {
 		ndp->ni_cnd.cn_nameiop = LOOKUP;
-		ndp->ni_cnd.cn_flags =
-		    ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | LOCKLEAF;
+		ndp->ni_cnd.cn_flags |= ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | LOCKLEAF;
 		if ((error = namei(ndp)) != 0)
 			return (error);
 		vp = ndp->ni_vp;