author | Sebastien Marie <semarie@cvs.openbsd.org> | 2015-10-28 14:07:59 +0000 |
---|---|---|
committer | Sebastien Marie <semarie@cvs.openbsd.org> | 2015-10-28 14:07:59 +0000 |
commit | 797e138cc9e968544a3f8ebae58afab26deb8751 (patch) | |
tree | 6cc412baa42c9e8ee4784b03a63c600389e0acab /sys | |
parent | 22774308f79318cd55213415e58ef00a44726e21 (diff) |
make sys_chroot() only allowed to be used when pledged, with "rpath id proc".
the previous check in pledge_namei() was incomplete. For using SYS_chroot we
needed "id", and we could have passed pledge_namei() just with "rpath" (without
using the now removed whitelisted entry).
the check for "rpath id proc" is now done using p_pledgenote: pledge_namei()
will check that the pledgenote is permitted by your pledge.
"go ahead" deraadt@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/kern_pledge.c | 7 | ||||
-rw-r--r-- | sys/kern/vfs_syscalls.c | 4 |
2 files changed, 3 insertions, 8 deletions
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index 6a50f2353cf..31a6b3e7ad6 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.87 2015/10/28 13:59:07 semarie Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.88 2015/10/28 14:07:58 semarie Exp $ */
 /*
 * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -657,11 +657,6 @@ pledge_namei(struct proc *p, char *origpath)
 strcmp(path, "/etc/resolv.conf") == 0)
 return (0);
 break;
- case SYS_chroot:
- /* Allowed for "proc id" */
- if ((p->p_p->ps_pledge & PLEDGE_PROC))
- return (0);
- break;
 }
 /*
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 02a60c90e91..ebc165ef135 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vfs_syscalls.c,v 1.234 2015/10/28 11:18:58 deraadt Exp $ */
+/* $OpenBSD: vfs_syscalls.c,v 1.235 2015/10/28 14:07:58 semarie Exp $ */
 /* $NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $ */
 /*
@@ -760,7 +760,7 @@ sys_chroot(struct proc *p, void *v, register_t *retval)
 if ((error = suser(p, 0)) != 0)
 return (error);
- p->p_pledgenote = PLEDGE_RPATH;
+ p->p_pledgenote = PLEDGE_ID | PLEDGE_PROC | PLEDGE_RPATH;
 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), p);
 if ((error = change_dir(&nd, p)) != 0) |
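Review bot: The new `p->p_pledgenote = PLEDGE_ID | PLEDGE_PROC | PLEDGE_RPATH;` in sys_chroot() now carries the whole chroot policy for pledged processes but has no comment, whereas the removed SYS_chroot case in pledge_namei() at least had `/* Allowed for "proc id" */`. I would add `/* pledged callers need all of "rpath id proc"; enforced by pledge_namei() */` directly above the assignment. The restriction only holds if pledge_namei() fails the lookup when any noted bit is missing from ps_pledge, rather than only when none of them match; that comparison is outside these hunks, so it should be confirmed against the generic pledgenote check. sys_chroot()'s body starts and ends outside the hunk.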