authorAlexander Bluhm <bluhm@cvs.openbsd.org>2017-06-07 20:54:00 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2017-06-07 20:54:00 +0000
commit7afeb6ba75089e0db28885d40c6d2baccfb3dba9 (patch)
tree04e233a45ee1b206d68a1774ad466f48dee2cad9 /sys
parent83c1ef03e8607db835a5b6a50a27636e0554c50b (diff)
Add an acct(5) flag for pledge violations. Then lastcomm(1) shows
when something went wrong. This allows monitoring whether the system is under attack and that the attack has been prevented by OpenBSD pledge(2). OK deraadt@ millert@ jmc@
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/kern_pledge.c4
-rw-r--r--sys/sys/acct.h3
2 files changed, 5 insertions, 2 deletions
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index d25eb9df103..a23b8d21d28 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.211 2017/06/03 04:34:41 tb Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.212 2017/06/07 20:53:59 bluhm Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -32,6 +32,7 @@
#include <sys/mman.h>
#include <sys/sysctl.h>
#include <sys/ktrace.h>
+#include <sys/acct.h>
#include <sys/ioctl.h>
#include <sys/termios.h>
@@ -581,6 +582,7 @@ pledge_fail(struct proc *p, int error, uint64_t code)
}
printf("%s(%d): syscall %d \"%s\"\n", p->p_p->ps_comm, p->p_p->ps_pid,
p->p_pledge_syscall, codes);
+ p->p_p->ps_acflag |= APLEDGE;
#ifdef KTRACE
if (KTRPOINT(p, KTR_PLEDGE))
ktrpledge(p, error, code, p->p_pledge_syscall);
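Review bot: The added `p->p_p->ps_acflag |= APLEDGE;` has no comment, so a reader of pledge_fail gets no hint why accounting state is touched between the console printf and the ktrace record; a one-line comment such as `/* mark the acct(5) record so lastcomm(1) shows the violation */` would tie it to the purpose given in the commit message. The update is also a plain read-modify-write on a per-process field reached through a thread pointer, so it is worth confirming that the locking held on this path serialises it against other writers of ps_acflag; that cannot be seen from the hunk. pledge_fail starts before and continues after this hunk, so whether an earlier return can skip the flag, which would leave a violation out of the accounting record, cannot be checked here.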
diff --git a/sys/sys/acct.h b/sys/sys/acct.h
index d55b036fba8..efcb03e2411 100644
--- a/sys/sys/acct.h
+++ b/sys/sys/acct.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: acct.h,v 1.5 2012/07/16 15:20:38 deraadt Exp $ */
+/* $OpenBSD: acct.h,v 1.6 2017/06/07 20:53:59 bluhm Exp $ */
/* $NetBSD: acct.h,v 1.16 1995/03/26 20:23:52 jtc Exp $ */
/*-
@@ -61,6 +61,7 @@ struct acct {
#define ACOMPAT 0x04 /* used compatibility mode */
#define ACORE 0x08 /* dumped core */
#define AXSIG 0x10 /* killed by a signal */
+#define APLEDGE 0x20 /* killed due to pledge violation */
u_int8_t ac_flag; /* accounting flags */
};