authorBob Beck <beck@cvs.openbsd.org>2019-03-24 18:14:21 +0000
committerBob Beck <beck@cvs.openbsd.org>2019-03-24 18:14:21 +0000
commitf477606d599d447fc34dc9aa847f6cb9944e7d2b (patch)
tree00687ede34873982e69b8f0fff94702ef455ad36 /sys
parent008e6dc1e5430c28d62ccf51165e4ac6879bf85b (diff)
Make stat(2) and access(2) need UNVEIL_READ instead of UNVEIL_INSPECT
UNVEIL_INSPECT is a hack we added to get chrome/glib working. It silently adds permission for stat(2), access(2), and readlink(2) to be used on all path components of any unveil'ed path. robert@ has now successfully fixed chrome/glib to not require excessive TOC vs TOU stat(2) and access(2) calls on the paths it uses, so that this is no longer needed there. readlink(2) is the sole call that is now permitted by UNVEIL_INSPECT, and this is only needed so that realpath(3) can work. Going forward we will likely make a realpath(2), after which we can completely deprecate UNVEIL_INSPECT. ok deraadt@
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/kern_unveil.c9
-rw-r--r--sys/kern/vfs_syscalls.c6
2 files changed, 10 insertions, 5 deletions
diff --git a/sys/kern/kern_unveil.c b/sys/kern/kern_unveil.c
index e90d23e652a..ae994673694 100644
--- a/sys/kern/kern_unveil.c
+++ b/sys/kern/kern_unveil.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_unveil.c,v 1.23 2019/01/21 20:46:52 tedu Exp $ */
+/* $OpenBSD: kern_unveil.c,v 1.24 2019/03/24 18:14:20 beck Exp $ */
/*
* Copyright (c) 2017-2019 Bob Beck <beck@openbsd.org>
@@ -818,7 +818,11 @@ unveil_check_final(struct proc *p, struct nameidata *ni)
" vnode %p\n",
p->p_p->ps_comm, p->p_p->ps_pid, ni->ni_vp);
#endif
- return EACCES;
+ if (uv->uv_flags & UNVEIL_USERSET)
+ return EACCES;
+ else
+ return ENOENT;
+
}
/* directry and flags match, update match */
ni->ni_unveil_match = uv;
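Review bot: The new EACCES/ENOENT split in unveil_check_final has no comment explaining why the errno depends on UNVEIL_USERSET, and the choice is security-relevant because it decides whether a restricted process can tell a hidden directory from a missing one. I would add above the `if` something like `/* only entries the user unveiled report EACCES; others must look like a missing path */`; that reading is inferred from the commit message, so please confirm it. The debug printf just above (its start is outside the hunk) appears to print the same message for both outcomes, and the added blank line before the closing brace can be dropped. The function body starts and ends outside this hunk.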
@@ -872,6 +876,7 @@ unveil_check_final(struct proc *p, struct nameidata *ni)
printf("unveil: %s(%d) flag mismatch for terminal '%s'\n",
p->p_p->ps_comm, p->p_p->ps_pid, tname->un_name);
#endif
+ KASSERT(tname->un_flags & UNVEIL_USERSET);
return EACCES;
}
/* name and flags match in this dir. update match*/
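Review bot: The added `KASSERT(tname->un_flags & UNVEIL_USERSET)` treats a missing UNVEIL_USERSET differently from the directory branch earlier in this function, which returns ENOENT rather than asserting. If a name entry can never exist without UNVEIL_USERSET, a one-line comment stating that invariant would make the assertion self-explanatory. If it can, a DIAGNOSTIC kernel would panic during a path lookup and a non-DIAGNOSTIC one would return EACCES and reveal that the name exists, so mirroring the other branch would be safer: `return (tname->un_flags & UNVEIL_USERSET) ? EACCES : ENOENT;`. Whether such name entries can be created is not visible in this hunk.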
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 4d18d1dbef1..be31bc6229c 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vfs_syscalls.c,v 1.313 2019/01/23 00:37:51 cheloha Exp $ */
+/* $OpenBSD: vfs_syscalls.c,v 1.314 2019/03/24 18:14:20 beck Exp $ */
/* $NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $ */
/*
@@ -1817,7 +1817,7 @@ dofaccessat(struct proc *p, int fd, const char *path, int amode, int flag)
NDINITAT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, fd, path, p);
nd.ni_pledge = PLEDGE_RPATH;
- nd.ni_unveil = UNVEIL_INSPECT;
+ nd.ni_unveil = UNVEIL_READ;
if ((error = namei(&nd)) != 0)
goto out;
vp = nd.ni_vp;
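Review bot: dofaccessat now requires UNVEIL_READ regardless of `amode`, so an access(2) call with W_OK or X_OK on a path unveiled without read permission will presumably fail even where the matching open or exec would be allowed; the same applies to the dofstatat hunk that follows. If that is intended, a comment at both assignments would record it, e.g. `/* stat/access require read on the unveil, independent of the requested mode */`. The unveil(2) manual should state it as well; the diffstat shown is limited to sys, so a man page change may exist elsewhere. Both function bodies extend outside their hunks.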
@@ -1888,7 +1888,7 @@ dofstatat(struct proc *p, int fd, const char *path, struct stat *buf, int flag)
follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
NDINITAT(&nd, LOOKUP, follow | LOCKLEAF, UIO_USERSPACE, fd, path, p);
nd.ni_pledge = PLEDGE_RPATH;
- nd.ni_unveil = UNVEIL_INSPECT;
+ nd.ni_unveil = UNVEIL_READ;
if ((error = namei(&nd)) != 0)
return (error);
error = vn_stat(nd.ni_vp, &sb, p);