Age | Commit message (Collapse) | Author |
Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
messages/bytes in the TLS handshake and increases our attack surface,
since we request and then process client certificates.
ok gilles@
will end up doing a read and write of up to 7 bytes beyond the specified
length. This is effectively a non-issue since we read and write back the
same data and due to alignment it is within a page boundary.
Regardless, avoid this by removing the "special" handling for the remaining
length and allow the standard (non-chunk) code to process the remaining
bytes, which does not result in overrun.
Reported by Pascal Cuoq <cuoq at trust-in-soft.com> - thanks!
ok beck@ miod@
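The commit above describes the general shape of the bug: a routine that processes a buffer a machine word at a time and gives the partial trailing word "special" handling that still reads and writes a whole word, so up to seven bytes past the requested length are touched. The following is an added example, not the libcrypto code the commit changed; the XOR transform, the 8-byte chunk size and the canary harness are assumptions chosen to make the overrun measurable.

```c
/*
 * Added example (not from the OpenBSD tree): a buffer transform that works
 * eight bytes at a time and shows the two ways of handling the remainder.
 * The transform (XOR with a constant) and the buffer sizes are assumptions
 * chosen so the overrun is visible; they are not the code the commit fixed.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CHUNK	8
#define MAXLEN	64
#define KEY	0x5a
#define CANARY	0xaa

/* Transform one full CHUNK-byte word in place. */
static void
transform_word(uint8_t *p)
{
	size_t i;

	for (i = 0; i < CHUNK; i++)
		p[i] ^= KEY;
}

/*
 * "Special" tail handling: a partial trailing chunk is pushed through the
 * word routine anyway, so up to CHUNK-1 bytes past len are read and written.
 */
static void
transform_tail_rounded(uint8_t *buf, size_t len)
{
	size_t i = 0;

	for (; i + CHUNK <= len; i += CHUNK)
		transform_word(buf + i);
	if (i < len)
		transform_word(buf + i);	/* overruns when len % CHUNK != 0 */
}

/*
 * Fixed shape: full chunks go through the word routine and the remaining
 * bytes go through the plain byte-at-a-time path, which never leaves [0, len).
 */
static void
transform_exact(uint8_t *buf, size_t len)
{
	size_t i = 0;

	for (; i + CHUNK <= len; i += CHUNK)
		transform_word(buf + i);
	for (; i < len; i++)
		buf[i] ^= KEY;
}

/*
 * Run fn over a len-byte buffer followed by CHUNK canary bytes and return how
 * many canary bytes were modified, i.e. how far past len the routine wrote.
 * Returns -1 if len is too large for the backing array and -2 if the bytes
 * inside [0, len) were not transformed correctly.
 */
static int
count_overrun(void (*fn)(uint8_t *, size_t), size_t len)
{
	uint8_t backing[MAXLEN + CHUNK];
	int touched = 0;
	size_t i;

	if (len > MAXLEN)
		return -1;
	memset(backing, 0x11, len);
	memset(backing + len, CANARY, CHUNK);

	fn(backing, len);

	for (i = 0; i < len; i++)
		if (backing[i] != (0x11 ^ KEY))
			return -2;
	for (i = len; i < len + CHUNK; i++)
		if (backing[i] != CANARY)
			touched++;
	return touched;
}

int
main(void)
{
	size_t lens[] = { 0, 1, 8, 13, 16, 23 };
	size_t i;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("len %2zu: rounded tail writes %d byte(s) past the end, "
		    "exact tail writes %d\n", lens[i],
		    count_overrun(transform_tail_rounded, lens[i]),
		    count_overrun(transform_exact, lens[i]));
	return 0;
}
```

The canary sits inside the backing array, so the harness itself stays in bounds while showing that the rounded tail path writes `CHUNK - (len % CHUNK)` bytes past `len` whenever `len` is not a multiple of the chunk size; in the real code that region belonged to whatever happened to follow the buffer.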
for device. In sys_fcntl() the ioctl(TIOCSPGRP) is called, but the
pipe expects SIOCSPGRP. Sockets have a special case for the same
reason, so adapt the special code for pipes.
OK millert@
ok nicm@
ok nicm@
ok nicm@
ok nicm@
syslogd child calls fork(2) to delay blocked output.
OK benno@
ok djm@
ok renato@
into history (if the mouse is on, of course).
as it now must contain a proper linkback to its own state.
While here use C99 types in function definitions.
ok tedu@, deraadt@, miod@
OpenSSH requires a 2048 minimum for DH in the client and server.
input and ok sthen@
ok dtucker@, djm@
Working great but needs more testing, especially with ipv6. For now
we don't validate if one configured summary is inside another or the
presence of duplicates. Will address these issues in a future commit.
ok djm@
this can be used as an alternative to sysctl net.inet.ip.ttl, in
programs that use pledge().
ok reyk@, "Like this" deraadt@
O_WRONLY, but without O_CREAT. So freopen(3) has to be replaced
with open(2) and dup2(2).
from deraadt@
SO_RCVBUF is permitted. It may even be possible to lose the "inet" a
bit later in the code. Anyone want to test?
ok guenther tedu semarie
socket(). Without pledge, all other socket behaviours become permitted,
except this one case: connect/send* only works to *:53. In pledge mode,
a very few are further restricted. Some backwards compatibility for
the dnssocket/dnsconnect calls will remain in the tree temporarily so
that people can build through the transition.
ok tedu guenther semarie
member of the given group). This is used by some parse.y.
OK deraadt@
Our in-kernel ether-vtag has a different layout to the vr TXSTAT register.
ok sthen@
Makefile, until it switches to MI installboot, too.
it needs to "forward" SIGWINCH to subprocesses.
ok deraadt@
server_client_handle_key.
has been added to it, the syslogd privsep parent does not need
pledge "inet" anymore.
discussed with deraadt@
avoiding division by zero when deciding whether it contains 2- or 4-byte ASNs.
Refactor TCHECK calls to ensure proper coverage.
From Kevin Reay, ok canacar with wording tweak (I used "malformed" rather
than canacar's suggested "invalid size" or Kevin's original "empty").
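The commit above concerns tcpdump deciding whether a BGP AS_PATH attribute carries 2-byte or 4-byte AS numbers, and an empty attribute reaching arithmetic that divides by a length. The following is an added example, not tcpdump's print-bgp.c: it walks the segments with both widths, bounds-checks every segment header before reading it (the role TCHECK plays in tcpdump), and rejects a zero-length attribute up front. The sample attributes are constructed for the example.

```c
/*
 * Added example (not tcpdump's code): decide whether a BGP AS_PATH attribute
 * carries 2-byte or 4-byte AS numbers by walking its segments, with an
 * explicit bounds check on every segment header and an empty attribute
 * reported as malformed instead of being fed into arithmetic.  The sample
 * attributes below are constructed for the example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Walk the AS_PATH segments assuming as_size bytes per ASN.  Each segment is
 * a one-byte type, a one-byte ASN count, then count * as_size bytes of ASNs.
 * Return the total ASN count if the walk ends exactly at len, else -1.
 */
static int
as_path_walk(const uint8_t *p, size_t len, size_t as_size)
{
	size_t pos = 0;
	uint8_t count;
	int asns = 0;

	while (pos < len) {
		if (len - pos < 2)			/* header past the end */
			return -1;
		count = p[pos + 1];
		if ((len - pos - 2) / as_size < count)	/* ASNs past the end */
			return -1;
		pos += 2 + (size_t)count * as_size;
		asns += count;
	}
	return asns;
}

/*
 * Return 2 or 4 for the ASN width that makes the attribute parse exactly,
 * preferring 2 when both fit (the usual heuristic), or 0 when the attribute
 * is malformed.  A zero-length attribute is malformed: it has no segments,
 * so there is nothing to divide by and nothing to print.
 */
static int
as_path_asn_size(const uint8_t *p, size_t len)
{
	if (len == 0)
		return 0;
	if (as_path_walk(p, len, 2) >= 0)
		return 2;
	if (as_path_walk(p, len, 4) >= 0)
		return 4;
	return 0;
}

/* The idx-th ASN (0-based) of a well-formed attribute, or 0 if out of range. */
static uint32_t
as_path_asn_at(const uint8_t *p, size_t len, int idx)
{
	int as_size = as_path_asn_size(p, len);
	const uint8_t *a;
	size_t pos = 0;
	uint8_t count;

	if (as_size == 0 || idx < 0)
		return 0;
	while (pos < len) {			/* headers already validated */
		count = p[pos + 1];
		if (idx < count) {
			a = p + pos + 2 + (size_t)idx * as_size;
			if (as_size == 2)
				return (uint32_t)a[0] << 8 | a[1];
			return (uint32_t)a[0] << 24 | (uint32_t)a[1] << 16 |
			    (uint32_t)a[2] << 8 | a[3];
		}
		idx -= count;
		pos += 2 + (size_t)count * as_size;
	}
	return 0;
}

/* Constructed samples: one AS_SEQUENCE segment each. */
static const uint8_t sample_seq2[] = { 0x02, 0x02, 0x00, 0x0a, 0x00, 0x14 };
static const uint8_t sample_seq4[] = { 0x02, 0x02, 0x00, 0x01, 0xe2, 0x40,
    0x00, 0x02, 0x34, 0x56 };
static const uint8_t sample_trunc[] = { 0x02, 0x03, 0x00, 0x0a };

int
main(void)
{
	printf("seq2: asn size %d, first %u\n", as_path_asn_size(sample_seq2,
	    sizeof(sample_seq2)), as_path_asn_at(sample_seq2, sizeof(sample_seq2), 0));
	printf("seq4: asn size %d, second %u\n", as_path_asn_size(sample_seq4,
	    sizeof(sample_seq4)), as_path_asn_at(sample_seq4, sizeof(sample_seq4), 1));
	printf("empty: asn size %d (0 = malformed)\n", as_path_asn_size(sample_seq2, 0));
	printf("truncated: asn size %d (0 = malformed)\n",
	    as_path_asn_size(sample_trunc, sizeof(sample_trunc)));
	return 0;
}
```

The width test is inherently a heuristic: an attribute of 4-byte ASNs whose high halves happen to look like plausible segment headers can also walk cleanly as 2-byte, which is why the real code reads the attribute once with the chosen width rather than trusting each segment independently.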
ok renato@
memory up to this point by using sbrk(2). This is of course wildly incorrect
for any mmap-based malloc(3).
This also makes it possible to bring pledge(2) to gnu/.
comments kettenis@, ok miod@
Confirmed by markus@ with an identical diff
the following diff adds a clear view of whitelisted paths in pledge.
before, whitelisting the "/usr/local/bin" path would make only the "/usr/local/bin"
VNODE present and leave "/usr/local", "/usr", and "/" as ENOENT. It was a
somewhat odd filesystem hierarchy, and it breaks realpath(3).
with this diff, the directories that are parents of a
whitelisted directory become visible to stat(2)-related syscalls, but only
with restricted permissions: stat(2) will lie a bit, saying they are owned by
root:wheel and that their mode is --x--x--x. Note that only stat(2) is affected by this
"view", and the owner/mode aren't effectively changed: it is just a "lie".
while here, refactor pledge_namei() a bit in order to avoid multiple for-loops
over the whitelisted-path array.
ok deraadt@
ok djm@
level, validation must be separated from parsing and rewinding.
This first big step moves calling of the mdoc(7) post_*() functions
out of the parser loop into their own mdoc_validate() pass, while
using a new mdoc_state() module to make syntax tree state handling
available to both the parser loop and the validation pass.
default case only allows SOL_SOCKET SO_RCVBUF which is very common in
network-facing daemons. Many of them manage this on a socket after
dropping abilities which can get them _new_ sockets.. syslogd, bgpd,
relayd, etc etc. Other sockopts still require specific pledges.
Tested by bluhm.
- radiusd: "stdio inet"
- radiusd_radius: "stdio inet"
- radiusd_bsdauth:
- "stdio proc" for the non-privileged process
- "stdio getpw rpath proc exec" for the privileged process
- radiusctl: "stdio dns inet"
"go ahead" deraadt