Age  Commit message  [Author]
2015-10-18  sync  [Theo de Raadt]
2015-10-18  Add two new system calls: dnssocket() and dnsconnect(). This creates a SS_DNS tagged socket which has limited functionality (for example, you cannot accept on them...) The libc resolver will switch to using these, therefore pledge can identify a DNS transaction better. ok tedu guenther kettenis beck and others  [Theo de Raadt]
2015-10-17  naddy asks me if __tfork should be allowed by "proc". yes! We may need a better semantic later ("thread"?), but this allows progress, and people can report their experiences.  [Theo de Raadt]
2015-10-17  connect() to an AF_UNIX socket is really read/write, so tell pledge this is a RPATH|WPATH operation. Discussed with doug and millert  [Theo de Raadt]
2015-10-17  Allow the nasty ioctl TIOCSTI in "tty", but also require the "proc" permission. For now, we'll tighten it down further later.  [Theo de Raadt]
2015-10-17  better wording in a comment  [Theo de Raadt]
2015-10-17  Unify TIOCGPGRP/TIOCGWINSZ/TIOCGWINSZ behaviour regarding ENOTTY return. (both "tty" and "ioctl" allow these; they should behave the same)  [Theo de Raadt]
2015-10-17  Allow TIOCSCTTY on tty devices, if the pledge says "tty id" worked out with nicm  [Theo de Raadt]
2015-10-17  whitespace  [Theo de Raadt]
2015-10-17  Rename SYSEXIT() to SYSCALL_END() for consistency with most other archs. No change in resulting object files ok millert@  [Philip Guenther]
2015-10-17  mailaddr_match() allows comparing two struct mailaddr taking into account catchall and +-tags ok millert@ and jung@ for util.c  [Gilles Chehade]
2015-10-17  Move the last of the __DBINTERFACE_PRIVATE bits from <db.h> to libc's wrapper and eliminate the now superfluous -D option ok kettenis@ millert@  [Philip Guenther]
2015-10-17  Fix the code that sets up the MCH BAR on systems where the (buggy) BIOS doesn't do this for us. The code was poking registers on the wrong PCI device. We were just lucky that it worked on most systems. This should fix machines such as the Asus EeePC 701 and get rid of the error: [drm:pid0:i915_gem_detect_bit_6_swizzle] *ERROR* Couldn't read from MC HBAR. Disabling tiling. messages on that machine.  [Mark Kettenis]
2015-10-17  Tighten pledge: We only write to stdio and never to any files if in cat mode (-c, zcat), or in test mode (-t), or if there are no file arguments and there is no -o outfile. Due to fts(3) we require rpath even for compress <in >out. "seems sound" deraadt@  [Christian Weisgerber]
2015-10-17  Spell all "unexpected mode %u" panics in lower case, not just one of them.  [Stefan Sperling]
2015-10-17  remove some unnecessary macros; from michael reed  [Jason McIntyre]
2015-10-17  add missing underscore; from theo buehler  [Jason McIntyre]
2015-10-17  Fix build with IFMEDIA_DEBUG defined; ok sthen@  [Stefan Sperling]
2015-10-17  PROTO_NORMAL for pledge(); ok guenther  [Theo de Raadt]
2015-10-17  login_token needs pledge "flock" now. OK millert@  [Alexander Bluhm]
2015-10-17  makemap should strip initial and trailing whitespaces using strip() ok millert@, ok jung@  [Gilles Chehade]
2015-10-17  document handling of comments in makemap ok millert@, ok sunil@, ok jung@  [Gilles Chehade]
2015-10-17  Drop two useless defines. ok nicm@  [mmcc]
2015-10-17  Add pledge "stdio unix sendfd proc exec tty" to tmux client process, "sendfd" is dropped after first message from the server.  [Nicholas Marriott]
2015-10-17  Move a system header include from the global header (sh.h) into the files that need it. No binary change. "This looks fine" -nicm@  [mmcc]
2015-10-17  both of these are deprecated  [Gilles Chehade]
2015-10-17  Convert some fgetln to getline. tested and ok gilles@  [Sunil Nimmagadda]
2015-10-17  Cleanup and simplify LMTP code. Ok millert@ gilles@  [Sunil Nimmagadda]
2015-10-17  LMTP delivery requires "inet unix". Ok millert@ gilles@  [Sunil Nimmagadda]
2015-10-17  make usage() less horrible  [Florian Obser]
2015-10-17  Exit if a pledge call fails in non-interactive mode. ok semarie@  [Doug Hogan]
2015-10-17  Pledge; OK millert@ tobias@  [Tim van der Molen]
2015-10-17  this file is deprecated  [Gilles Chehade]
2015-10-17  Change allocarray() to areallocarray(), a full reallocarray clone. All the logic is already in aresize(). "Sure" nicm@  [mmcc]
2015-10-17  remove unused variables  [Gilles Chehade]
2015-10-17  Copy alloc()'s overflow check to aresize(). Suggested by nicm@.  [mmcc]
2015-10-17  NUMBOOT is dead! Nuke the variables and abstractions that were used to build boot blocks. ok miod@  [Kenneth R Westerback]
2015-10-17  Implement -w maxwait now that the -w flag is free in ping6. Same behaviour as ping(8).  [Florian Obser]
2015-10-17  Do not accept fds on the control socket; including the restricted socket. OK gilles@ eric@  [Reyk Floeter]
2015-10-17  move -V option before -v and remove one spurious newline, now in sync with ping. No object change.  [Florian Obser]
2015-10-17  KNF  [Gilles Chehade]
2015-10-17  our strip() function should use isspace() ok jung@, ok millert@  [Gilles Chehade]
2015-10-17  Remove left over -N and -w. Adapt wording for the link local example. Pointed out by, input & OK jmc  [Florian Obser]
2015-10-17  Tighten up snmpd's control socket: do not allow users to terminate the daemon by sending corrupted imsgs to snmpd. This is especially important for the optional world-writeable restricted socket that is used for AgentX. In particular, don't fatal() in the daemon when imsg size checks on control messages fail, do stricter validation of expected messages (even assert zero-length imsgs), don't continue and close the control socket on suspicious input, print a debug log message on error. OK gilles@ "the rationale behind it is quite clear"  [Reyk Floeter]
2015-10-17  Cleanup a bit. OK krw@ halex@  [Robert Peichaer]
2015-10-17  add "tty" for several subcommands of openssl it is needed in order to let libssl UI_* functions play with echo on/off when asking for password on terminal. passwd subcommand needs additional "wpath cpath" in order to let it call fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC). problem reported by several with and ok doug@  [Sebastien Marie]
2015-10-17  The file(1) magic-parsing process was using pledge "stdio getpw proc recvfd" early on, then a set of getpwnam/setresuid/... before quickly dropping to "stdio recvfd". It receives fd's and runs the magic code on them in a chroot'd "stdio" jail. We can do better than that. Before the recent change, "proc" contained both the concepts of "forking" and "setuid". "id" is now split out as a separate request, and it is exactly what this process needs momentarily. So this loses another window of opportunity, in case we have a major bug in .... hmm, it'd have to be in getpwnam.... ok tedu doug semarie gilles  [Theo de Raadt]
2015-10-17  smtpd starts rather robustly with a gigantic pledge request group (keep in mind that a gigantic group is already < ~50% of POSIX). It then grinds these down bit by bit as it sets up privsep for the various processes. At startup, smtpd will need the new "id" request as well. ok gilles tedu  [Theo de Raadt]
2015-10-17  Add pledge "id" support. This request permits setuid/seteuid/setresuid, setgid/setegid/setresgid, setgroups, setlogin, and setpriority. setrlimit and getpriority are also allowed (they are also in "proc") some of these were previously permitted in "proc" but have been removed. this separation is intentional. "proc" is intended for reasoning about the relationship of a process "with other processes", whereas "id" deals with the powerful/dangerous concept of unix ids. "id" will see some action very soon. ok gilles tedu semarie doug  [Theo de Raadt]
2015-10-17  route6d pledges to use only "stdio rpath wpath cpath inet route mcast" ok deraadt@  [Jeremie Courreges-Anglas]