Age | Commit message (Collapse) | Author |
|
ok semarie
|
|
off with tame "stdio rpath". Once the (optional) file is opened, a
further drop down to tame "stdio" works.
|
|
|
|
|
|
|
|
|
|
setuid/setgid bits.
|
|
|
|
tame "stdio rpath" works, right before calling getopt()
|
|
noticed by miod@
ok visa@
|
|
/bin/ed. This is RETARDED. Nothing learned from the last year?
Add tame "proc" until that is fixed, to allow fork+exec.
I beg for someone to cross-link the guts of ed directly into patch, or
write a ed-subset which can do the job.
|
|
MD installboot was moved to the attic. Put it into boot_sparc64(8),
which still pointed readers at installboot(8) for this information.
With some markup tweaks from schwarze@
|
|
- Replace arc4random with arc4random_uniform.
- Replace memset with explicit_bzero.
OK millert@
|
|
|
|
this program and see it does uname(3) and stdio printf. uname(3) is
backed by a cluster of sysctl() reads, all permitted by the kernel
in tame_sysctl_check()
|
|
Input deraadt@
Bug fix & OK benno@
|
|
|
|
ok jca@
|
|
let's not suggest provoking races, and use the -m option of mkdir(1).
ok guenther@, "don't care" deraadt@ :)
|
|
This one should be an unsigned long in theory, but the formatter function
argument we're printing from is already an int (being cast from register_t
at the formatter call time). So let's fix one bug at a time.
authoritative okay from guenther@
|
|
interface whose tunnel destination corresponded to the incoming packets'
source address.
ok reyk
|
|
Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.
This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!
ok jsing@, beck@
|
|
computation, and outputs the result to stdout. (note: in the tame model,
malloc is implicit because stdio needs it, and mmap is implicit since
malloc needs it; libz is satisfied by this environment also).
this tame change consists of 1 line, setting "stdio rpath" before
getopt. this protection is fairly strict. grep could be improved
further by computing a wpathlist based on argv, keeping -R in mind.
feel free to take a shot at it.
grep was an early target of capsicum also. know anyone running capsicum grep?
ok doug
|
|
it might seem we can hoist the open above tame and then drop "rpath",
but guenther found getprotobynumber can be called much later.
ok guenther
|
|
tame "stdio proc" satisfies it.
ok doug
|
|
chown codepath obviously cannot use tame -- once tame is activated
the kernel prohibits changing uid/gid on a fd/file.
ok guenther
|
|
system behaviours such as forking, execve, sockets, etc.
in theory this could be extended by parsing the arguments first, and creating
the whitepathlist. the pathlist probably needs to be directory-oriented,
rather than exact path of files, because a gzip file may specify the
filename it wants (and that won't be available until it is opened, and
partially parsed). anyone want to give this a try?
gzip was an early goal for capsicum. who is running a capsicum gzip?
|
|
http://marc.info/?l=openssl-dev&m=144374015404899&w=2
ok doug
|
|
|
|
-h has handled write/creating a file, we can drop to tame "stdio rpath"
since md5 will only read files after that.
i believe i involved lteo for this.
|
|
there is that pesky usage message... We could tame "something" in the
non-usage codepath.. but pop quiz, anyone know what happens after main
returns or if exit(3) is called? atexit completion.. our atexit is
very paranoid with structure management and uses mprotect. So current
minimum a normal program needs is tame "malloc".
tame "stdio" done before the usage codepath splits is just as good;
tame placement before getopt provides a strong hint about program
behaviour.
I am still hoping someone comes up with a nice solution for atexit,
or a nice tame subset between "" (pure computation) and "malloc".
Ideas have been floated to expose "self", but it lacks mprotect also,
and should continue to lack it (see the ssh tame sandbox).
|
|
that's the case after kernel code got fixed to handle inet6 for dns...
|
|
since that is all it will do till termination.
|
|
discussed it at length with djm -- i think it is time to give this a
trial in snapshots.
|
|
in case of exploitation, no more network access, fork, execve, etc.
I wonder if we could use whitepath lists here - if it is reasonable to
limit operation in directories known early on?
|
|
the function to do that is called a number of times, but as needed.
hoist it upwards into initialization, then tame "stdio dns inet" is
possible in most code paths. (there may be further work to do here here)
i believe florian helped me with this.
|
|
we can tame it substantially with "stdio inet", plus "dns" if the -n option
is missing. a successful exploit against it then cannot create files, or
perform a variety of other operations, as described in the tame(2) man page.
florian helped me a fair bit hoisting initialization code upwards in ping,
ping6, and traceroute, to make tame work here.
|
|
can tame "stdio rpath wpath cpath"; all three path abilities are needed
for it to setup the right files (worst case spotted by sthen). later
once the files are opened, the program is only looking at strings and
outputting via stdio functions, so we can tame "stdio".
|
|
tame "stdio" since all it does is move data back and forth, while the master
process needs "stdio ioctl" to use TCSAFLUSH at the very end. TCSAFLUSH is
included in the kernel's rather restrictive ioctl feature lists made
available with the "ioctl" ability.
|
|
still runs fingerd? not many places, it took a while to find a server)
tame "stdio getpw rpath inet" is possible early on, then later when
the network lookups list is consumed, tame "stdio getpw rpath"
|
|
it does not need to open any files, so we can tame with "stdio dns inet".
i think florian and i did this about 2 months ago.
|
|
talk to stdio. tame "stdio" is a no-brainer.
reviewed a while ago by doug
|
|
the AML tables. (If this offends you, feel free to submit a diff
with a better extraction mechanism).
After hoisting the /dev/mem-opening code earlier, we can tame this
nasty program with "stdio wpath cpath".
|
|
access in case it is exploited. tame with "stdio wpath rpath cpath"
seems to cover all usage cases, except -i performs a fchmod() on the
in-place file, so conditionally also needs "fattr".
ok sthen
|
|
substantially with "stdio inet", plus "dns" if the -n option is missing.
a successful exploit against it then cannot create files, or perform a
variety of other operations, as described in the tame(2) man page.
ping6 is a bit trickier than ping, because it uses recvmsg() with CMSG
types of IPV6_HOPOPTS, IPV6_DSTOPTS, IPV6_RTHDRDSTOPTS, IPV6_RTHDR.
there is further work to do in the kernel, with claudio!
work with florian a while back, which involved hoisting lots of initialization
code upwards.
ok doug
|
|
the packet processor pid is initialized on a socketpair, and then only
does byte analysis. it can be protected using a "stdio" tame request.
a successful attack against it will find it cannot open files nor
sockets, and faces various other limitations described in the tame(2)
manual page.
the monitor process can be restricted to "malloc cmsg inet ioctl dns rpath".
that sounds like a large subset, but notice it cannot create or write files.
maybe this set can be whittled down by hoisting more initialization code
upwards?
with help from canacar a while back.
|
|
substantially with "stdio inet", plus "dns" if the -n option is missing.
a successful exploit against it then cannot create files, or perform a
variety of other operations, as described in the tame(2) man page.
work with florian a while back
ok doug
|
|
with Curve448). And we already support it. Mention it here to update
the Id when it was assigned by IANA.
|
|
discussed with otto
|
|
can I figure out why I added this in the past...
|