Age | Commit message (Collapse) | Author |
|
|
|
|
|
be used to effectively remove filesystem access.
That being said, in spamd(8) when I pledge(2)d it the main priv process got
"stdio inet" which means there's no fs access at all so calling
chroot(2)/chdir(2) here doesn't get us any additional protection. Just remove
them.
OK deraadt@ and no objections from schwarze@
|
|
hiding the actual grotty bits in inline functions
ok mpi@
|
|
- the symbol it found, returned via the second argument
- the base offset of the the object it was found in, via the return value
- optionally: the object it was found in, returned via the last argument
Instead, return a struct with the symbol and object pointers and let the
caller get the base offset from the object's obj_base member. On at least
aarch64, amd64, mips64, powerpc, and sparc64, a two word struct like this
is passed in registers.
ok mpi@, kettenis@
|
|
ok kettenis@
|
|
ok deraadt@, kettenis@
|
|
|
|
|
|
Add an internal version of pcap_open_live that ensures bpf(4) devices
are opened read-only before locking. Neither pflogd(8) or spamlogd(8)
require write access to bpf(4). Inspired by similar solution in
OpenBSD tcpdump(8).
pflogd(8) was safe since being unveiled last year, but spamlogd(8)
was having /dev/bpf opened O_RDWR.
Issue discovered by bluhm@'s unveil(2) accounting commit.
ok deraadt@, mestre@ (thanks for testing spamlogd!)
|
|
in default, cannot get anywhere near the filesystem since its only promises are
"stdio inet". Furthermore, in blacklist mode this same codepath is not
chroot'ed but once again it gets the same pledge(2).
Therefore we can remove the BUGS section from spamd(8)'s manpage.
OK millert@ deraadt@
|
|
In 2013, I implemented the single-entry LRU cache that gets the maximal
symbol reuse from combreloc. Since then, the ld.so generic relocation
symcache has been a waste of CPU and memory with 0% hit-rate, so kill it.
ok mpi@
|
|
the change in __getcwd(2)'s return value. Fix it by switching to the
__realpath(2) syscall, eliminating the ld.so copy of realpath().
problem caught by regress and noted by bluhm@
ok deraadt@
|
|
|
|
building with clang.
ok deraadt@, visa@
|
|
ok deraadt@, visa@
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
the unveil state of running processes.
ok deraadt@
|
|
make it to disk (discussion with tedu)
|
|
|
|
follows some pointer into the middle of it. Best to keep things working
while tracking down the wonkiness.
problem noted by naddy@
|
|
|
|
topological sort order, reducing it to O(n) from O(2^n) (ouch!)
diff from Nathanael Rensen (nathanael(at)list.polymorpheus.com)
Much testing and pleading by robert@ and ajacoutot@
ok drahn@ mpi@
|
|
- put functions and data which are only used before calling the executable's
start function into their own page-aligned segments for unmapping
(only done on amd64, arm64, armv7, powerpc, and sparc64 so far)
- pass .init_array and .preinit_array functions an addition argument which
is a callback to get a structure which includes a function that frees
the boot text and data
- sometimes delay doing RELRO processing: for a shared-object marked
DF_1_INITFIRST do it after the object's .init_array, for the executable
do it after the .preinit_array
- improve test-ld.so to link against libpthread and trigger its initialization
late
libc changes to use this will come later
ok kettenis@
|
|
its statically linked ls_main for some time now.
from Jan Klemkow
ok deraadt
|
|
functions because retguard uses hard-traps instead.
ok mortimer.
|
|
Pointed out by jsg, just fix it deraadt@
|
|
anywhere and can use Elf_Word instead.
ok guenther
|
|
previously 'implemented' by having the Elf_Word typedef in <sys/exec_elf.h>
vary, but that doesn't match the spec and breaks libelf so it's gone away.
Implement the variation here by defining our own type locally for this.
ok deraadt@
|
|
on mips64. They need relocation and consequently cannot be used
in that function.
OK kettenis@
|
|
|
|
Instead of getting all filesystems with df(1), filter /usr/share/ and check
with mount(1) whether it's NFS, make df error out directly if the
filesystem type matches nfs.
OK sthen tb
|
|
based on a diff from miod@
|
|
the stubs
noted by miod@
|
|
line unless it is writable.
lld places read-only sections below the gap so this is needed
to be able to retain W^X with lld. Note however the read-only
sections below the W^X line are now executable on pre-NX
machines and a possible source of gadgets. This is a change
from Gnu ld where RO sections were ordered above the W^X line
and not executable.
okay drahn@ kettenis@ deraadt@
|
|
|
|
No functional change.
suggested by tb@; from Jan Klemkow
|
|
to avoid comparison of integers of different signs.
from Jan Klemkow; OK tb@
|
|
|
|
This fixes handling of lld-linked executables on mips64.
problem reported by visa@ and worked out with him
|
|
from Matt Dillon's implementation in DragonFlyBSD commit 7629c631.
One difference is that as long as DT_HASH is still present, ld.so
will use that to get the total number of symbols rather than walking
the GNU hash chains. Note that the GPLv2 binutils we have doesn't
support DT_GNU_HASH, so this only helps archs were lld is used.
ok kettenis@ mpi@
|
|
relocation of ld.so's GOT without using it, so _reloc_alpha_got()
merely made the call to _dl_boot_bind() from asm simpler...while
itself being a call that required special handling.
diff and muild baking by miod@
ok guenther@
|
|
ok visa@
|
|
'hung up'; some testing by Theodore Wynnychenko
|
|
__got_{start,end} to find a region to mark read-only. It was only used
for binaries that didn't have a GNU_RELRO segment, but all archs have
been using that for over a year. Since support for insecure-PLT layouts
on powerpc and alpha have been removed, all archs handle GNU_RELRO the
same way and the support can be moved from the MD code to the MI code.
ok mpi@
|
|
we're looking up?" logic from _dl_find_symbol_obj() into matched_symbol(), so
that the former is just the "iterate across the hash" logic.
matched_symbol() returns zero on "not found", one on "found strong
symbol", and negative one on "found weak symbol". The last of those lets
the caller give up on this object after finding a weak symbol, as there's
no point in continuing to search for a strong symbol in the same object.
ok mpi@
|
|
the return pointers into a structure and pass that to _dl_find_symbol_obj().
Set sl->sl_obj_out in _dl_find_symbol_obj() so that the callers don't
need to each record the object.
ok mpi@
|
|
anymore with unveil wired to /usr/bin/login. So let's parse gettytab a bit
earlier to learn which login path to unveil. Later in the loop gettytab is
re-parsed, if the login changes re-exec getty to reach the unveil from the top.
ok millert, also discussed with mestre
|
|
the default for years and ports doesn't appear to have anything patching
to use the old format.
ok deraadt@
|