summaryrefslogtreecommitdiff
path: root/libexec
AgeCommit message (Collapse)Author
2019-08-09Use NULL for second gettimeofday(2) argument; ok deraadt@ kettenis@cheloha
2019-08-09Fix pointless cast: (struct timezone *)0 -> NULLcheloha
2019-08-06By now we are already confident that pledge(2) "just works(tm)" and that it canRicardo Mestre
be used to effectively remove filesystem access. That being said, in spamd(8) when I pledge(2)d it the main priv process got "stdio inet" which means there's no fs access at all so calling chroot(2)/chdir(2) here doesn't get us any additional protection. Just remove them. OK deraadt@ and no objections from schwarze@
2019-08-06Factor out TEXTREL mprotecting from the per-arch files into _dl_rtld(),Philip Guenther
hiding the actual grotty bits in inline functions ok mpi@
2019-08-04Simplify _dl_find_symbol(). Currently, it returns three values:Philip Guenther
- the symbol it found, returned via the second argument - the base offset of the the object it was found in, via the return value - optionally: the object it was found in, returned via the last argument Instead, return a struct with the symbol and object pointers and let the caller get the base offset from the object's obj_base member. On at least aarch64, amd64, mips64, powerpc, and sparc64, a two word struct like this is passed in registers. ok mpi@, kettenis@
2019-08-03The ABI says JUMP_SLOT relocations don't have an addend, so don't add it inPhilip Guenther
ok kettenis@
2019-08-03Suppress DWARF2 warnings on clang archs by building with -gdwarf-4Philip Guenther
ok deraadt@, kettenis@
2019-07-30shorten the failure message, it should not wrap a line.Theo de Raadt
2019-07-25Fix copy pasto, re-add missing goto in error path.Bryan Steele
2019-07-25Yet another workaround for crappy libpcap API designBryan Steele
Add an internal version of pcap_open_live that ensures bpf(4) devices are opened read-only before locking. Neither pflogd(8) or spamlogd(8) require write access to bpf(4). Inspired by similar solution in OpenBSD tcpdump(8). pflogd(8) was safe since being unveiled last year, but spamlogd(8) was having /dev/bpf opened O_RDWR. Issue discovered by bluhm@'s unveil(2) accounting commit. ok deraadt@, mestre@ (thanks for testing spamlogd!)
2019-07-24Ever since I introduced pledge(2) on spamd(8) the chroot'ed process, if runningRicardo Mestre
in default, cannot get anywhere near the filesystem since its only promises are "stdio inet". Furthermore, in blacklist mode this same codepath is not chroot'ed but once again it gets the same pledge(2). Therefore we can remove the BUGS section from spamd(8)'s manpage. OK millert@ deraadt@
2019-07-21In 2004, we upgraded to binutils 2.14 with did -zcombreloc by default.Philip Guenther
In 2013, I implemented the single-entry LRU cache that gets the maximal symbol reuse from combreloc. Since then, the ld.so generic relocation symcache has been a waste of CPU and memory with 0% hit-rate, so kill it. ok mpi@
2019-07-14ld.so's $ORIGIN handling when argv[0] is a relative path was broken byPhilip Guenther
the change in __getcwd(2)'s return value. Fix it by switching to the __realpath(2) syscall, eliminating the ld.so copy of realpath(). problem caught by regress and noted by bluhm@ ok deraadt@
2019-07-03snprintf/vsnprintf return < 0 on error, rather than -1.Theo de Raadt
2019-07-01Compile with -fno-jump-tables to avoid relocations in _dl_boot_bind() whenMark Kettenis
building with clang. ok deraadt@, visa@
2019-07-01Remove stray comma.Mark Kettenis
ok deraadt@, visa@
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-06-23Explicitly lock unveil. Noticed when testing the recent ps(1) commit exposingrob
the unveil state of running processes. ok deraadt@
2019-06-20after installing new kernel, do a sync(8) to encourage lazy buffers toTheo de Raadt
make it to disk (discussion with tedu)
2019-06-07make gc workaround compile on non-clangTheo de Raadt
2019-06-04Disable the unmapping of ld.so's boot data for now, as boehm-gc apparentlyPhilip Guenther
follows some pointer into the middle of it. Best to keep things working while tracking down the wonkiness. problem noted by naddy@
2019-05-12Indentation fixPhilip Guenther
2019-05-11Prune visited leaves when walking dependencies to call init functions inPhilip Guenther
topological sort order, reducing it to O(n) from O(2^n) (ouch!) diff from Nathanael Rensen (nathanael(at)list.polymorpheus.com) Much testing and pleading by robert@ and ajacoutot@ ok drahn@ mpi@
2019-05-10ld.so boot cleanup support:Philip Guenther
- put functions and data which are only used before calling the executable's start function into their own page-aligned segments for unmapping (only done on amd64, arm64, armv7, powerpc, and sparc64 so far) - pass .init_array and .preinit_array functions an addition argument which is a callback to get a structure which includes a function that frees the boot text and data - sometimes delay doing RELRO processing: for a shared-object marked DF_1_INITFIRST do it after the object's .init_array, for the executable do it after the .preinit_array - improve test-ld.so to link against libpthread and trigger its initialization late libc changes to use this will come later ok kettenis@
2019-05-08rm dead code and simplify ftpd_popen. this code has only calledTed Unangst
its statically linked ls_main for some time now. from Jan Klemkow ok deraadt
2019-05-08On retguard systems, remove the ld.so-local stack-protector handlingTheo de Raadt
functions because retguard uses hard-traps instead. ok mortimer.
2019-05-01Pull tname initialization up since it's used in an error path.Florian Obser
Pointed out by jsg, just fix it deraadt@
2019-04-21Now that all Elf_foo types are correct, we don't need to use Elf32_WordTheo de Raadt
anywhere and can use Elf_Word instead. ok guenther
2019-04-21On alpha, the buckets of DT_HASH are 8 bytes instead of 4 bytes. This wasPhilip Guenther
previously 'implemented' by having the Elf_Word typedef in <sys/exec_elf.h> vary, but that doesn't match the spec and breaks libelf so it's gone away. Implement the variation here by defining our own type locally for this. ok deraadt@
2019-04-19Prevent clang from using builtins and jump tables in _dl_boot_bind()Visa Hankala
on mips64. They need relocation and consequently cannot be used in that function. OK kettenis@
2019-02-14spelling/consistency fix; from nam nguyenJason McIntyre
2019-02-10Simplify NFS checkkn
Instead of getting all filesystems with df(1), filter /usr/share/ and check with mount(1) whether it's NFS, make df error out directly if the filesystem type matches nfs. OK sthen tb
2019-02-03_dl_cerror is trivial on powerpc; just inline the handling into the stubsPhilip Guenther
based on a diff from miod@
2019-02-03_dl_cerror is trivial on alpha and m88k; just inline the hanlding intoPhilip Guenther
the stubs noted by miod@
2019-01-25On i386, ensure that the first PT_LOAD segment is below the W^XKurt Miller
line unless it is writable. lld places read-only sections below the gap so this is needed to be able to retain W^X with lld. Note however the read-only sections below the W^X line are now executable on pre-NX machines and a possible source of gadgets. This is a change from Gnu ld where RO sections were ordered above the W^X line and not executable. okay drahn@ kettenis@ deraadt@
2019-01-25I am retiring my old email address; replace it with my OpenBSD one.Todd C. Miller
2018-12-11Flip snprintf(3) error check to align it with the man page example.Alexander Bluhm
No functional change. suggested by tb@; from Jan Klemkow
2018-12-11Convert some variables with non-negative values to unsigned typeAlexander Bluhm
to avoid comparison of integers of different signs. from Jan Klemkow; OK tb@
2018-12-05Delete an unused struct member that has hid out here for 17 yearsPhilip Guenther
2018-12-03DT_MIPS_RLD_MAP is an offset, so relocate it when present.Philip Guenther
This fixes handling of lld-linked executables on mips64. problem reported by visa@ and worked out with him
2018-11-28Implement support for DT_GNU_HASH, taking all the interesting bitsPhilip Guenther
from Matt Dillon's implementation in DragonFlyBSD commit 7629c631. One difference is that as long as DT_HASH is still present, ld.so will use that to get the total number of symbols rather than walking the GNU hash chains. Note that the GPLv2 binutils we have doesn't support DT_GNU_HASH, so this only helps archs were lld is used. ok kettenis@ mpi@
2018-11-22Make alpha less special: _dl_boot_bind() is written to completePhilip Guenther
relocation of ld.so's GOT without using it, so _reloc_alpha_got() merely made the call to _dl_boot_bind() from asm simpler...while itself being a call that required special handling. diff and muild baking by miod@ ok guenther@
2018-11-20On mips64, DT_DEBUG doesn't need mprotecting if it's in the GNU_RELRO segmentPhilip Guenther
ok visa@
2018-11-17need to closefrom(0) before execve(), otherwise tty isn't properlyTheo de Raadt
'hung up'; some testing by Theodore Wynnychenko
2018-11-16Finish ld.so's transition to GNU_RELRO: eliminate support for usingPhilip Guenther
__got_{start,end} to find a region to mark read-only. It was only used for binaries that didn't have a GNU_RELRO segment, but all archs have been using that for over a year. Since support for insecure-PLT layouts on powerpc and alpha have been removed, all archs handle GNU_RELRO the same way and the support can be moved from the MD code to the MI code. ok mpi@
2018-11-16Borrow an idea from DragonFly BSD: factor out the "does this symbol match whatPhilip Guenther
we're looking up?" logic from _dl_find_symbol_obj() into matched_symbol(), so that the former is just the "iterate across the hash" logic. matched_symbol() returns zero on "not found", one on "found strong symbol", and negative one on "found weak symbol". The last of those lets the caller give up on this object after finding a weak symbol, as there's no point in continuing to search for a strong symbol in the same object. ok mpi@
2018-11-15Put all the symbol lookup parameters (except the object being searched) andPhilip Guenther
the return pointers into a structure and pass that to _dl_find_symbol_obj(). Set sl->sl_obj_out in _dl_find_symbol_obj() so that the callers don't need to each record the object. ok mpi@
2018-11-15Theodore Wynnychenko discovered the gettytab "lo=path" feature didn't workTheo de Raadt
anymore with unveil wired to /usr/bin/login. So let's parse gettytab a bit earlier to learn which login path to unveil. Later in the loop gettytab is re-parsed, if the login changes re-exec getty to reach the unveil from the top. ok millert, also discussed with mestre
2018-11-12Delete support for non-secureplt binaries. The secure PLT format has beenPhilip Guenther
the default for years and ports doesn't appear to have anything patching to use the old format. ok deraadt@