Age | Commit message | Author |
|
resolvd, slaacd, unwind.
The mitigation story is way better: syscalls are in a randomly located
libc, and every syscall stub is randomly located inside that due to
random relinking. As opposed to fixed offset inside a release binary.
There is one known consequence: /usr nfs mounting must use statically
configured IP addresses.
ok kettenis florian, others
|
|
fails to report the path that the failure occurred on. Suggested by
deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
|
|
|
help/ok deraadt
|
|
|
|
Add an internal version of pcap_open_live that ensures bpf(4) devices
are opened read-only before locking. Neither pflogd(8) or spamlogd(8)
require write access to bpf(4). Inspired by similar solution in
OpenBSD tcpdump(8).
pflogd(8) was safe since being unveiled last year, but spamlogd(8)
was having /dev/bpf opened O_RDWR.
Issue discovered by bluhm@'s unveil(2) accounting commit.
ok deraadt@, mestre@ (thanks for testing spamlogd!)
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
the privileged parent cannot be pledged due to certain ioctls, but we
can use unveil(2) to lock down its access to the filesystem.
To be able to use hostnames/dns in tcpdump-like filter expressions,
we unveil /etc/{resolv.conf,hosts,services} "r", kept in sync with the
kernel bypass for pledge("dns")
Additionally, we need to unveil /dev/bpf "r" and the output log file
"rwc".
The unprivileged child is pledged "stdio recvfd" and thus does not need
any unveils.
With feedback/testing from florian@, deraadt@
ok florian@ deraadt@
|
|
suspend logging until the log file has been moved out of the way, and
we have received either SIGHUP or SIGALRM.
ok florian@ deraadt@
|
|
privileged parent.
Based on feedback from deraadt@ and bluhm@ (worked on syslogd).
ok deraadt@
|
|
the LOG_CONS flag in openlog(3). This avoids output to the console
on shutdown. Discussed with benno@ who wants to see when a daemon
stops during normal system operation.
OK brynet@
|
|
race to die, so just stop logging pflogd exits.
This logging probably comes from the fact that pflogd was largely based
on syslogd.
Removes the annoying "pflogd[23954]: Exiting" messages pointed out by
deraadt@
Also cleanup some missed SIGCHLD handling code that is no longer needed.
"LGTM" mikeb@
|
|
parent and use 'legit' fdpassing primitives to send the bpf fd to the
unprivileged child process.
Also reduces the pledge(2) promises in the unpriv child to just
"stdio recvfd"
with help from deraadt, pcap feedback from canacar
ok deraadt@
|
|
input benno, deraadt, tedu
also standardize on #if 0 since it makes tedu's editor vomit.
OK benno, pirofti on a previous version
|
|
if_exists() can't be used after dropping privileges, since it uses
socket(2) and ioctl(SIOCGIFDATA). We're just trying to know whether an
interface exists, and if_nametoindex(3) is enough for that.
ok deraadt@
|
|
least not as is
Reported by tim@, OK deraadt@ to backout the pledge for now
|
|
it also for pflogd(8)'s priv proc.
OK deraadt@
|
|
is funny, but not useful, so say .Nm Op Fl \&Dx as required.
|
|
upon "inet". Adjust the 4 programs that care about this.
|
|
ok deraadt@
|
|
Remove it completely to simplify the code.
even better deraadt@
|
|
it can ioctl()'s against a bpf device node. Privsep that operation
via a message to the parent process. Unfortunately "rpath wpath cpath"
is still needed due to SIGHUP handling, but I have asked canacar the
expert to look into this.
|
|
missed one. This diff is only a spacing change.
|
|
Aq is not the same as <> in non-ASCII situations, so this caused
incorrect output in some places. And it provided no semantics besides.
ok schwarze@
|
|
ok tedu miod
|
|
ok deraadt guenther
|
|
ok espie@ deraadt@ millert@ tedu@
|
|
ok deraadt@, henning@
|
|
|
|
ok henning@
|
|
From Jan Stary <hans at stare dot cz>.
ok jmc@
|
|
header (pointed out by matthew@). Let only pflogd and tcpdump include
pcap-int.h directly since they need it for privilege separation.
"looks good" sthen
feedback/ok deraadt matthew millert
|
|
|
|
Also fix a bug where the return value of if_exists() was not checked
correctly if the interface disappears while pflogd is running.
ok beck henning
|
|
|
|
|
|
use %zu for size_t and %d for signed ints
first one triggered by a mail from joerg @ netbsd, thanks.
ok millert dlg
|
|
From: giovanni <qgiovanni at gmail dot com>
|
|
ok sthen henning
|
|
|
|
ok jmc@ millert@ henning@ kristaps@
|
|
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.
ok jmc@
|
|
- sync actions with PF changes (pass/block/match not just pass/block,
and remove some binat/nat/rdr entries)
- list all reason codes in tcpdump(8)
ok henning jmc
|
|
|
|
|
|
use pkill(1) in /etc/newsyslog.conf instead
together with otto and suggestions from tedu
|
|
From: Dave Harrison <dave@nullcube.com>
|
|
each cmsg_len (i.e. msg_controllen = sum of CMSG_ALIGN(cmsg_len)). This
works now that kernel fd passing has been fixed to accept a bit of
sloppiness because of this ABI repair.
lots of discussion with kettenis
|
|
CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because
of alignment; ok kettenis hshoexer
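The two messages above, and the earlier one that moves the bpf open into the privileged parent and hands the descriptor to the "stdio recvfd" child, describe the same mechanism: a descriptor sent over a unix-domain socket with SCM_RIGHTS, with msg_controllen set to the exact CMSG_SPACE(sizeof(int)) and cmsg_len to CMSG_LEN(sizeof(int)) rather than the sizeof() of a possibly padded buffer. The following is an added example written for this page, not pflogd's own code. It is portable POSIX C: it uses /dev/null opened O_RDONLY as a stand-in for /dev/bpf, runs sender and receiver in one process over socketpair(2) instead of across the daemon's real fork, and the names send_fd, recv_fd and demo_pass_readonly_fd are the example's own.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Hand one descriptor to the peer on a unix-domain socket via SCM_RIGHTS.
 * The control buffer is a union so it is correctly aligned for a cmsghdr;
 * msg_controllen and cmsg_len are the exact CMSG_SPACE/CMSG_LEN values,
 * never sizeof(cmsgbuf).  Returns 0 on success, -1 on failure.
 */
int
send_fd(int sock, int fd)
{
	union {
		struct cmsghdr hdr;
		unsigned char buf[CMSG_SPACE(sizeof(int))];
	} cmsgbuf;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	struct iovec iov;
	char byte = 0;		/* at least one data byte must travel with the cmsg */

	memset(&msg, 0, sizeof(msg));
	memset(&cmsgbuf, 0, sizeof(cmsgbuf));
	iov.iov_base = &byte;
	iov.iov_len = 1;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cmsgbuf.buf;
	msg.msg_controllen = CMSG_SPACE(sizeof(int));

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/*
 * Receive one descriptor.  Rejects truncated control data and any cmsg that
 * is not exactly one SCM_RIGHTS int, so a misbehaving peer cannot slip in
 * extra descriptors unnoticed.  Returns the new fd or -1.
 */
int
recv_fd(int sock)
{
	union {
		struct cmsghdr hdr;
		unsigned char buf[CMSG_SPACE(sizeof(int))];
	} cmsgbuf;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	struct iovec iov;
	char byte;
	int fd = -1;

	memset(&msg, 0, sizeof(msg));
	iov.iov_base = &byte;
	iov.iov_len = 1;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cmsgbuf.buf;
	msg.msg_controllen = sizeof(cmsgbuf.buf);	/* receive side: capacity */

	if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
		return -1;
	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL;
	    cmsg = CMSG_NXTHDR(&msg, cmsg)) {
		if (cmsg->cmsg_level == SOL_SOCKET &&
		    cmsg->cmsg_type == SCM_RIGHTS &&
		    cmsg->cmsg_len == CMSG_LEN(sizeof(int))) {
			memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
			return fd;
		}
	}
	return -1;
}

/*
 * Privsep demo (assumption: single process, no fork).  The "parent" opens
 * path read-only, the way pflogd's parent opens /dev/bpf, and passes it to
 * the "child" end of a socketpair.  Returns the received descriptor's
 * access mode (O_RDONLY here) or -1 on any failure.
 */
int
demo_pass_readonly_fd(const char *path)
{
	int sv[2], fd, rfd, mode = -1;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return -1;
	if ((fd = open(path, O_RDONLY)) != -1) {
		if (send_fd(sv[0], fd) == 0) {
			close(fd);	/* kernel keeps the in-flight reference */
			if ((rfd = recv_fd(sv[1])) != -1) {
				mode = fcntl(rfd, F_GETFL) & O_ACCMODE;
				close(rfd);
			}
		} else
			close(fd);
	}
	close(sv[0]);
	close(sv[1]);
	return mode;
}

int
main(void)
{
	int mode = demo_pass_readonly_fd("/dev/null");

	printf("received fd access mode: %s\n",
	    mode == O_RDONLY ? "O_RDONLY" : mode == -1 ? "error" : "not read-only");
	return mode == O_RDONLY ? 0 : 1;
}
```

The child end can only ever see a read-only descriptor because the open(2) flags are fixed by the parent; a compromised child cannot upgrade them, which is the property the spamlogd(8) fix above restores by opening bpf(4) O_RDONLY before locking it.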
|
|
an extensive discussion with otto, kettenis, millert, and hshoexer
|