Age | Commit message | Author |
|
|
|
The mode can now be or-ed with SINGLE_DEEP or SINGLE_NOWAIT to alter
the behaviour of single_thread_set(). This allows explicit control
of the SINGLE_DEEP behaviour.
If SINGLE_DEEP is set the deep flag is passed to the initial check call
and by that the check will error out instead of suspending (SINGLE_UNWIND)
or exiting (SINGLE_EXIT). The SINGLE_DEEP flag is required in calls to
single_thread_set() outside of userret. E.g. at the start of sys_execve
because the proc is not allowed to call exit1() in that location.
SINGLE_NOWAIT skips the wait at the end of single_thread_set() and therefore
returns BEFORE all threads have been parked. Currently this is only used by
the ptrace code and should not be used anywhere else. Not waiting for all
threads to settle is asking for trouble.
This solves an issue by using SINGLE_UNWIND in the coredump case where
the code should actually exit in case another thread crashed moments earlier.
Also the SINGLE_UNWIND in pledge_fail() is now marked SINGLE_DEEP since
the call to pledge_fail() is for sure not at the kernel boundary.
OK mpi@
|
|
SINGLE_UNWIND unwinds to the kernel boundary. On the other hand
SINGLE_SUSPEND will sleep inside tsleep(9) and other sleep functions.
Since the code will exit1() very soon after it is better to already unwind.
Now one could argue that for coredumps all threads should stop asap to
get a clean dump. Using SINGLE_UNWIND the sleep will fail with ERESTART
and no copyout should happen in that case.
This is a bit of a workaround since SINGLE_SUSPEND has a small race
where single_thread_wait() returns before all threads are really stopped.
When SINGLE_EXIT is called quickly after this, it can blow up inside
sleep_finish.
Reported-by: syzbot+3ef066fcfaf991f2ac2c@syzkaller.appspotmail.com
OK mpi@ kettenis@
|
|
kqueue1() takes the flags argument. This lets the kqueue file descriptor
be opened with O_CLOEXEC. Adapted from NetBSD.
OK guenther@
|
|
Currently, pledged '-pg' binaries get killed in _mcleanup() when they
try to disable profil(2) via moncontrol(3).
Disabling profil(2) is harmless. Add profil(2) to the "stdio"
pledge(2) promise and permit profil(2) calls when the scale argument
is zero. Enabling profil(2) remains forbidden in pledged processes.
This gets us one step closer to making '-pg' binaries compatible with
pledge(2). The next step is to decide how to exfiltrate the profiling
data from the process during _mcleanup().
Prompted by semarie@. Cleaned up by deraadt@. With input from
deraadt@, espie@, and semarie@.
"Looks good" deraadt@
pledge(2) pieces ok semarie@
|
|
non-trivial new information or code-paths over wait4(), include
it in pledge("stdio")
discussed with deraadt@
|
|
execpromises, as noted by regress/sys/kern/pledge/execpromise.
sure deraadt@
|
|
time to delete the backwards compat padded functions in the kernel.
|
|
exposed in a new field returned by sysctl(KERN_PROC). Update
pthread_{get,set}_name_np(3) to use the syscalls. Show them, when
set, in ps -H and top -H output.
libc and libpthread minor bumps
ok mpi@, mvs@, deraadt@
|
|
|
|
|
|
|
|
Also allow IPPROTO_TCP:TCP_NODELAY
It is very small kernel code, and will allow some software to drop "inet"
requested by djm
|
|
ok deraadt@
|
|
memory mappings so they cannot be changed by a later mmap(), mprotect(),
or munmap(), which will error with EPERM instead.
ok kettenis
|
|
counterparts. Input deraadt.
ok bluhm
|
|
ok mpi@ miod@
|
|
TCP_INFO provides a lot of information about the TCP session of this socket.
Many processes like to peek at the rtt of a connection, but this also provides
a lot more specialised info for use by e.g. tcpbench(1).
While the basic minimal info is available all the time, the more specific
data is only populated for privileged processes. This is done to not share
data back to userland that may allow an attack on a session.
TCP_INFO is available to pledge "inet" since pledged processes like chrome
tend to use TCP_INFO when available.
OK bluhm@
|
|
on libc trying to open /var/run/ypbind.lock, so pledge had to BYPASSUNVEIL
accesses to this file. We accepted the opening of that file for a small
period for build cross-over, but that waiting period ends now.
|
|
to the padded syscalls going away.
|
|
Those are the read-only operations allowed for non-root users:
SWAP_NSWAP and SWAP_STATS. Users of pledge("vminfo") in base which also
call swapctl(2) with said commands: top(1) and pstat(8).
No regression spotted with top(1) and pstat(8) -s/-T.
ok deraadt@
|
|
/var/run/ypbind.lock. "getpw" now only allows ypconnect(2) and the minimum
unveil bypasses.
Still allow open/access to the file for a little while, because getpwent/getgrent/etc
were opening it unconditionally to hint for YPACTIVE.
That code should be deleted before 7.2
|
|
new libc.
|
|
no longer accesses /var/run/ypbind.lock to trigger extra permissions
for userland-opening of files & sockets to engage with ypserver for YP/LDAP
lookups. libc now uses the super secret special ypconnect() system call
to perform socket-setup.
Delete some other things which are no longer reached via libc/rpc
ok jmatthew, miod
|
|
Annotate two blocks relating to ypbind.lock that will be deleted once libc
switches over to the new mechanism.
|
|
This will be used for sysconf(3) and getconf(1) to handle _POSIX_IPV6
without opening a socket.
OK sthen@ deraadt@
|
|
Protect the ps_pledge/ps_execpledge fields with ps_mtx. Shuffle the
code to call unveil_destroy() outside the critical section. Only writes
to those fields are protected. Since we may only remove bits from those
fields, garbage values should do no harm even when a read crosses
a write on 32-bit systems.
Input claudio@ kettenis@ deraadt@, ok deraadt@
|
|
This prevents the compiler from reloading a possibly different value
from memory. Even if it doesn't matter in this code it's just better
practice. Discussed with kettenis@ and deraadt@, ok deraadt@
|
|
chromium loads vulkan when going to chrome://gpu
anv, the Intel vulkan driver in Mesa, uses HW_USERMEM64
ok sthen@ deraadt@
|
|
libcrypto can access this sysctl on arm64 without restrictions to determine
cpu features
ok deraadt@, kettenis@
|
|
ok deraadt
|
|
ok deraadt
|
|
descriptors for explicit fencing
tested with libdrm's amdgpu_test syncobj timeline tests and vkcube on
intel broadwell with Mesa 21.3 (which hangs without sync file support
after the 'anv: Assume syncobj support' Mesa commit)
feedback and ok visa@
|
|
Switch libc and ld.so to the generic stubs for these calls.
WARNING: reboot to updated kernel before installing libc or ld.so!
Time for a story...
When gcc (back in 1.x days) first implemented long long, it didn't (always)
pass 64bit arguments in 'aligned' registers/stack slots, with the result that
argument offsets didn't match structure offsets. This affected the nine system
calls that pass off_t arguments:
ftruncate lseek mmap mquery pread preadv pwrite pwritev truncate
To avoid having to do custom ASM wrappers for those, BSD put an explicit pad
argument in so that the off_t argument would always start on an even slot and
thus be naturally aligned. Thus those odd wrappers in lib/libc/sys/ that use
__syscall() and pass an extra '0' argument.
The ABIs for different CPUs eventually settled how things should be passed on
each and gcc 2.x followed them. The only arch now where it helps is landisk,
which needs to skip the last argument register if it would be the first half of
a 64bit argument. So: add new syscalls without the pad argument and on landisk
do that skipping directly in the syscall handler in the kernel. Keep compat
support for the existing syscalls long enough for the transition.
ok deraadt@
|
|
which checks PLEDGE_* bits more than once. Some functions are called without
locking, and this avoids misinterpreting bits which have some coupled behaviour.
ok cheloha kettenis
|
|
ok deraadt@ kettenis@
|
|
ok matthieu@, deraadt@, jsg@
|
|
remove two leftover checks which were used when ni_unveil was used with UNVEIL_INSPECT.
it was used by:
- readlink(2) - removed 2019-08-31
- stat(2) and access(2) - removed 2019-03-24
ok claudio@
|
|
(delayed action) sigabort() and disabling all syscalls for this process
(i.e. all threads). This resulted in multiple threads crashing over top
of themselves, and a poor debugging experience. We keep using sigabort()
rather than sigexit(), to keep the debugging process good.
Diagnosed from a report from brynet, and followup discussion with many.
|
|
allowed when inet was used.
This lets Go programs use 'unix' without also including 'inet'.
from Josh Rickmar
ok / tree review from deraadt@, commit message cluestick from tb@
|
|
to allow setting and removing IPv4 addresses.
Needed for future iked(8) improvements.
Discussed with sthen@ and florian@
ok bluhm@ deraadt@
|
|
message "wroute" into dmesg. Since revision 1.263 pledge "wroute"
allows changing the routing table of a socket.
OK florian@ semarie@
|
|
moved option control into a sysctl.
reminder that we can delete this from benjamin baier
|
|
Based/previous work on an idea from deraadt@
Input from claudio@, djm@, deraadt@, sthen@
OK deraadt@
|
|
ok claudio@
|
|
Fixes previous. Problem spotted by kettenis@
|
|
in pledged programs that is unfortunate. My snark levels are a bit drained,
but I must say I'm always disappointed when programs operating on virtual
resources enquire about total physical resource availability; the only
reason to ask is so they can act unfairly relative to others in the shared
environment. SIGH.
|
|
by slaacd(8).
"wroute" allows changes to the routing table so this is a good fit.
Nothing else in base is affected by this. dhclient might use
the wroute pledge in the future and might also want SO_RTABLE in a
more distant future.
OK deraadt
|
|
OK deraadt@
|
|
process.
ok bluhm@ claudio@ visa@
|