Age | Commit message | Author
|
Changes the way printf debug is done in kern_unveil.c
Currently, each printf() is enclosed in #ifdef DEBUG_UNVEIL. It moves
to using DPRINTF(), and reduces the number of #ifdef inside the file.
Also changes some strings to use __func__ instead of using the
function name verbatim.
ok visa@
|
|
unveil(2). It is not set for nodes that are added as a result of a file
being added via unveil(2). Use this flag to test if backtracking should
be done or not. Also introduce UNVEIL_MASK which checks if any user flags
are set and is used to properly return EACCES vs ENOENT.
This fixes a problem where unveil("/", "r") & unveil("/usr/bin/id", "rx")
cause an error when read accessing "/usr/bin". It also makes sure that
unveil(path, "") will return ENOENT for any access of anything under path.
Reported by and OK semarie@
|
|
|
|
possible violation during the traversal of the path do the check at the
end. Make the code a bit easier to grok.
OK beck@ semarie@
|
|
parent just called unveil(NULL, NULL) and nothing else.
With and OK beck@
|
|
pass in the vnode to unveil_start_relative() like it is done for *at()
syscalls. This fixes an issue with fchdir() that actually did not correctly
reset this pointer when changing the working directory.
OK beck@
|
|
OK semarie@
|
|
These traversed vnodes are a leftover from early times where realpath(3)
was still all done in userland.
OK semarie@
|
|
This helps unveil_add_vnode() to properly re-evaluate unveils when
"/" is added to the list.
Because of this adjust unveil_covered() to check for the root as well
so that in that case the unveil uv is returned instead of NULL. Traversing
up from the root returns the root. This check is not really needed since
namei has its own root check and shortcuts for root vnodes.
OK semarie@
|
|
return early for simple conditions instead of navigating inside
if-branches.
with and ok claudio@
|
|
place the wrong index is used resulting in re-evaluating all unveil nodes.
Also loop over all but the last (just added vnode) -- again there is
no need to re-evaluate the cover of the just added unveil.
OK anton@ semarie@
|
|
unveil_lookup() is now doing a dumb linear search. The problem with the
uvshrink logic was that ps_uvpcwd was a pointer into this array and after
compaction it pointed to the wrong element. Also future unveil caches would
suffer from the same issue.
OK semarie@
|
|
remove two leftover checks which were used when ni_unveil was used with UNVEIL_INSPECT.
it was used by:
- readlink(2) - removed 2019-08-31
- stat(2) and access(2) - removed 2019-03-24
ok claudio@
|
|
ok gnezdo@ semarie@ mpi@
|
|
|
|
Requested by mpi@
|
|
implementation file. Pushing the assignment of ps_uvpcwd down to
unveil_add() is required but it doesn't introduce any functional change.
ok mpi@ semarie@
|
|
ok tedu
|
|
take a struct proc* instead of a struct process*, and vice versa making
unveil_lookup() take a process* instead of a proc*.
ok beck@
|
|
to the corresponding red-black tree; meaning the path was not already
present in the tree. This prevents an assertion to trigger in
unveil_destroy() later on when the process exits.
ok beck@
Reported-by: syzbot+db66362e1ffdc72e5aeb@syzkaller.appspotmail.com
|
|
Issue spotted by Benjamin Baier <programmer@netzbasis.de> with relative
path lookups from openat(2). Lacking a current working directory unveil,
operations using the *at functions could fail when not crossing an unveil,
since an initial covering unveil was not found.
This corrects this so we walk up from the directory vnode to find a
covering unveil at the start of non-AT_FDCWD lookups, and adds regress
for this case.
ok bluhm@
|
|
|
|
files into the common namei.h header.
OK deraadt@
|
|
case even if *vpp == vdp. So in unveil_find_cover() it is wrong
to skip dereferencing if parent == vp. This fixes an umount(8)
device busy error when unveil(2) and chroot(2) are used together
on a file system.
reported by Matthias Pitzl; OK deraadt@
|
|
|
|
that are hidden by unveil(2).
OK deraadt@
|
|
parent's during fork()
witness reports from ajacoutot@ and Hrvoje Popovski (hrvoje (at) srce.hr)
ok visa@
|
|
it actually isn't reached...
|
|
added aggressively today. Hopefully post release a glorious
flensing will remove UNVEIL_INSPECT anyway
Reported-by: syzbot+3375ce307ac7909b907b@syzkaller.appspotmail.com
|
|
UNVEIL_INSPECT is a hack we added to get chrome/glib working. It silently
adds permission for stat(2), access(2), and readlink(2) to be used on
all path components of any unveil'ed path. robert@ has successfully now
fixed chrome/glib to not require excessive TOC vs TOU stat(2) and access(2)
calls on the paths it uses, so that this is no longer needed there.
readlink(2) is the sole call that is now permitted by UNVEIL_INSPECT,
and this is only needed so that realpath(3) can work. Going forward we will
likely make a realpath(2), after which we can completely deprecate
UNVEIL_INSPECT.
ok deraadt@
|
|
doesn't get freed. move the free calls into the same function as namei.
fixed bug report from Dariusz Sendkowski
ok beck
|
|
1) Correctly notice covering unveil when using .. - fix crash noticed by visa@
2) Notice when v_mount is NULL to not crash when unveil vnodes are on a
forcibly unmounted filesystem, noticed by yasuoka@
3) Add a flag to ni_data so that failures from unveil flag mismatches in covering
unveils return the correct EACCES instead of ENOENT (noticed by brynet@)
ok deraadt@
|
|
|
|
unveil matches when .. is used correctly. Also adds regress based
upon his test program for the same issue.
|
|
where ps_uvpcwd obviously contains a dangling pointer.
ok deraadt@, krw@
|
|
level directories from working when you don't traverse into them starting
from /. Most found by brynet@ and a few others.
ok brynet@ deraadt@
|
|
|
|
unveil for each unveil in the process at unveil() time, and refactoring the
handling of current directory and ISDOTDOT to be much more sensible.
Worked out at ns2k18 with guenther@.
ok deraadt@
|
|
ok beck@
|
|
final directory in a name unveil was not being added with UNVEIL_INSPECT
if it was not already unveiled. Now passes just added regress test for
this case
|
|
We use UNVEIL_INSPECT instead in the unveil flags for the same
purpose, and now add traversed vnodes of a path with UNVEIL_INSPECT
instead of with 0 flags and voodoo in unveil_flagmatch. This
allows us to uncontort the logic of unveil_flagmatch a bunch.
helpful review and ok from semarie@
|
|
|
|
to the namei args. This fixes a bug where chmod would be allowed when
with only READ. This also allows some further cleanup of some awkward
things like PLEDGE_STAT that will follow.
Lots of assistance from semarie@ - thanks!
ok semarie@
|
|
sane.
ok kettenis@
|
|
man page change will follow
|
|
|
|
|
|
the traversed vnodes - noticed and fixed by semarie@
|
|
as a descending match.
Noticed by Stuart Cassoff <3d0g@bell.net>
|
|
|