Age | Commit message | Author |
|
This brings us back in conformance with POSIX rmdir(2) and rmdirat(2).
OK kettenis@
|
|
is generated, and mprotect/mmap return ENOTSUP. If the sysctl(8) flag
kern.wxabort is set then a SIGABRT occurs instead, for gdb use or coredump
creation.
W^X violating programs can be permitted on a ffs/nfs filesystem-basis,
using the "wxallowed" mount option. One day far in the future
upstream software developers will understand that W^X violations are a
tremendously risky practice and that style of programming will be
banished outright. Until then, we recommend most users need to use the
wxallowed option on their /usr/local filesystem. At least your other
filesystems don't permit such programs.
ok jca kettenis mlarkin natano
|
|
please note that chrooted processes are still possible with pledge(2), but only
if the chroot(2) is done *before* calling pledge(2). Once pledged, no more
chroot(2) calls are permitted.
|
|
could end up in an inconsistent state. The fstype dependent
mp->mnt_data was NULL, but the general mp was still listed as a
valid mount point. Next access to the file system would crash with
a NULL pointer dereference.
If closing the device fails, the mount point must go away anyway.
There is nothing we can do about it. Remove the workaround for the
EIO error in the general unmount code, but do not generate any error
in the file system specific unmount functions.
OK natano@ beck@
|
|
torture tested on amd64, i386 and macppc
ok beck mpi stefan
"the change looks right" deraadt
|
|
oflags & 3 == 3 case. Therefore this depends on vn_open() blocking the
operation later. Probably this meant the ni_pledge request would be too
high, causing transient operation failure, rather than transient operation
passage). Instead of initializing based on the oflags value use the
result of FFLAGS(). I should have done this from the start.
ok semarie
[oflags & 3 == 3 is major deja vu for me]
|
|
enforce it for open(2) when used with O_CREAT and mode.
ok deraadt@
|
|
enforce it for mkfifo(2) and mknod(2) (with "dpath" promise).
ok deraadt@
|
|
This will be required to keep pax/tar/cpio at otherwise very high levels
of pledge (and we will see where else it is beneficial).
Allocate a bit for pledge "audio", which will be coming soon.
good discussions with semarie
|
|
/dev/console case, so go back to doing the direct D_TTY check.
signed over a few times with guenther
|
|
because that shows the /dev/console translated vnode.
You either already know the story, or you don't want to know.
|
|
ok millert semarie tedu guenther
|
|
ok millert semarie tedu guenther
|
|
pledgenote is used to annotate the policy for a namei context. So make it
track the nameidata.
It is expected for the caller to explicitly define the policy. It is a kernel
bug to not do so.
ok deraadt@
|
|
- rename the _check function without the suffix: a "pledge" function called from
anywhere is a "check" function.
- make the pledge_fail call the responsibility of the _check function; remove it
from the caller.
- make proper use of the (potential) returned error of _check() functions.
- add pledge_kill() and pledge_protexec()
with and OK deraadt@
|
|
ok semarie
|
|
- in sys_access() which calls dofaccessat() and where the same note is already set
- in sys_mkdir() which calls domkdirat() and where the same note is already set
- in sys_rmdir() which calls dounlinkat() and where the same note is already set
This puts the p_pledgenote assignment near the NDINIT/NDINITAT call.
|
|
the previous check in pledge_namei() was incomplete. For using SYS_chroot we
needed "id", and we could have passed pledge_namei() just with "rpath" (without
using the now removed whitelisted entry).
the check for "rpath id proc" is now done using p_pledgenote: pledge_namei()
will check that the pledgenote is permitted by your pledge.
"go ahead" deraadt@
|
|
noticed by semarie
|
|
used less than "stdio" -- include all the "self" operations. Instead of
different defines, use regular PLEDGE_* in the "p_pledgenote" variable
(which indicates the operation subtype a system call is performing). Many
checks become easier to understand. p_pledgenote can often be passed
directly to ktrace, so that kdump says:
15565 test CALL pledge(0xa9a3f804c51,0)
15565 test STRU pledge request="stdio"
15565 test RET pledge 0
15565 test CALL open(0xa9a3f804c57,0x2<O_RDWR>)
15565 test NAMI "/tmp/testfile"
15565 test PLDG open, "wpath", errno 1 Operation not permitted
with help from semarie, ok guenther
|
|
the following diff adds a clear view of whitelisted-paths in pledge.
before, whitelisting the "/usr/local/bin" path would make only the "/usr/local/bin"
vnode present and leave "/usr/local", "/usr", and "/" as ENOENT. It was a
somewhat odd filesystem hierarchy, and it breaks realpath(3).
with this diff, the directories that are one of the parents of a
whitelisted directory become visible to stat(2) related syscalls, but only
with restricted permissions: stat(2) will lie a bit, saying they are owned by
root:wheel and the mode is --x--x--x. Note that only stat(2) is affected by this
"view", and the owner/mode aren't effectively changed: it is just a "lie".
while here, refactor pledge_namei() a bit in order to avoid multiple for-loops
over the whitelisted-path array.
ok deraadt@
|
|
use pledge and file locking. OK deraadt@
|
|
came out of a discussion regarding "sort foo -o foo".
ok semarie
|
|
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
|
|
cr_uid/cr_gid (effective ids). Thus, chown(, -1,-1) should work OK, so
should chown(, me, -1), etc. With this committed, more people can test.
|
|
those bits in the request and continue. This is a better POSIX subset
to give to programs.
|
|
do about S_ISUID and S_ISGID... maybe we should mask them and allow
the operation to happen?
|
|
The pathlist is a whitelist of dirs and files; anything else returns ENOENT.
Recommendation is to use a narrowly defined list. Also add TAME_FATTR, which
permits explicit change operations against "struct stat" fields. Some
other TAME_ flags are refined slightly.
Not cranking libc now, since nothing committed in base uses this and the
timing is uncomfortable for others. Discussed with many; thanks for a
few bug fixes from semarie, doug, guenther.
ok guenther
|
|
it also applies to sys_openat().
|
|
operating model". This is the kernel component; various changes should
proceed in-tree for a while before userland programs start using it.
ok miod, discussions and help from many
|
|
Input and ok millert@
|
|
followed by a mode check. This will simplify the ref/unref dance as
soon as fd_getfile() increments fp's reference counter.
Idea from and ok guenther@, ok millert@
|
|
atime and mtime are UTIME_OMIT (at least for ufs, tmpfs, and ext2fs), and
to correctly handle a timestamp of -1.
ok millert@
|
|
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
|
objective: vnode.h doesn't include uvm_extern.h anymore.
followup changes: include uvm_extern.h or lock.h where necessary.
ok and help from deraadt
|
|
ok doug tedu
|
|
Both sys_mkfifo(2) and sys_mkfifoat(2) could be replaced by libc wrappers
using mknodat(2) at a later date if we desire. OK guenther@
|
|
OK guenther@
|
|
after discussions with beck deraadt kettenis.
|
|
don't need to be married.
ok guenther miod beck jsing kettenis
|