Age | Commit message | Author |
|
"stdio rpath" this would fail to execve. Pre-indicate exec actions to the
namei checker to allow them through.
ok semarie
|
and readpassphrase() in particular use this.
ok millert tedu semarie
|
by "getpw" because libc getpw*/getgr* use open() of /var/run/ypbind.lock plus
flock() to detect YP running. The kernel observes this dance to "open up" the
YP door (ugliness should drive us to rewrite this mechanism from SunOS later).
However, flock is also used independently. Current users are
htpasswd mail skeyinit tmux authpf pwd_mkdb ldapd smtpd ypbind
login_token mail.local lockspool
Let's enable flock() for "cpath", and see if that helps these programs,
otherwise we'll try "wpath" next.
|
be called against a non-tty fd, so as to test "is this a tty". Discovered
by sthen and rob pierce at the same time.
|
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
|
strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.
|
This will be used by a few daemons. If they lack this feature, then
they would need to operate without tame.
Discussed with renato
|
only in TAME_UNIX, stop trying after servicing SOL_SOCKET.
discussion with claudio
|
because many routing daemon processes with this attribute need to fetch
that information to work.
discussed with claudio and renato
|
is no point in keeping an unused level of abstraction.
ok mikeb@, claudio@
|
new tame "route" request. Now routing daemons and tools (such as arp),
can narrowly ask for either feature. One thing remains available in
both cases -- support for getifaddr()'s, since libc and programs often
use that in close association with socket creation.
ok benno sthen beck, some discussion with renato
|
The routing table is not an optional component of the network stack
and initializing it inside the "routing domain" requires some ugly
introspection in the domain interface.
This puts the rtable* layer at the same level as the if* layer. These
two subsystems are organized around the two global data structures used
in the network stack:
- the global &ifnet list, to be used in process context only, and
- the routing table which can be read in interrupt context.
This change makes the rtable_* layer domain-aware and extends the
"struct domain" such that INET, INET6 and MPLS can specify the length
of the binary key used in lookups. This allows us to keep, or move
towards, AF-free route and rtable layers.
While here stop the madness and pass the size of the maximum key length
in *bytes* to rn_inithead0().
ok claudio@, mikeb@
|
"exec" to call execve(2), potentially fork(2) beforehand if they
asked for "proc". Calling execve is what "shells" (ksh, tmux, etc)
have as their primary purpose. But meantime, if such a shell has a
nasty bug, we want to mitigate the process from opening a socket or
calling 100+ other system calls. Unfortunately silver bullets are in
short supply, so if our goal is to stay in a POSIX-y environment, we
have to let shells call execve(). POSIX ate the world, so what choices do
we all have?
Warning for many: silver bullets are even more rare in other OS
ecosystems, so please accept this as a narrow lowering of the bar in a
very raised environment.
Committed from a machine running tame "proc exec" ksh, make, etc.
|
Also the combination of "proc tty" needs to permit TIOCSPGRP.
This is the start at minimum semantics required by processes which
work on process groups, sessions, ttys.
|
TIOCSBRK, TIOCCDTR, TIOCSETA, TIOCSETAW, and TIOCSETAF on tty
vnodes. This helps programs which call tcsetattr(), tcgetattr(), or
readpassphrase(). Especially the latter - tame's goal is to satisfy
the libc requirements of security-sensitive programs.
Remove TIOCSETAF from the basic "ioctl" request, because it is a "set"
option. "ioctl" is slowly turning into a "request information, cannot
set options" package.
Split the "cmsg" request into "sendfd" and "recvfd". Non-SCM_RIGHTS
messages are currently flowing through freely and we'll need to think
about that. This split lets us more strictly describe what our many
fd-passing programs will do.
|
mbuf blob with all the cmsgs inside, while on send cmsgs are in an mbuf chain,
one mbuf per message. Adjust the calls accordingly.
Putting it in so deraadt@ can move forward.
|
CMSG_SIZE(len) bytes of the mbuf.
|
for the stdio/libevent usage case. Further ioctl commands are narrowly
checked as before.
ok djm guenther semarie
|
it is RPATH|WPATH... nothing changes, just the new explanation.
|
find the ps buffer. Few programs want to do their first setproctitle()
rather late...
|
"every tool helps" deraadt@
|
what to free.
ok beck
|
can I figure out why I added this in the past...
|
as Theo is seeing vnode-related panics on several architectures in the
codepath that implements mmap(2).
|
dropping through to the kill path. The best way to understand this
is id(1). It calls getpwuid, which tries /etc/spwd.db before
/etc/pwd.db ...
|
ok tedu@ deraadt@
|
under tame
|
ok deraadt@, semarie@
|
ok semarie@
|
- by default, a tamed program doesn't have the possibility to use PROT_EXEC for
mmap(2) or mprotect(2)
- for that, use the request "prot_exec" (that could be dropped later)
initial idea from deraadt@ and kettenis@
"make complete sense" beck@
ok deraadt@
|
will take some time to fix it. Problem appears to be that the control mbuf
is not normalized into flat memory.
|
leak system path information. Should be reconsidered in the future.
|