"route", which krw and mestre will be able to use in dhclient(8).
|
conversation with jsg
|
it makes PLEDGE_YPACTIVE enough for doing required networking with YP. It
should permit to bring YP internals into the light.
discussed with deraadt@
|
This will be required to keep pax/tar/cpio at otherwise very high levels
of pledge (and we will see where else it is beneficial).
Allocate a bit for pledge "audio", which will be coming soon.
good discussions with semarie
|
ps_pledge to become 64-bits over the next few days (things are getting
a bit tight; most newer pledges will be quite device-driver specific)
|
ok deraadt@
|
native language support was deleted a month ago at u2k15.
OK semarie@ deraadt@
|
ok deraadt@
|
discussed with jsg
|
the device node (since it does not exist...)
|
relayd and other programs manipulating the packet filter.
ok deraadt@
|
ok mpi@
|
then relayd's host check engine can be pledged.
ok reyk@, approach suggested by deraadt@ weeks ago.
|
Committing on behalf of tb@, problem reported by Rolf Sommerhalder on misc@.
|
LOG_CONS. If syslogd is not accepting messages, direct them to the console.
This allows us to remove the direct /dev/console opening code from the
bowels of libc. Of course, that forgotten code was exposed by pledge.
ok kettenis millert beck
|
passing LOG_CONS
ok millert kettenis beck
|
getpass(3), so don't specifically allow it for "rpath" (rpath will
accept it in the end, unless it is on the whitelist)
|
Prevent lazy developers, like David and me, from using atomic operations
without including <sys/atomic.h>.
ok dlg@
|
also, to satisfy midlayers that some fs/install tools need.
|
discovered by rpe
|
As Kenjiro Cho pointed out, it is very hard to cancel a dequeue operation
for some queueing disciplines when it keeps some internal state.
As you can see, APIs can also Live Fast & Die Young.
ok dlg@
|
with pledge_socket(p, -1, state) we only check for "dns" promise against SS_DNS
socket. But it isn't possible to pass a SS_DNS socket to listen(2) or accept(2)
(EINVAL). So this deeper check is a bit useless...
ok deraadt@
|
also. The idea is much like rpath is with files, you get an fd and then
you can play with it somewhat. In the socket space once you have a fd, you
can play with it somewhat. So you cannot bind, but you can accept. You
can listen, getpeername, getsockname, and of course set/getsockopt is
somewhat available.. yes, this makes pledge the anti-capsicum, kind of
like salt from Secovlje.. reasoning due to a conversation with tedu
|
to mmap, but thinking about it nothing feels risky
Long discussions with florian
|
few disklabel ioctls, and the DIOCMAP ioctl against /dev/diskmap used
to translate duid numbers into partitions.
This will allow pledging of at least 12 disk/filesystem aware
programs; due to the negative impact that diff will wait a bit so
everyone has a chance to update their kernels.
ok semarie
|
check. You cannot open a socket in a domain unless permitted -- but
you need to be able to accept one if the code flow asks for that to
happen. The most recent check is too tight. We may need to iterate the
policy here until we hit the right vibe...
|
/dev/console case, so go back to doing the direct D_TTY check.
signed over a few times with guenther
|
know there's only one thread in the taskq. wakeups are much more
expensive than a simple compare.
from haesbart
|
reported by Mateusz Guzik with a diff.
this one is a slightly modified version.
ok deraadt@
|
ok deraadt@
|
because that shows the /dev/console translated vnode.
You either already know the story, or you don't want to know.
|
ports using base gcc with PCH include: boost, keepassx, wxWidgets, jdk
|
and kern.posix1version. Enough to satisfy getconf, and I hope we
don't need to add much more after this.
Largely from jca
|
Discussed with millert
|
ok millert semarie tedu guenther
|
ok millert semarie tedu guenther
|
device is a D_TTY device. (Like spec_open, but this sets the flag to
satisfy pre-VOP_OPEN situations)
ok millert semarie tedu guenther
|
Since this only affects base gcc and the ports most in need of PCHs are
compiled with ports compilers anyway, let's see what happens if we break it.
discussed with and ok deraadt@
|
library routines. The manpage declares, in bold:
The brk() and sbrk() functions are historical curiosities left over from
earlier days before the advent of virtual memory management.
In our base tree, only one program uses these functions -- cc1 in the
gcc toolset. A historical curiosity using a historical curiosity, how
quaint. brk is used because precompiled c headers are not position
independent. Another program which relies upon brk is emacs. Other
uses of brk are EXCEEDINGLY RARE, because most software grew up and
uses modern practices such as malloc and mmap, thereby gaining ASLR
benefits. Position independence has become an important part of
mitigations. These two programs fight such improvements.
Permitting brk/sbrk allows the large attack surface of cc1 to be pledged.
"I would rather have cc1 pledged than purity in pledge" guenther
|
ok dlg@
|
ok dlg@
|
only written to. (Will keep an eye out for NFS surprises)
ok guenther