Age | Commit message | Author
|
mainly move read/write whitelisted paths that should be *before* checking if
you have PLEDGE_WPATH.
with and ok deraadt@
|
|
hit by czarkoff
|
|
TMN_WPATH or both are set in p_pledgenote. Matches the style used
for /dev/tty special cases (among others). From deraadt@
|
|
ok deraadt
|
|
|
|
mappings. This will be used by if_nameindex(3), if_nametoindex(3) and
if_indextoname(3) soon to fix the issues in pledge because of inet6 link
local addressing.
OK mpi@ benno@ deraadt@
The libc version will follow soon so better start updating your kernels
|
|
ps-style programs (there are quite a few in the tree, including tmux).
"vminfo" exposes a bit more system operation information, which many
observation programs want (such as top). settime allows setting the system
time, and will be used to pledge-protect the last ntpd process.
|
|
|
|
With benno
|
|
Discussion with nicm.
|
|
|
|
for device. In sys_fcntl() the ioctl(TIOCSPGRP) is called, but the
pipe expects SIOCSPGRP. Sockets have a special case for the same
reason, so adapt the special code for pipes.
OK millert@
|
|
socket(). Without pledge, all other socket behaviours become permitted,
except this one case: connect/send* only works to *:53. In pledge mode,
a very few are further restricted. Some backwards compatibility for
the dnssocket/dnsconnect calls will remain in the tree temporarily so
that people can build through the transition.
ok tedu guenther semarie
|
|
member of the given group). This is used by some parse.y.
OK deraadt@
|
|
The following diff adds a clear view of whitelisted paths in pledge.
Before, whitelisting the "/usr/local/bin" path would make only the "/usr/local/bin"
vnode present and leave "/usr/local", "/usr", and "/" as ENOENT. It was a
somewhat odd filesystem hierarchy, and it broke realpath(3).
With this diff, the directories that are one of the parents of a
whitelisted directory become visible to stat(2)-related syscalls, but only
with restricted permissions: stat(2) will lie a bit, saying they are owned by
root:wheel and the mode is --x--x--x. Note that only stat(2) is affected by this
"view", and the owner/mode aren't effectively changed: it is just a "lie".
While here, refactor pledge_namei() a bit in order to avoid multiple for-loops
over the whitelisted-path array.
ok deraadt@
|
|
|
|
default case only allows SOL_SOCKET SO_RCVBUF, which is very common in
network-facing daemons. Many of them manage this on a socket after
dropping abilities which can get them _new_ sockets: syslogd, bgpd,
relayd, etc. Other sockopts still require specific pledges.
Tested by bluhm.
|
|
builtin. make a note that setpriority() should be weakened, unless "id"
is also present.
pointed out by Theo Buehler
|
|
|
|
in unp_internalize and unp_externalize.
ok kettenis guenther
|
|
This check has nothing to do with pledge(2). Make it live in the sys_ioctl() call.
While here, move the (fp == NULL) check earlier and remove the duplicate check from
pledge_ioctl_check().
ok guenther@ deraadt@
|
|
|
|
get a response from a YP server, it will open "/dev/tty" and spit out:
'YP server for domain %s not responding, still trying'
For now allow open of /dev/tty for "getpw". I hope to re-architect the
libc:YP communication protocol (strategy similar to syslog->sendsyslog,
isatty->fcntl, dnssocket/dnsconnect) and then we can reevaluate this.
|
|
|
|
Without this change, you need "rpath" and "wpath" to open /dev/tty. Some
applications explicitly open /dev/tty, but deraadt@ found the most
common use is indirectly via readpassphrase().
tweak and ok deraadt@
pre-tweak ok millert@, semarie@
|
|
|
|
SS_DNS tagged socket which has limited functionality (for example, you
cannot accept on them...) The libc resolver will switch to using these,
therefore pledge can identify a DNS transaction better.
ok tedu guenther kettenis beck and others
|
|
We may need a better semantic later ("thread"?), but this allows
progress, and people can report their experiences.
|
|
is a RPATH|WPATH operation.
Discussed with doug and millert
|
|
permission. For now, we'll tighten it down further later.
|
|
|
|
(both "tty" and "ioctl" allow these; they should behave the same)
|
|
worked out with nicm
|
|
|
|
setgid/setegid/setresgid, setgroups, setlogin, and setpriority.
setrlimit and getpriority are also allowed (they are also in "proc").
Some of these were previously permitted in "proc" but have been removed.
This separation is intentional. "proc" is intended for reasoning about
the relationship of a process "with other processes", whereas "id" deals
with the powerful/dangerous concept of unix ids. "id" will see some action
very soon.
ok gilles tedu semarie doug
|
|
ok deraadt@
|
|
ok deraadt@
|
|
Prevent a deadlock from occurring when intr_barrier() is called from
a non-primary CPU in the watchdog task, also enqueued on ``systq''.
ok kettenis@
|
|
|
|
checking cdevsw. ok deraadt
|
|
pattern is common, especially because of daemon(3) usage. Will probably
help some daemons move their pledge() calls further upwards.
ok doug,
|
|
sys_bind().
bind(2) still requires PLEDGE_INET or PLEDGE_UNIX in order to be called, due to the
SYS_bind entry in the pledge_syscalls array. The diff also restores the ability for
PLEDGE_UNIX to call bind(2) (the pledge_bind_check function missed that).
problem spotted by doug@
OK deraadt@
|
|
|
|
returning ENOTTY instead of killing the process.
|
|
use pledge and file locking. OK deraadt@
|
|
currently needing them. delete 'em for now.
ok doug
|
|
cu(1) uses these.
ok deraadt@
|
|
|
|
safe uses of it
|
|
|