path: root/sys/kern
Age         Author                      Commit message

2015-10-25  Sebastien Marie
    reorder some checks in pledge_namei() in order to properly work.
    mainly move read/write whitelisted paths that should be *before* checking if you have PLEDGE_WPATH. with and ok deraadt@

2015-10-25  Theo de Raadt
    ps(1) needs sysctl KERN_PROC_CWD exposed as well in the pledge "ps" set.
    hit by czarkoff

2015-10-25  Todd C. Miller
    For SYS_open let the /dev/null special case match if any TMN_RPATH,
    TMN_WPATH or both are set in p_pledgenote. Matches the style used for /dev/tty special cases (among others). From deraadt@

2015-10-25  Nicholas Marriott
    Allow getsockopt(IP_OPTIONS) (with inet), needed by portmap (for RPC).
    ok deraadt

2015-10-23  Theo de Raadt
    Allow SIOCGIFINFO_IN6

2015-10-23  Claudio Jeker
    Introduce a new sysctl NET_RT_IFNAMES that returns only ifnames to ifindex
    mappings. This will be used by if_nameindex(3), if_nametoindex(3) and if_indextoname(3) soon to fix the issues in pledge because of inet6 link local addressing. OK mpi@ benno@ deraadt@ The libc version will follow soon so better start updating your kernels

2015-10-23  Theo de Raadt
    Add 3 new pledge requests. "ps" exposes enough sysctl information for
    ps-style programs (there are quite a few in the tree, including tmux). "vminfo" exposes a bit more system operation information, which many observation programs want (such as top). settime allows setting the system time, and will be used to pledge-protect the last ntpd process.

2015-10-23  Theo de Raadt
    Allow hw.ncpu sysctl (a few reasons showed up in my mailbox rapidly..)

2015-10-22  Theo de Raadt
    Further study shows "route" should allow all address families in NET_RT_DUMP
    With benno

2015-10-22  Theo de Raadt
    After some consideration, simply allow TIOCSCTTY in the "tty" pledge.
    Discussion with nicm.

2015-10-22  David Gwynne
    rename ml_join to ml_enlist and expose it to the rest of the kernel.

2015-10-21  Alexander Bluhm
    Setting fcntl(F_SETOWN) for a pipe failed with inappropriate ioctl
    for device. In sys_fcntl() the ioctl(TIOCSPGRP) is called, but the pipe expects SIOCSPGRP. Sockets have a special case for the same reason, so adapt the special code for pipes. OK millert@

2015-10-20  Theo de Raadt
    At guenther's suggestion replace dnssocket() with a SOCK_DNS flag on
    socket(). Without pledge, all other socket behaviours become permitted, except this one case: connect/send* only works to *:53. In pledge mode, a very few are further restricted. Some backwards compatibility for the dnssocket/dnsconnect calls will remain in the tree temporarily so that people can build through the transition. ok tedu guenther semarie

2015-10-20  Reyk Floeter
    Add SIOCGIFGMEMB to "route" (returns a list of all interfaces that are
    members of the given group). This is used by some parse.y. OK deraadt@

2015-10-20  Sebastien Marie
    clear whitelisted-paths view in pledge.
    the following diff adds a clear view of whitelisted-paths in pledge. before, whitelisting the "/usr/local/bin" path would make only the "/usr/local/bin" VNODE present and let "/usr/local", "/usr", and "/" be ENOENT. It was a somewhat odd filesystem hierarchy, and it breaks realpath(3). with this diff, the directories that are one of the parents of a whitelisted directory become visible to stat(2) related syscalls, but only with restricted permissions: stat(2) will lie a bit, saying they are owned by root:wheel and the mode is --x--x--x. Note that only stat(2) is affected by this "view", and the owner/mode aren't effectively changed: it is just a "lie". while here, refactor pledge_namei() a bit in order to avoid multiple for-loops on the whitelisted-path array. ok deraadt@

2015-10-20  Theo de Raadt
    allow SO_ERROR all the time

2015-10-20  Theo de Raadt
    Always allow the setsockopt & getsockopt system calls... however, in the
    default case only allow SOL_SOCKET SO_RCVBUF which is very common in network-facing daemons. Many of them manage this on a socket after dropping abilities which can get them _new_ sockets.. syslogd, bgpd, relayd, etc etc. Other sockopts still require specific pledges. Tested by bluhm.

2015-10-19  Theo de Raadt
    Allow setpriority in "proc" as well, since a few shells have a "nice"
    builtin. make a note that setpriority() should be weakened, unless "id" is also present. pointed out by Theo Buehler

2015-10-19  Nicholas Marriott
    Print vnode type for sendfd/recvfd not file type, ok semarie

2015-10-18  Theo de Raadt
    Instead of fragile CMSG parsing, control pledge "sendfd" and "recvfd"
    in unp_internalize and unp_externalize. ok kettenis guenther

2015-10-18  Sebastien Marie
    move SS_DNS socket check from kern_pledge.c to sys_generic.c
    this check has nothing to do with pledge(2). make it live in the sys_ioctl() call. while here, move the (fp == NULL) check early and remove the duplicate check from pledge_ioctl_check(). ok guenther@ deraadt@

2015-10-18  Theo de Raadt
    getting sloppy, lost a }

2015-10-18  Theo de Raadt
    Move your drink further away... When a program pledged "getpw" fails to
    get a response from a YP server, it will open "/dev/tty" and spit out: 'YP server for domain %s not responding, still trying' For now allow open of /dev/tty for "getpw". I hope to re-architect the libc:YP communication protocol (strategy similar to syslog->sendsyslog, isatty->fcntl, dnssocket/dnsconnect) and then we can reevaluate this.

2015-10-18  Theo de Raadt
    TIOCSTI and TIOCSCTTY; oops got the condition backwards.

2015-10-18  Doug Hogan
    Allow read/write access to /dev/tty when using "tty" pledge.
    Without this change, you need "rpath" and "wpath" to open /dev/tty. Some applications explicitly open /dev/tty, but deraadt@ found the most common use is indirectly via readpassphrase(). tweak and ok deraadt@ pre-tweak ok millert@, semarie@

2015-10-18  Theo de Raadt
    sync

2015-10-18  Theo de Raadt
    Add two new system calls: dnssocket() and dnsconnect(). This creates a
    SS_DNS tagged socket which has limited functionality (for example, you cannot accept on them...) The libc resolver will switch to using these, therefore pledge can identify a DNS transaction better. ok tedu guenther kettenis beck and others

2015-10-17  Theo de Raadt
    naddy asks me if __tfork should be allowed by "proc". yes!
    We may need a better semantic later ("thread"?), but this allows progress, and people can report their experiences.

2015-10-17  Theo de Raadt
    connect() to an AF_UNIX socket is really read/write, so tell pledge this
    is an RPATH|WPATH operation. Discussed with doug and millert

2015-10-17  Theo de Raadt
    Allow the nasty ioctl TIOCSTI in "tty", but also require the "proc"
    permission. For now, we'll tighten it down further later.

2015-10-17  Theo de Raadt
    better wording in a comment

2015-10-17  Theo de Raadt
    Unify TIOCGPGRP/TIOCGWINSZ/TIOCGWINSZ behaviour regarding ENOTTY return.
    (both "tty" and "ioctl" allow these; they should behave the same)

2015-10-17  Theo de Raadt
    Allow TIOCSCTTY on tty devices, if the pledge says "tty id"
    worked out with nicm

2015-10-17  Theo de Raadt
    whitespace

2015-10-17  Theo de Raadt
    Add pledge "id" support. This request permits setuid/seteuid/setresuid,
    setgid/setegid/setresgid, setgroups, setlogin, and setpriority. setrlimit and getpriority are also allowed (they are also in "proc") some of these were previously permitted in "proc" but have been removed. this separation is intentional. "proc" is intended for reasoning about the relationship of a process "with other processes", whereas "id" deals with the powerful/dangerous concept of unix ids. "id" will see some action very soon. ok gilles tedu semarie doug

2015-10-17  Jeremie Courreges-Anglas
    Allow a few 'get' ioctls for pledge("route"). route6d will soon use this.
    ok deraadt@

2015-10-16  Jeremie Courreges-Anglas
    Also allow 6 as a miblen for NET_RT_DUMP, not all users specify a rtable.
    ok deraadt@

2015-10-16  Martin Pieuchot
    Make sched_barrier() use its own task queue to avoid deadlocks.
    Prevent a deadlock from occurring when intr_barrier() is called from a non-primary CPU in the watchdog task, also enqueued on ``systq''. ok kettenis@

2015-10-16  Theo de Raadt
    Repair the pty check for kernels without pty support.

2015-10-16  Nicholas Marriott
    Allow PTMGET with "tty rpath wpath" but restrict only to /dev/ptm by
    checking cdevsw. ok deraadt

2015-10-16  Theo de Raadt
    Always allow a r/w opening of /dev/null through the namei check. This
    pattern is common, especially because of daemon(3) usage. Will probably help some daemons move their pledge() calls further upwards. ok doug

2015-10-16  Sebastien Marie
    delete pledge_bind_check() function and remove pledge_bind_check() call from
    sys_bind(). bind(2) still requires PLEDGE_INET or PLEDGE_UNIX in order to be called, due to the SYS_bind entry in the pledge_syscalls array. The diff also restores the ability for PLEDGE_UNIX to call bind(2) (the pledge_bind_check function missed that). problem spotted by doug@ OK deraadt@

2015-10-16  Theo de Raadt
    Place TIOCSTI reminder block better

2015-10-16  Theo de Raadt
    For "tty" pledges, treat TIOCGPGRP and TIOCGWINSZ like TIOCGETA -
    returning ENOTTY instead of killing the process.

2015-10-16  Todd C. Miller
    Implement real "flock" request and add it to userland programs that
    use pledge and file locking. OK deraadt@

2015-10-16  Theo de Raadt
    FIOSETOWN/FIOGETOWN were added to "ioctl", but study finds no programs
    currently needing them. delete 'em for now. ok doug

2015-10-16  Doug Hogan
    Add TIOCCBRK and TIOCSDTR to the whitelist for pledge ioctl.
    cu(1) uses these. ok deraadt@

2015-10-15  Theo de Raadt
    Add TIOCFLUSH to "tty" in support of tcflush()

2015-10-15  Theo de Raadt
    Exposing FIOASYNC in pledge "ioctl" is a mistake; remove it, cannot find
    safe uses of it

2015-10-15  Theo de Raadt
    FIOCLEX & FIONCLEX should be in base ioctl set