path: root/sys
Age  Author: Commit message
2015-10-28  Theo de Raadt: mkdir is PLEDGE_CPATH, not PLEDGE_CPATH | PLEDGE_RPATH...
ok semarie
2015-10-28  Theo de Raadt: cleanup indentation and comments in sysctl whitelist
2015-10-28  Sebastien Marie: more accurate pledge_fail() error and code for sys_socket
- use the error returned by pledge_socket_check()
- make the code to reflect the socket request (set code to PLEDGE_DNS for dns-socket, and to PLEDGE_INET else)
2015-10-28  Sebastien Marie: merge whitelisted r/w paths and rd paths switch to only one. It becomes possible due to the move of failing case later.
2015-10-28  Sebastien Marie: remove duplicate setting of p_pledgenote:
- in sys_access() which calls dofaccessat() and where the same note is already set
- in sys_mkdir() which calls domkdirat() and where the same note is already set
- in sys_rmdir() which calls dounlinkat() and where the same note is already set
it makes the p_pledgenote affectation be near NDINIT/NDINITAT call.
2015-10-28  Sebastien Marie: make sys_chroot() only allowed to be used when pledged, with "rpath id proc".
the previous check in pledge_namei() was incomplete. For using SYS_chroot we needed "id", and we could have passed pledge_namei() just with "rpath" (without using the now removed whitelisted entry).
the check for "rpath id proc" is now done using p_pledgenote: pledge_namei() will check that the pledgenote is permitted by your pledge.
"go ahead" deraadt@
2015-10-28  Visa Hankala: Enable TCP/UDP checksum offloading on packet transmission.
ok mpi@
2015-10-28  Visa Hankala: Add proper padding to packets that the hardware does not recognize as IP, to avoid memory alignment issues in the IP stack.
ok miod@, mpi@
2015-10-28  Sebastien Marie: refactor pledge_namei() a bit
- remove all explicit checks that ensure p_pledgenote has a counterpart in ps_pledge by one unique check. It makes management of explicit whitelisted operations on some paths more simple to manage. And now, we can use p_pledgenote for more fined checking in namei usage.
- add special case for unset p_pledgenote: the behaviour is the same as previously (we allow the operation with "rpath", "wpath" or "cpath" request) but it should be changed soon to be more strict.
"go ahead" deraadt@
2015-10-28  Sebastien Marie: canonpath() error isn't related to p_pledgenote requirement (only possible error currently is ENAMETOOLONG), so don't use p_pledgenote when failing.
2015-10-28  Sebastien Marie: in pledge_namei(), move PLEDGE_EXEC check sooner: it doesn't depend on path processing.
2015-10-28  Joel Sing: Support backspace in softraid boot passphrase prompt.
From uwe@
2015-10-28  Jonathan Gray: Add a missing splx for a return path introduced in rev 1.163
ok mpi@ bluhm@
2015-10-28  Theo de Raadt: Prevent F_SETOWN, unless a "proc" pledge was made.
2015-10-28  Florian Obser: Remove linkmtu and maxmtu from struct nd_ifinfo. IN6_LINKMTU can now die and ifp->if_mtu is the one true mtu.
Suggested by and OK mpi@
2015-10-28  Theo de Raadt: sync
2015-10-28  Theo de Raadt: The short-lived dnssocket/dnsconnect calls are being required because we suspect everyone has upgraded through the approx week-long window since SOCK_DNS became available and the libc resolver started using them.
2015-10-28  Theo de Raadt: Paranoia: p_pledgenote the NAMEI for ld.so loading
2015-10-28  Theo de Raadt: The short-lived dnssocket/dnsconnect calls are being required because we suspect everyone has upgraded through the approx week-long window since SOCK_DNS became available and the libc resolver started using them.
2015-10-28  Theo de Raadt: There are three situations where pty ioctl's result in a NDINIT. NDINIT should be preceded by setting pledgenote to indicate what the operation is for.
2015-10-28  Theo de Raadt: Set pledgenote to PLEDGE_RPATH in chdir & chroot
noticed by semarie
2015-10-28  Theo de Raadt: TIOCCONS will probably never be permitted, but it is good style to set p_pledgenote before NDINIT()
2015-10-28  Theo de Raadt: Though sys_ktrace is not yet pledge allowed, prepare by setting p_pledgenote as required.
XXX open question to guenther regarding FREAD to vnopen() / vnclose()
2015-10-28  Theo de Raadt: move p_pledgenote setting next to NDINIT()
2015-10-28  Theo de Raadt: kern.cptime is length 2
2015-10-28  Jonathan Gray: missing splx in error path
same change made in the sparc equivalent a while ago
2015-10-28  Theo de Raadt: support kern.cptime also
2015-10-27  Martin Pieuchot: RIP arp_ifinit().
2015-10-27  Martin Pieuchot: arp_ifinit() is no longer needed.
2015-10-27  Martin Pieuchot: arp_ifinit() is no longer needed.
2015-10-27  Martin Pieuchot: Rewrite in_ouraddr() to not use ``rt_ifa'' since it is not obvious that the lifetime of an ``ifa'' is tied to a route entry, so it might no longer be valid after calling rtfree(9).
While here put a KERNEL_LOCK() around the per-ifp address list iteration.
ok bluhm@
2015-10-27  Mike Belopuhov: Use verbose defines instead of hardcoded values for clarity when initializing hash objects. No binary or functional change.
2015-10-27  Mike Belopuhov: Sync chacha_ivsetup to the version in ssh so that we could specify custom counter value when setting up Chacha context.
ok reyk djm
2015-10-27  Martin Pieuchot: Move code around for clarity, no functional change.
ok bluhm@
2015-10-27  Martin Pieuchot: Use rt_ifidx rather than rt_ifp.
ok bluhm@
2015-10-26  Theo de Raadt: Add ppoll() to "stdio"
2015-10-26  Mike Belopuhov: Use axf's hashsize as a block size in the authenticated encryption routine. No change for GCM, however upcoming changes will rely on this.
2015-10-26  Martin Pieuchot: Use rt_ifidx rather than rt_ifp.
ok bluhm@
2015-10-26  mmcc: (char *)0 -> NULL
ok tedu@
2015-10-26  Alexander Bluhm: Let SLIST_REMOVE invalidate the pointer in more cases.
OK jsing@
2015-10-26  Ted Unangst: dns check needs to be done on the kernel address after copyin
2015-10-26  Theo de Raadt: Allow NET_RT_IFLIST in pledge "dns" as well
2015-10-26  Theo de Raadt: If the system call is entirely unpermitted, code will be 0, and there is no pledge to recommend.
2015-10-26  Theo de Raadt: add setreuid/setregid to "id"
2015-10-26  Sebastien Marie: change some pledge_fail() error/code
- for PLEDGE_FATTR: the code is more accurate to be PLEDGE_FATTR, as p->p_pledgenote could have multiple bits inside, and it is the lack of PLEDGE_FATTR that makes the check fail.
- for PLEDGE_RECVFD and PLEDGE_SENDFD, change the error to be EINVAL: we fail, not because of lack of PLEDGE_RECVFD / PLEDGE_SENDFD permission, but because the value passed is invalid in pledged program (for example trying to send a VDIR).
"go ahead" deraadt@
2015-10-26  Sebastien Marie: make pledge_check(), used for syscall check with pledge, return an error and provide the required pledge request for pledge_fail().
ok deraadt@
2015-10-26  mmcc: Cast isdigit()'s argument to unsigned char.
ok guenther@
2015-10-25  Theo de Raadt: unbreak tree for ramdisks without INET6
2015-10-25  Florian Obser: Put some comments in how nd6_rs_attach() works.
Requested by stsp
2015-10-25  Theo de Raadt: Fold "malloc" into "stdio" and -- recognizing that no program so far has used less than "stdio" -- include all the "self" operations.
Instead of different defines, use regular PLEDGE_* in the "p_pledgenote" variable (which indicates the operation subtype a system call is performing). Many checks become easier to understand. p_pledgenote can often be passed directly to ktrace, so that kdump says:
    15565 test CALL pledge(0xa9a3f804c51,0)
    15565 test STRU pledge request="stdio"
    15565 test RET pledge 0
    15565 test CALL open(0xa9a3f804c57,0x2<O_RDWR>)
    15565 test NAMI "/tmp/testfile"
    15565 test PLDG open, "wpath", errno 1 Operation not permitted
with help from semarie, ok guenther