okay deraadt@

They don't work, they break other tags in weird ways, and even
if they could be made to work, they would be mostly useless.
Issue reported by naddy@, thanks.

makes no promises about compatibility nor the lack of compatibility.
suggestion & diff from micheal reed

That's more readable and less error-prone than fumbling around
with argv[0], fprintf(3), strerror(3), perror(3), and exit(3).
It also shortens the code by 50 lines.
It's a bad idea to boycott good interfaces merely because standards
committees ignore them. Instead, it's the job of the portable
distribution to provide compatibility modules for archaic systems
(like commercial Solaris) that still don't have them. Actually,
the compat code for the portable distribution already exists and
will be committed right after this.

the newfile() function used for creating files opens files in "w+"
(O_RDWR), and may occasionally do reading on the file (function
toomuch()).
ok deraadt@

okay millert@

gcr-3,gcr-base-3

arguments using kvm_getargs, after the pledge() has been made. someone
brave should refactor this, hoisting the argument fetching to between
kvm_getprocs() and pledge() - storing the argument data as necessary.
the current situation is also a race -- it fetches the data twice.

sizeof(struct sockaddr_un), so do the simple, portable thing
ok beck@ deraadt@

openssl(1) has two mechanisms for operating: either a single execution
of one command (looking at argv[0] or argv[1]) or as an interactive
session that may execute any number of commands.
We already have a top level pledge that should cover all commands
and that's what interactive mode must continue using. However, we can
tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most
commands only need "stdio rpath wpath cpath". The pledges could be
further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.

These should have been "stdio getpw" before, but they worked for non-YP
environments. With YP, it won't work without "getpw".
Reported by semarie@ and confirmed as a problem by miod@.
ok deraadt@

ok doug

does stdio, and it does a raw execve(). It is so obvious. It gets
only _exit(2), kbind(2), and 46 system calls -- over half of which
are deeply gutted in their functionality to only serve narrow libc
needs for "stdio (includes malloc)". the other 161 system calls kill it.

rpath is to access /etc/rpc, and inet to talk to portmap & local world.
ok beck

ok doug

which i have put in that order). this is not important, but helps look
for outliers which might be strange. it hints that "ioctl" should be
reassessed in a few places, to see if "tty" is better; that "unix" may
be used in some places where "route" could now work.

awk -safe was introduced back in 1997 to stop awk from doing file output,
executing commands or accessing the environment. The lexer rejected programs
when it saw awk commands that would write, exec or env. Beyond that,
it wasn't safe from write/exec/env during program execution.
With pledge "stdio rpath", the kernel is now enforcing the awk -safe
mode restrictions at runtime (other than env).
Based on a diff by deraadt@
ok deraadt@ beck@

code directly and use it as a subfunction. This refactoring allows use of
pledge "stdio rpath proc tty" in the main bc(1) process before fork, pledge
"stdio rpath tty" after fork, and fully reduced to "stdio" in the dc(1)
child.
This requires two recent changes to the kernel code (allowing sigsuspend(),
and kill() self as pid 0).
ok otto

potentially modify pledge() to permit /etc/protocols (/etc/rpc?
/etc/services? etc) without requiring an rpath attribute. but where would
we draw the line for what /etc files libc functions need? At present, we
draw that line closer to the minimum.
issue found by theo@math.ethz.ch

ok doug

the need for getpw. Not sure if I see ways to improve this program.
ok doug

for dropping some path attributes in between, but i will let someone
else do that.
ok doug

ok beck doug

use, and fattr for chmod.
doug

getpass() opens /dev/tty RW so it can write the prompt.
ok deraadt@

login* subsystem, tty for readpassphrase()
ok beck

ok doug

background.
ok doug

spawns subprocesses. rpath is only needed for the -o (open /dev/tty)
or no -o (open /dev/null) choice.
ok beck

ok doug

discussed with doug and semarie

pretty printing some addresses.

to maybe need "tty", but have not found a path which calls those kind
of curses functions.
ok doug

first. it can pledge to "stdio" (pgrep case) or "stdio proc" (pkill case)
before parsing and matching the expression.
ok doug

ok doug

in preparation for pledge(2); no functional change intended.

Except C-k which has a defined behaviour. In mg, C-t doesn't complete
n iterations if requested, but probably should, hence it has been
included in this diff.

ok doug

ok doug

This is a simple case of using "stdio rpath" until all files are opened and
then dropping down to "stdio" since it includes "rw" on open fds.
ok deraadt@

This pledges the superset of all requests for the various getent databases
and then drops to the minimum for the chosen database.
ok deraadt@

longer relevant.
OK millert@