<feed xmlns='http://www.w3.org/2005/Atom'>
<title>wireguard-openbsd/libexec/spamd, branch master</title>
<subtitle>WireGuard implementation for the OpenBSD kernel</subtitle>
<id>https://git.zx2c4.com/wireguard-openbsd/atom/libexec/spamd?h=master</id>
<link rel='self' href='https://git.zx2c4.com/wireguard-openbsd/atom/libexec/spamd?h=master'/>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/'/>
<updated>2019-08-06T13:34:36Z</updated>
<entry>
<title>By now we are already confident that pledge(2) "just works(tm)" and that it can</title>
<updated>2019-08-06T13:34:36Z</updated>
<author>
<name>mestre</name>
<email>mestre@openbsd.org</email>
</author>
<published>2019-08-06T13:34:36Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/commit/?id=0256fee778570faca198e11b52d837cd2a1b1fa1'/>
<id>urn:sha1:0256fee778570faca198e11b52d837cd2a1b1fa1</id>
<content type='text'>
be used to effectively remove filesystem access.

That being said, in spamd(8) when I pledge(2)d it the main priv process got
"stdio inet" which means there's no fs access at all so calling
chroot(2)/chdir(2) here doesn't get us any additional protection. Just remove
them.

OK deraadt@ and no objections from schwarze@
</content>
</entry>
<entry>
<title>Ever since I introduced pledge(2) on spamd(8) the chroot'ed process, if running</title>
<updated>2019-07-24T18:41:05Z</updated>
<author>
<name>mestre</name>
<email>mestre@openbsd.org</email>
</author>
<published>2019-07-24T18:41:05Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/commit/?id=fd9fa3ac1b409c700bd4b6768bfcd3ad46ac29e6'/>
<id>urn:sha1:fd9fa3ac1b409c700bd4b6768bfcd3ad46ac29e6</id>
<content type='text'>
in default, cannot get anywhere near the filesystem since its only promises are
"stdio inet". Furthermore, in blacklist mode this same codepath is not
chroot'ed but once again it gets the same pledge(2).

Therefore we can remove the BUGS section from spamd(8)'s manpage.

OK millert@ deraadt@
</content>
</entry>
<entry>
<title>When system calls indicate an error they return -1, not some arbitrary</title>
<updated>2019-06-28T13:32:41Z</updated>
<author>
<name>deraadt</name>
<email>deraadt@openbsd.org</email>
</author>
<published>2019-06-28T13:32:41Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/commit/?id=df69c215c7c66baf660f3f65414fd34796c96152'/>
<id>urn:sha1:df69c215c7c66baf660f3f65414fd34796c96152</id>
<content type='text'>
value &lt; 0.  errno is only updated in this case.  Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
</content>
</entry>
<entry>
<title>I am retiring my old email address;  replace it with my OpenBSD one.</title>
<updated>2019-01-25T00:19:25Z</updated>
<author>
<name>millert</name>
<email>millert@openbsd.org</email>
</author>
<published>2019-01-25T00:19:25Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/commit/?id=bf198cc6eba0ca1f6d79f71e8e2243d386241fa8'/>
<id>urn:sha1:bf198cc6eba0ca1f6d79f71e8e2243d386241fa8</id>
<content type='text'>
</content>
</entry>
<entry>
<title>When spamd(8) runs in greylist mode in the parent process (which runs</title>
<updated>2018-10-25T06:42:35Z</updated>
<author>
<name>mestre</name>
<email>mestre@openbsd.org</email>
</author>
<published>2018-10-25T06:42:35Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/commit/?id=800fd717b9e008c067e3c37eb1dcfc2cb098d902'/>
<id>urn:sha1:800fd717b9e008c067e3c37eb1dcfc2cb098d902</id>
<content type='text'>
greywatcher()) we know that the only files that it will ever access are
PATH_SPAMD_DB in rw mode, alloweddomains_file in r and that it will need to
execute PATH_PFCTL so we can unveil(2) them with those permissions.

OK deraadt@ millert@ beck@
</content>
</entry>
<entry>
<title>More "explicitely" -&gt; "explicitly" in various comments.</title>
<updated>2018-10-22T17:31:24Z</updated>
<author>
<name>krw</name>
<email>krw@openbsd.org</email>
</author>
<published>2018-10-22T17:31:24Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/commit/?id=c43131ad7f420c8af6cee2cdfbcd3f96b0d6e971'/>
<id>urn:sha1:c43131ad7f420c8af6cee2cdfbcd3f96b0d6e971</id>
<content type='text'>
ok guenther@ tb@ deraadt@
</content>
</entry>
<entry>
<title>nuke trailing whitespace</title>
<updated>2018-04-26T08:57:07Z</updated>
<author>
<name>beck</name>
<email>beck@openbsd.org</email>
</author>
<published>2018-04-26T08:57:07Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/commit/?id=673dbe7e918575ddfb992896dc67910cf5b87716'/>
<id>urn:sha1:673dbe7e918575ddfb992896dc67910cf5b87716</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Make blacklist entries override the whitelist.  When running spamd</title>
<updated>2017-10-18T17:31:01Z</updated>
<author>
<name>millert</name>
<email>millert@openbsd.org</email>
</author>
<published>2017-10-18T17:31:01Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/commit/?id=66baed91cf18d6f3802b9f268dbe4a071dfc25e8'/>
<id>urn:sha1:66baed91cf18d6f3802b9f268dbe4a071dfc25e8</id>
<content type='text'>
in greylisting mode, it is not uncommon for an IP to get whitelisted
before it shows up on a spam blacklist.  With this change, spamd
will check its blacklists before adding a WHITE entry to the
&lt;spamd-white&gt; pf table.  If the IP matches a blacklist, the WHITE
entry will be removed.  OK phessler@
</content>
</entry>
<entry>
<title>Use a binary search to speed up blacklist lookups.  OK phessler@</title>
<updated>2017-10-17T13:52:10Z</updated>
<author>
<name>millert</name>
<email>millert@openbsd.org</email>
</author>
<published>2017-10-17T13:52:10Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/commit/?id=b1aaf36b0b2ca9daa46666c58ab01a4feb53429d'/>
<id>urn:sha1:b1aaf36b0b2ca9daa46666c58ab01a4feb53429d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Check for asprintf() returning -1 instead of assuming that the</title>
<updated>2017-10-12T16:22:33Z</updated>
<author>
<name>millert</name>
<email>millert@openbsd.org</email>
</author>
<published>2017-10-12T16:22:33Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-openbsd/commit/?id=962d6bb7f5ae606b36f26827283040b304622372'/>
<id>urn:sha1:962d6bb7f5ae606b36f26827283040b304622372</id>
<content type='text'>
pointer will remain unchanged when fails.  OK deraadt@
</content>
</entry>
</feed>
