authorderaadt <deraadt@openbsd.org>2015-09-09 17:56:59 +0000
committerderaadt <deraadt@openbsd.org>2015-09-09 17:56:59 +0000
commit2868cab32aa96c6500906c692edc867e0c380e5c (patch)
tree387a29028b463b993e1129c8486996dfadf26a85
parentsync (diff)
Move to next tame() API. The flags are now passed as a very simple string,
which results in tame() code placements being much more recognizable. tame() can be moved to unistd.h and does not need cpp symbols to turn the bits on and off. The resulting API is a bit unexpected, but simplifies the mapping to enabling bits in the kernel substantially. vague ok's from various including guenther doug semarie
-rw-r--r--include/unistd.h3
-rw-r--r--lib/libc/sys/tame.269
-rw-r--r--sys/kern/kern_tame.c66
-rw-r--r--sys/kern/syscalls.master4
-rw-r--r--sys/sys/tame.h16
5 files changed, 108 insertions, 50 deletions
diff --git a/include/unistd.h b/include/unistd.h
index 22a167ee66a..cf6653ce9a1 100644
--- a/include/unistd.h
+++ b/include/unistd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: unistd.h,v 1.98 2015/08/26 01:54:08 guenther Exp $ */
+/* $OpenBSD: unistd.h,v 1.99 2015/09/09 17:56:59 deraadt Exp $ */
/* $NetBSD: unistd.h,v 1.26.4.1 1996/05/28 02:31:51 mrg Exp $ */
/*-
@@ -539,6 +539,7 @@ int strtofflags(char **, u_int32_t *, u_int32_t *);
int swapctl(int cmd, const void *arg, int misc);
int syscall(int, ...);
int getentropy(void *, size_t);
+int tame(const char *, const char **paths);
pid_t __tfork_thread(const struct __tfork *, size_t, void (*)(void *),
void *);
#endif /* __BSD_VISIBLE */
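Review bot: The new prototype names only its second parameter (`paths`) while the neighbouring declarations for swapctl, syscall and getentropy leave their parameters unnamed, which reads as an oversight. Either drop the name or name both, e.g. `int tame(const char *request, const char **paths);`, which also matches the argument names the same commit puts in the tame.2 SYNOPSIS.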
diff --git a/lib/libc/sys/tame.2 b/lib/libc/sys/tame.2
index 09cacd3bc67..b5a82b75d7a 100644
--- a/lib/libc/sys/tame.2
+++ b/lib/libc/sys/tame.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tame.2,v 1.24 2015/09/07 05:23:30 tim Exp $
+.\" $OpenBSD: tame.2,v 1.25 2015/09/09 17:56:59 deraadt Exp $
.\"
.\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
.\"
@@ -14,16 +14,16 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: September 7 2015 $
+.Dd $Mdocdate: September 9 2015 $
.Dt TAME 2
.Os
.Sh NAME
.Nm tame
.Nd restrict system operations
.Sh SYNOPSIS
-.In sys/tame.h
+.In unistd.h
.Ft int
-.Fn tame "int flags" "const char *paths[]"
+.Fn tame "const char *request" "const char *paths[]"
.Sh DESCRIPTION
The current process is forced into a restricted-service operating mode.
A few subsets are available, roughly described as computation, memory
@@ -46,7 +46,7 @@ can reduce the abilities further, but abilities can never be regained.
A process which attempts a restricted operation is killed with
.Dv SIGKILL .
If
-.Dv TAME_ABORT
+.Va "abort"
is set, then a non-blockable
.Dv SIGABRT
is delivered instead, possibly resulting in a
@@ -62,9 +62,9 @@ This can be used for pure computation operating on memory shared
with another process.
.Pp
All
-.Dv TAME_*
-options below (with the exception of
-.Dv TAME_ABORT )
+.Dv requests
+below (with the exception of
+.Va "abort" )
permit the following system calls:
.Bd -ragged -offset indent
.Xr clock_getres 2 ,
@@ -102,7 +102,7 @@ permit the following system calls:
.Pp
Some system calls, when allowed, have restrictions applied to them:
.Pp
-.Bl -tag -width TAME_TMPPATH -offset indent -compact
+.Bl -tag -width "tmppath" -offset indent -compact
.It Xr access 2
May check for existence of
.Pa /etc/localtime .
@@ -116,8 +116,8 @@ Read-only, for
.It Xr lchown 2
.It Xr fchown 2
.It Xr fchownat 2
-Setuid/setgid bits do not work, nor can the user or group be changed
-on a file.
+Setuid/setgid/sticky bits are ignored.
+The user or group cannot be changed on a file.
.It Xr open 2
May open
.Pa /etc/localtime ,
@@ -145,10 +145,10 @@ once.
.El
.Pp
The
-.Ar flags
-are specified as a bitwise OR of the following values:
-.Bl -tag -width TAME_TMPPATH -offset indent
-.It Dv TAME_MALLOC
+.Ar request
+is specified as a string, with space seperate keywords:
+.Bl -tag -width "tmppath" -offset indent
+.It Va "malloc"
To allow use of the
.Xr malloc 3
family of functions, the following system calls are permitted:
@@ -160,7 +160,7 @@ family of functions, the following system calls are permitted:
.Xr mprotect 2 ,
.Xr mquery 2 ,
.Xr munmap 2 .
-.It Dv TAME_RW
+.It Va "rw"
The following system calls are permitted to allow most types of IO
operations on previously allocated file descriptors, including
libevent or handwritten async IO loops:
@@ -196,14 +196,14 @@ libevent or handwritten async IO loops:
.Xr recvmsg 2 ,
.Xr recvfrom 2 ,
.Xr fstat 2 .
-.It Dv TAME_STDIO
+.It Va "stdio"
This subset is simply the combination of
-.Dv TAME_MALLOC
+.Va "malloc"
and
-.Dv TAME_RW .
+.Va "rw" .
As a result, all the expected functionalities of libc
stdio work.
-.It Dv TAME_RPATH
+.It Va "rpath"
A number of system calls are allowed if they only cause
read-only effects on the filesystem:
.Pp
@@ -224,7 +224,7 @@ read-only effects on the filesystem:
.Xr fchownat 2 ,
.Xr fstat 2 ,
.Xr getfsstat 2 .
-.It Dv TAME_WPATH
+.It Va "wpath"
A number of system calls are allowed and may cause
write-effects on the filesystem:
.Pp
@@ -243,7 +243,7 @@ write-effects on the filesystem:
.Xr fchown 2 ,
.Xr fchownat 2 ,
.Xr fstat 2 .
-.It Dv TAME_CPATH
+.It Va "cpath"
A number of system calls and sub-modes are allowed, which may
create new files or directories in the filesystem:
.Pp
@@ -257,7 +257,7 @@ create new files or directories in the filesystem:
.Xr unlinkat 2 ,
.Xr mkdir 2 ,
.Xr mkdirat 2 .
-.It Dv TAME_TMPPATH
+.It Va "tmppath"
A number of system calls are allowed to do operations in the
.Pa /tmp
directory, including create, read, or write:
@@ -268,7 +268,7 @@ directory, including create, read, or write:
.Xr chown 2 ,
.Xr unlink 2 ,
.Xr fstat 2 .
-.It Dv TAME_INET
+.It Va "inet"
The following system calls are allowed to operate in the
.Dv AF_INET
and
@@ -288,7 +288,7 @@ domains:
.Pp
.Xr setsockopt 2
has been reduced in functionality substantially.
-.It Dv TAME_FATTR
+.It Va "fattr"
The following system calls are allowed to make explicit changes
to fields in
.Va struct stat
@@ -306,8 +306,9 @@ relating to a file:
.Xr chown 2 ,
.Xr fchownat 2 ,
.Xr lchown 2 ,
-.Xr fchown 2 .
-.It Dv TAME_UNIX
+.Xr fchown 2 ,
+.Xr utimes 2 .
+.It Va "unix"
The following system calls are allowed to operate in the
.Dv AF_UNIX
domain:
@@ -322,7 +323,7 @@ domain:
.Xr getsockname 2 ,
.Xr setsockopt 2 ,
.Xr getsockopt 2 .
-.It Dv TAME_DNS
+.It Va "dns"
Subsequent to a successful
.Xr open 2
of
@@ -333,7 +334,7 @@ a few system calls become able to allow DNS network transactions:
.Xr recvfrom 2 ,
.Xr socket 2 ,
.Xr connect 2 .
-.It Dv TAME_GETPW
+.It Va "getpw"
This allows read-only opening of files in
.Pa /etc
for the
@@ -350,15 +351,15 @@ environment, so a successful
of
.Pa /var/run/ypbind.lock
enables the
-.Dv TAME_INET
+.Va "inet"
flag.
-.It Dv TAME_CMSG
+.It Va "cmsg"
Allows passing of file descriptors using the
.Xr sendmsg 2
and
.Xr recvmsg 2
functions.
-.It Dv TAME_IOCTL
+.It Va "ioctl"
Allows a subset of
.Xr ioctl 2
operations:
@@ -372,7 +373,7 @@ operations:
.Dv TIOCGPGRP ,
.Dv TIOCGWINSZ ,
.Dv TIOCSTI .
-.It Dv TAME_PROC
+.It Va "proc"
Allows the following process relationship operations:
.Pp
.Xr fork 2 ,
@@ -381,7 +382,7 @@ Allows the following process relationship operations:
.Xr setgroups 2 ,
.Xr setresgid 2 ,
.Xr setresuid 2 ,
-.It Dv TAME_ABORT
+.It Va "abort"
Deliver an unblockable
.Dv SIGABRT
upon violation instead of
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index 42fb740e761..aec9c108325 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_tame.c,v 1.37 2015/09/01 18:26:19 deraadt Exp $ */
+/* $OpenBSD: kern_tame.c,v 1.38 2015/09/09 17:56:59 deraadt Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -205,14 +205,74 @@ const u_int tame_syscalls[SYS_MAXSYSCALL] = {
[SYS_flock] = _TM_GETPW,
};
+static const struct {
+ char *name;
+ int flags;
+} tamereq[] = {
+ { "malloc", _TM_SELF | _TM_MALLOC },
+ { "rw", _TM_SELF | _TM_RW },
+ { "stdio", _TM_SELF | _TM_MALLOC | _TM_RW },
+ { "rpath", _TM_SELF | _TM_RW | _TM_RPATH },
+ { "wpath", _TM_SELF | _TM_RW | _TM_WPATH },
+ { "tmppath", _TM_SELF | _TM_RW | _TM_TMPPATH },
+ { "inet", _TM_SELF | _TM_RW | _TM_INET },
+ { "unix", _TM_SELF | _TM_RW | _TM_UNIX },
+ { "cmsg", TAME_UNIX | _TM_CMSG },
+ { "dns", TAME_MALLOC | _TM_DNSPATH },
+ { "ioctl", _TM_IOCTL },
+ { "getpw", TAME_STDIO | _TM_GETPW },
+ { "proc", _TM_PROC },
+ { "cpath", _TM_CPATH },
+ { "abort", _TM_ABORT },
+ { "fattr", _TM_FATTR }
+};
+
int
sys_tame(struct proc *p, void *v, register_t *retval)
{
struct sys_tame_args /* {
- syscallarg(int) flags;
+ syscallarg(const char *)request;
syscallarg(const char **)paths;
} */ *uap = v;
- int flags = SCARG(uap, flags);
+ int flags = 0;
+ int error;
+
+ if (SCARG(uap, request)) {
+ size_t rbuflen;
+ char *rbuf, *rp, *pn;
+ int f, i;
+
+ rbuf = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
+ error = copyinstr(SCARG(uap, request), rbuf, MAXPATHLEN,
+ &rbuflen);
+ if (error) {
+ free(rbuf, M_TEMP, MAXPATHLEN);
+ return (error);
+ }
+
+ for (rp = rbuf; rp && *rp && error == 0; rp = pn) {
+ pn = strchr(rp, ' '); /* find terminator */
+ if (pn) {
+ while (*pn == ' ')
+ *pn++ = '\0';
+ }
+
+ for (f = i = 0; i < nitems(tamereq); i++) {
+ if (strcmp(rp, tamereq[i].name) == 0) {
+ f = tamereq[i].flags;
+ break;
+ }
+ }
+ if (f == 0) {
+ printf("%s(%d): unknown req %s\n",
+ p->p_comm, p->p_pid, rp);
+ free(rbuf, M_TEMP, MAXPATHLEN);
+ return (EINVAL);
+ }
+ flags |= f;
+ }
+ free(rbuf, M_TEMP, MAXPATHLEN);
+ }
if (flags & ~_TM_USERSET)
return (EINVAL);
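Review bot: The rejection path `printf("%s(%d): unknown req %s\n", p->p_comm, p->p_pid, rp);` writes a user-supplied token into the kernel log verbatim; copyinstr guarantees NUL termination and the loop splits only on spaces, so the token can be up to MAXPATHLEN-1 bytes of any other content, including control characters, and I would cap it (a `%.Ns` precision, if the kernel printf honours one) or log only that the request was rejected. `char *name;` in the `static const` tamereq table should be `const char *name;`, since every entry is initialised from a string literal and nothing may write through it. The `error == 0` term in the outer `for` condition can never be false, because the only assignment to error is checked and returned before the loop, and `i` would be better declared `size_t` so the comparison with `nitems(tamereq)` is not signed/unsigned. The table also mixes spelled-out `_TM_*` combinations with `TAME_UNIX`, `TAME_MALLOC` and `TAME_STDIO`; using the `TAME_*` macros from tame.h for every entry (e.g. `{ "malloc", TAME_MALLOC }`) would keep a single definition of each request's bits. sys_tame continues past the end of the hunk, so the handling of an all-zero flags value is not visible here.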
diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master
index 5c778538d76..9c29f9f0d59 100644
--- a/sys/kern/syscalls.master
+++ b/sys/kern/syscalls.master
@@ -1,4 +1,4 @@
-; $OpenBSD: syscalls.master,v 1.157 2015/08/26 05:20:06 doug Exp $
+; $OpenBSD: syscalls.master,v 1.158 2015/09/09 17:56:59 deraadt Exp $
; $NetBSD: syscalls.master,v 1.32 1996/04/23 10:24:21 mycroft Exp $
; @(#)syscalls.master 8.2 (Berkeley) 1/13/94
@@ -225,7 +225,7 @@
106 STD { int sys_listen(int s, int backlog); }
107 STD { int sys_chflagsat(int fd, const char *path, \
u_int flags, int atflags); }
-108 STD { int sys_tame(int flags, const char **paths); }
+108 STD { int sys_tame(const char *request, const char **paths); }
109 STD { int sys_ppoll(struct pollfd *fds, \
u_int nfds, const struct timespec *ts, \
const sigset_t *mask); }
diff --git a/sys/sys/tame.h b/sys/sys/tame.h
index 52866ce1d8c..83fccf2e49f 100644
--- a/sys/sys/tame.h
+++ b/sys/sys/tame.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tame.h,v 1.5 2015/08/26 05:20:06 doug Exp $ */
+/* $OpenBSD: tame.h,v 1.6 2015/09/09 17:56:59 deraadt Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -20,6 +20,8 @@
#ifndef _SYS_TAME_H_
#define _SYS_TAME_H_
+#ifdef _KERNEL
+
#include <sys/cdefs.h>
#define _TM_SELF 0x00000001 /* operate on own pid */
@@ -54,17 +56,15 @@
#define TAME_TMPPATH (_TM_SELF | _TM_RW | _TM_TMPPATH)
#define TAME_INET (_TM_SELF | _TM_RW | _TM_INET)
#define TAME_UNIX (_TM_SELF | _TM_RW | _TM_UNIX)
-#define TAME_CMSG (TAME_UNIX | _TM_CMSG)
-#define TAME_DNS (TAME_MALLOC | _TM_DNSPATH)
+#define TAME_CMSG (_TM_SELF | _TM_RW | _TM_UNIX | _TM_CMSG)
+#define TAME_DNS (_TM_SELF | _TM_MALLOC | _TM_DNSPATH)
#define TAME_IOCTL (_TM_IOCTL)
-#define TAME_GETPW (TAME_STDIO | _TM_GETPW)
+#define TAME_GETPW (_TM_SELF | _TM_MALLOC | _TM_RW | _TM_GETPW)
#define TAME_PROC (_TM_PROC)
#define TAME_CPATH (_TM_CPATH)
#define TAME_ABORT (_TM_ABORT)
#define TAME_FATTR (_TM_FATTR)
-#ifdef _KERNEL
-
int tame_check(struct proc *, int);
int tame_fail(struct proc *, int, int);
int tame_namei(struct proc *, char *);
@@ -95,10 +95,6 @@ struct whitepaths {
} wl_paths[0];
};
-#else /* _KERNEL */
-
-int tame(int, const char **);
-
#endif /* _KERNEL */
#endif /* _SYS_TAME_H_ */