authorderaadt <deraadt@openbsd.org>2015-10-09 01:24:57 +0000
committerderaadt <deraadt@openbsd.org>2015-10-09 01:24:57 +0000
commit4c738cc8dfcda4dd9f8b01ab736a275a5eeb36f7 (patch)
tree15710f9fa802033a946ecacf92f5b02423e41939
parentRename tame() to pledge(). This fairly interface has evolved to be more (diff)
tame -> pledge conversion, in libc. I should crank libc, but am cheating
hoping things go well. The old symbol is faked via a stupid stub function, until next major crank when it can be removed. I am expecting guenther to scream at me.
-rw-r--r--lib/libc/Symbols.list6
-rw-r--r--lib/libc/sys/Makefile.inc12
-rw-r--r--lib/libc/sys/pledge.2 (renamed from lib/libc/sys/tame.2)22
-rw-r--r--lib/libc/sys/tame.c17
4 files changed, 38 insertions, 19 deletions
diff --git a/lib/libc/Symbols.list b/lib/libc/Symbols.list
index 45f2cfb78f0..87186ac0f22 100644
--- a/lib/libc/Symbols.list
+++ b/lib/libc/Symbols.list
@@ -162,8 +162,9 @@ _thread_sys_nfssvc
_thread_sys_open
_thread_sys_openat
_thread_sys_pathconf
-_thread_sys_pipe2
_thread_sys_pipe
+_thread_sys_pipe2
+_thread_sys_pledge
_thread_sys_poll
_thread_sys_ppoll
_thread_sys_pread
@@ -354,8 +355,9 @@ nfssvc
open
openat
pathconf
-pipe2
pipe
+pipe2
+pledge
poll
posix_madvise
ppoll
diff --git a/lib/libc/sys/Makefile.inc b/lib/libc/sys/Makefile.inc
index b3d83a013c3..50413efb932 100644
--- a/lib/libc/sys/Makefile.inc
+++ b/lib/libc/sys/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.130 2015/09/13 17:08:03 guenther Exp $
+# $OpenBSD: Makefile.inc,v 1.131 2015/10/09 01:24:57 deraadt Exp $
# $NetBSD: Makefile.inc,v 1.35 1995/10/16 23:49:07 jtc Exp $
# @(#)Makefile.inc 8.1 (Berkeley) 6/17/93
@@ -17,7 +17,7 @@ SRCS+= posix_madvise.c w_fork.c
# with old syscall interfaces.
SRCS+= ftruncate.c lseek.c mquery.c mmap.c ptrace.c semctl.c truncate.c \
timer_create.c timer_delete.c timer_getoverrun.c timer_gettime.c \
- timer_settime.c pread.c preadv.c pwrite.c pwritev.c
+ timer_settime.c pread.c preadv.c pwrite.c pwritev.c tame.c
# stack protector helper functions
SRCS+= stack_protector.c
@@ -45,7 +45,7 @@ ASM= __get_tcb.o __getcwd.o __semctl.o __set_tcb.o __syscall.o \
mknod.o mknodat.o mlock.o mlockall.o mount.o mprotect.o \
msgctl.o msgget.o msgrcv.o msgsnd.o msync.o munlock.o \
munlockall.o munmap.o nanosleep.o nfssvc.o \
- open.o openat.o pathconf.o pipe.o pipe2.o \
+ open.o openat.o pathconf.o pipe.o pipe2.o pledge.o \
poll.o ppoll.o profil.o pselect.o \
quotactl.o read.o readlink.o readlinkat.o readv.o reboot.o \
recvfrom.o recvmsg.o rename.o renameat.o revoke.o rmdir.o \
@@ -56,7 +56,7 @@ ASM= __get_tcb.o __getcwd.o __semctl.o __set_tcb.o __syscall.o \
settimeofday.o setuid.o shmat.o shmctl.o shmdt.o \
shmget.o shutdown.o sigaction.o sigaltstack.o socket.o \
socketpair.o stat.o statfs.o swapctl.o symlink.o symlinkat.o \
- sync.o sysarch.o sysctl.o tame.o umask.o unlink.o unlinkat.o \
+ sync.o sysarch.o sysctl.o umask.o unlink.o unlinkat.o \
unmount.o utimensat.o utimes.o utrace.o wait4.o write.o writev.o
SRCS+= ${SRCS_${MACHINE_CPU}}
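Review bot: Dropping `tame.o` from ASM in this hunk removes the generated syscall stub, and the C replacement added to SRCS earlier in this file defines only `tame`. If the generated stub also provided a `_thread_sys_tame` alias (the `_thread_sys_pledge` line added to Symbols.list suggests stubs in this list do), that symbol disappears without a major bump, and any Symbols.list entry for it is left without an object behind it. It is worth confirming that nothing still references `_thread_sys_tame`, and either removing its list entry in this commit or noting in the Makefile why it is left alone. The ASM list starts and ends outside this hunk, so the remaining entries were not checked.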
@@ -142,7 +142,7 @@ MAN+= __get_tcb.2 __thrsigdivert.2 __thrsleep.2 _exit.2 accept.2 \
mincore.2 minherit.2 mkdir.2 mkfifo.2 mknod.2 mlock.2 \
mlockall.2 mmap.2 mount.2 mprotect.2 mquery.2 msgctl.2 \
msgget.2 msgrcv.2 msgsnd.2 msync.2 munmap.2 nanosleep.2 \
- nfssvc.2 open.2 pathconf.2 pipe.2 poll.2 profil.2 \
+ nfssvc.2 open.2 pathconf.2 pipe.2 pledge.2 poll.2 profil.2 \
ptrace.2 quotactl.2 read.2 readlink.2 reboot.2 recv.2 \
rename.2 revoke.2 rmdir.2 sched_yield.2 select.2 semctl.2 semget.2 \
semop.2 send.2 setgroups.2 setpgid.2 setregid.2 \
@@ -150,7 +150,7 @@ MAN+= __get_tcb.2 __thrsigdivert.2 __thrsleep.2 _exit.2 accept.2 \
shmctl.2 shmget.2 shutdown.2 sigaction.2 sigaltstack.2 sigpending.2 \
sigprocmask.2 sigreturn.2 sigsuspend.2 socket.2 \
socketpair.2 stat.2 statfs.2 swapctl.2 symlink.2 \
- sync.2 sysarch.2 syscall.2 tame.2 truncate.2 umask.2 unlink.2 \
+ sync.2 sysarch.2 syscall.2 truncate.2 umask.2 unlink.2 \
utimes.2 utrace.2 vfork.2 wait.2 write.2
MLINKS+=__get_tcb.2 __set_tcb.2
diff --git a/lib/libc/sys/tame.2 b/lib/libc/sys/pledge.2
index 5357435c6c8..578f3e4a515 100644
--- a/lib/libc/sys/tame.2
+++ b/lib/libc/sys/pledge.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tame.2,v 1.31 2015/10/04 20:47:16 djm Exp $
+.\" $OpenBSD: pledge.2,v 1.1 2015/10/09 01:24:57 deraadt Exp $
.\"
.\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
.\"
@@ -14,16 +14,16 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: October 4 2015 $
-.Dt TAME 2
+.Dd $Mdocdate: October 9 2015 $
+.Dt PLEDGE 2
.Os
.Sh NAME
-.Nm tame
+.Nm pledge
.Nd restrict system operations
.Sh SYNOPSIS
.In unistd.h
.Ft int
-.Fn tame "const char *request" "const char *paths[]"
+.Fn pledge "const char *request" "const char *paths[]"
.Sh DESCRIPTION
The current process is forced into a restricted-service operating mode.
A few subsets are available, roughly described as computation, memory
@@ -36,11 +36,11 @@ or
.Ar paths .
.Pp
Use of
-.Fn tame
+.Fn pledge
in an application will require at least some study and understanding
of the interfaces called.
Subsequent calls to
-.Fn tame
+.Fn pledge
can reduce the abilities further, but abilities can never be regained.
.Pp
A process which attempts a restricted operation is killed with
@@ -149,7 +149,7 @@ support:
.Xr uname 3 ,
system sensor readings.
.Pp
-.It Xr tame 2
+.It Xr pledge 2
Can only reduce permissions; can only set a list of
.Pa paths
once.
@@ -419,7 +419,7 @@ All other paths will return
.Sh RETURN VALUES
.Rv -std
.Sh ERRORS
-.Fn tame
+.Fn pledge
will fail if:
.Bl -tag -width Er
.It Bq Er EFAULT
@@ -445,12 +445,12 @@ The limit in the system as released is 262144 bytes
.El
.Sh HISTORY
The
-.Fn tame
+.Fn pledge
system call appeared in
.Ox 5.8 .
.Sh CAVEATS
It is not possible to
.Xr systrace 4
a
-.Fn tame
+.Fn pledge
program.
diff --git a/lib/libc/sys/tame.c b/lib/libc/sys/tame.c
new file mode 100644
index 00000000000..4774a17afeb
--- /dev/null
+++ b/lib/libc/sys/tame.c
@@ -0,0 +1,17 @@
+/* $OpenBSD: tame.c,v 1.1 2015/10/09 01:24:57 deraadt Exp $ */
+/*
+ * Written by Artur Grabowski <art@openbsd.org> Public Domain
+ */
+
+#include <sys/types.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+int tame(const char *req, const char **paths);
+
+int
+tame(const char *req, const char **paths)
+{
+ return (pledge(req, paths));
+}
+DEF_WEAK(mquery);
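Review bot: The trailing `DEF_WEAK(mquery);` names a symbol this file never defines and looks like a leftover from the file the stub was copied from; it should be dropped so that the only symbol this translation unit touches is `tame`. The `#include <sys/syscall.h>` appears unused for the same reason, since the body only calls `pledge()`. The removal plan is recorded only in the commit message, so I would add a comment above the function such as `/* compat stub: forwards the old tame() symbol to pledge(); remove at the next libc major crank */`. The "Written by" credit in the header also appears to be carried over from the template and may be worth checking.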