author | 2015-07-20 18:04:05 +0000 | |
---|---|---|
committer | 2015-07-20 18:04:05 +0000 | |
commit | 8bb88288e3c7eb8c2a2208dfdc0a8e9328aacd53 (patch) | |
tree | 88308800e9f2dc8ea2fa21828cef8b0a5ed60abf | |
parent | Test what happens when syslogd reaches its file descriptor limit (diff) | |
In _TM_SELF, permit uname(3); OK deraadt@.
-rw-r--r-- | lib/libc/sys/tame.2 | 5 | ||||
-rw-r--r-- | sys/kern/kern_tame.c | 21 |
2 files changed, 21 insertions, 5 deletions
diff --git a/lib/libc/sys/tame.2 b/lib/libc/sys/tame.2
index 90ce900bcc7..4c84f75f526 100644
--- a/lib/libc/sys/tame.2
+++ b/lib/libc/sys/tame.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tame.2,v 1.10 2015/07/20 15:26:28 nicm Exp $
+.\" $OpenBSD: tame.2,v 1.11 2015/07/20 18:04:05 schwarze Exp $
 .\"
 .\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
 .\"
@@ -121,9 +121,10 @@ May operate on
 .It Xr sysctl 3
 A small set of read-only operations are allowed, sufficient to support:
-.Xr getifaddrs 3 ,
 .Xr getdomainname 3 ,
 .Xr gethostname 3 ,
+.Xr getifaddrs 3 ,
+.Xr uname 3 ,
 system sensor readings.
 .It Xr tame 2
 Can only reduce permissions.
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index b366d84a8ac..3ef4b117af7 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_tame.c,v 1.8 2015/07/20 17:01:26 nicm Exp $ */
+/* $OpenBSD: kern_tame.c,v 1.9 2015/07/20 18:04:05 schwarze Exp $ */

 /*
 * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -569,12 +569,27 @@ tame_sysctl_check(struct proc *p, int namelen, int *name, void *new)
 name[0] == CTL_HW && name[1] == HW_SENSORS)
 return (0);

- /* gethostname(), getdomainname(), getpagesize() */
+ /* getdomainname(), gethostname(), getpagesize(), uname() */
+ if (namelen == 2 &&
+ name[0] == CTL_KERN && name[1] == KERN_DOMAINNAME)
+ return (0);
 if (namelen == 2 &&
 name[0] == CTL_KERN && name[1] == KERN_HOSTNAME)
 return (0);
 if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_DOMAINNAME)
+ name[0] == CTL_KERN && name[1] == KERN_OSTYPE)
+ return (0);
+ if (namelen == 2 &&
+ name[0] == CTL_KERN && name[1] == KERN_OSRELEASE)
+ return (0);
+ if (namelen == 2 &&
+ name[0] == CTL_KERN && name[1] == KERN_OSVERSION)
+ return (0);
+ if (namelen == 2 &&
+ name[0] == CTL_KERN && name[1] == KERN_VERSION)
+ return (0);
+ if (namelen == 2 &&
+ name[0] == CTL_HW && name[1] == HW_MACHINE)
 return (0);
 if (namelen == 2 &&
 name[0] == CTL_HW && name[1] == HW_PAGESIZE) |
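Review bot: The allowlist in the second kern_tame.c hunk no longer shows which rule serves which libc call: the single summary comment `/* getdomainname(), gethostname(), getpagesize(), uname() */` now covers eight `namelen == 2` rules, five of them new. Since every entry widens what a tamed process can read, I would tag each rule with its consumer, for example `if (namelen == 2 && /* uname() */`, so an entry can be audited and dropped once its caller no longer needs it. Please also confirm that uname(3) really reads both `KERN_OSVERSION` and `KERN_VERSION`; if it uses only one of them, the other should not be allowed here. tame_sysctl_check() starts and ends outside the hunk, so whether a non-NULL `new` is rejected before these rules are reached (the man page promises read-only access) cannot be checked from the visible lines.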