author | 2017-01-23 04:25:05 +0000 | |
---|---|---|
committer | 2017-01-23 04:25:05 +0000 | |
commit | b90d0acdeb38df181fb359762561863e3131b7a4 (patch) | |
tree | 0a1c9f00b6812acc167d4ac0908bee3a0d1845ed | |
parent | add the mfii opcode for passthru commands (diff) | |
Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only
upon "inet". Adjust the 4 programs that care about this.
-rw-r--r-- | bin/pax/ar_io.c | 4 | ||||
-rw-r--r-- | bin/pax/pax.c | 6 | ||||
-rw-r--r-- | lib/libc/sys/pledge.2 | 52 | ||||
-rw-r--r-- | sbin/pflogd/privsep.c | 4 | ||||
-rw-r--r-- | sys/kern/kern_pledge.c | 39 | ||||
-rw-r--r-- | sys/sys/pledge.h | 8 | ||||
-rw-r--r-- | usr.sbin/httpd/httpd.c | 5 | ||||
-rw-r--r-- | usr.sbin/tcpdump/privsep.c | 4 |
8 files changed, 63 insertions, 59 deletions
diff --git a/bin/pax/ar_io.c b/bin/pax/ar_io.c
index adc6dca02d7..a4340d912e5 100644
--- a/bin/pax/ar_io.c
+++ b/bin/pax/ar_io.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ar_io.c,v 1.59 2016/08/26 04:31:35 guenther Exp $ */
+/* $OpenBSD: ar_io.c,v 1.60 2017/01/23 04:25:05 deraadt Exp $ */
 /* $NetBSD: ar_io.c,v 1.5 1996/03/26 23:54:13 mrg Exp $ */
 /*-
@@ -1261,7 +1261,7 @@ ar_start_gzip(int fd, const char *path, int wr)
 close(fds[1]);
 if (pmode == 0 || (act != EXTRACT && act != COPY)) {
- if (pledge("stdio rpath wpath cpath fattr dpath getpw ioctl proc",
+ if (pledge("stdio rpath wpath cpath fattr dpath getpw proc tape",
 NULL) == -1)
 err(1, "pledge");
 }
diff --git a/bin/pax/pax.c b/bin/pax/pax.c
index 6745f560fce..a5b86db6eb0 100644
--- a/bin/pax/pax.c
+++ b/bin/pax/pax.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pax.c,v 1.47 2016/08/26 04:11:16 guenther Exp $ */
+/* $OpenBSD: pax.c,v 1.48 2017/01/23 04:25:05 deraadt Exp $ */
 /* $NetBSD: pax.c,v 1.5 1996/03/26 23:54:20 mrg Exp $ */
 /*-
@@ -261,13 +261,13 @@ main(int argc, char **argv)
 * so can't pledge at all then.
 */
 if (pmode == 0 || (act != EXTRACT && act != COPY)) {
- if (pledge("stdio rpath wpath cpath fattr dpath getpw ioctl proc exec",
+ if (pledge("stdio rpath wpath cpath fattr dpath getpw proc exec tape",
 NULL) == -1)
 err(1, "pledge");
 /* Copy mode, or no gzip -- don't need to fork/exec. */
 if (gzip_program == NULL || act == COPY) {
- if (pledge("stdio rpath wpath cpath fattr dpath getpw ioctl",
+ if (pledge("stdio rpath wpath cpath fattr dpath getpw tape",
 NULL) == -1)
 err(1, "pledge");
 }
diff --git a/lib/libc/sys/pledge.2 b/lib/libc/sys/pledge.2
index a8fdb8e5c46..bd93d45aadd 100644
--- a/lib/libc/sys/pledge.2
+++ b/lib/libc/sys/pledge.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pledge.2,v 1.37 2016/10/27 10:48:25 schwarze Exp $
+.\" $OpenBSD: pledge.2,v 1.38 2017/01/23 04:25:05 deraadt Exp $
 .\"
 .\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 27 2016 $
+.Dd $Mdocdate: January 23 2017 $
 .Dt PLEDGE 2
 .Os
 .Sh NAME
@@ -76,11 +76,25 @@ Read-only, for
 .Pp
 .It Xr ioctl 2
 Only the
-.Dv FIONREAD
+.Dv FIONREAD ,
+.Dv FIONBIO ,
+.Dv FIOCLEX ,
 and
-.Dv FIONBIO
+.Dv FIONCLEX
 operations are allowed by default.
-Use of the "tty" and "ioctl" promises receive more ioctl requests.
+Various ioctl requests are allowed against specific file descriptors
+based upon the requests
+.Va "audio" ,
+.Va "bpf" ,
+.Va "disklabel" ,
+.Va "drm" ,
+.Va "inet" ,
+.Va "pf" ,
+.Va "route" ,
+.Va "tape" ,
+.Va "tty" ,
+and
+.Va "vmm".
 .Pp
 .It Xr chmod 2
 .It Xr fchmod 2
@@ -386,26 +400,12 @@ File descriptors referring to directories may not be passed.
 Allows receiving of file descriptors using
 .Xr recvmsg 2 .
 File descriptors referring to directories may not be passed.
-.It Va "ioctl"
-Allows a subset of
-.Xr ioctl 2
-operations:
-.Pp
-.Dv FIOCLEX ,
-.Dv FIONCLEX ,
-.Dv FIOASYNC ,
-.Dv FIOGETOWN ,
-and
-.Dv FIOSETOWN .
-On a tty device
-.Dv TIOCGETA will succeed otherwise fail with
-.Er EPERM .
-On a tty device,
-.Dv TIOCGPGRP
+.It Va "tape"
+Allow
+.Dv MTIOCGET
 and
-.Dv TIOCGWINSZ
-are allowed.
-A few other operations are allowed, but not listed here.
+.Dv MTIOCTOP
+operations against tape drives.
 .It Va "tty"
 In addition to allowing read-write operations on
 .Pa /dev/tty ,
@@ -528,6 +528,10 @@ devices:
 .Dv AUDIO_SETPAR ,
 .Dv AUDIO_START ,
 .Dv AUDIO_STOP .
+.It Va "bpf"
+Allow
+.Dv BIOCGSTATS
+operation for statistics collection from a bpf device.
 .Pp
 See
 .Xr sio_open 3
diff --git a/sbin/pflogd/privsep.c b/sbin/pflogd/privsep.c
index 2d217a867e9..9bef398a5e9 100644
--- a/sbin/pflogd/privsep.c
+++ b/sbin/pflogd/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.23 2017/01/23 03:47:37 benno Exp $ */
+/* $OpenBSD: privsep.c,v 1.24 2017/01/23 04:25:05 deraadt Exp $ */
 /*
 * Copyright (c) 2003 Can Erkin Acar
@@ -121,7 +121,7 @@ priv_init(void)
 #if notyet
 /* This needs to do bpf ioctl */
- if (pledge("stdio rpath wpath cpath ioctl sendfd proc", NULL) == -1)
+ if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == -1)
 err(1, "pledge");
 #endif
 while (!gotsig_chld) {
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index c0e1fdc658b..e227a1d846d 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.190 2017/01/23 03:17:55 deraadt Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.191 2017/01/23 04:25:05 deraadt Exp $ */
 /*
 * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -235,8 +235,7 @@ const uint64_t pledge_syscalls[SYS_MAXSYSCALL] = {
 /*
 * FIONREAD/FIONBIO for "stdio"
- * A few non-tty ioctl available using "ioctl"
- * tty-centric ioctl available using "tty"
+ * Other ioctl are selectively allowed based upon other pledges.
 */
 [SYS_ioctl] = PLEDGE_STDIO,
@@ -360,6 +359,7 @@ static const struct {
 uint64_t flags;
 } pledgereq[] = {
 { "audio", PLEDGE_AUDIO },
+ { "bpf", PLEDGE_BPF },
 { "chown", PLEDGE_CHOWN | PLEDGE_CHOWNUID },
 { "cpath", PLEDGE_CPATH },
 { "disklabel", PLEDGE_DISKLABEL },
@@ -372,7 +372,6 @@ static const struct {
 { "getpw", PLEDGE_GETPW },
 { "id", PLEDGE_ID },
 { "inet", PLEDGE_INET },
- { "ioctl", PLEDGE_IOCTL },
 { "mcast", PLEDGE_MCAST },
 { "pf", PLEDGE_PF },
 { "proc", PLEDGE_PROC },
@@ -384,6 +383,7 @@ static const struct {
 { "sendfd", PLEDGE_SENDFD },
 { "settime", PLEDGE_SETTIME },
 { "stdio", PLEDGE_STDIO },
+ { "tape", PLEDGE_TAPE },
 { "tmppath", PLEDGE_TMPPATH },
 { "tty", PLEDGE_TTY },
 { "unix", PLEDGE_UNIX },
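Review bot: The `#if notyet` around the pledge call in pflogd's priv_init is kept together with the comment `/* This needs to do bpf ioctl */`, yet the new "bpf" promise on the same line is exactly what that comment was waiting for, so a reader can no longer tell why the call stays compiled out. If the privileged parent needs bpf requests beyond BIOCGSTATS, the only one the new promise grants according to the pledge.2 change in this commit, the comment should say so, e.g. `/* notyet: "bpf" only grants BIOCGSTATS; the parent's other bpf ioctls have no promise yet */`; if it does not, the `#if notyet` can be dropped. priv_init begins and ends outside this hunk, so which ioctls it actually issues cannot be confirmed from here.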
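Review bot: The rewritten comment above `[SYS_ioctl] = PLEDGE_STDIO,` in kern_pledge.c still reads `* FIONREAD/FIONBIO for "stdio"`, while the pledge.2 change in this same commit documents FIONREAD, FIONBIO, FIOCLEX and FIONCLEX as allowed by default, so one of the two is incomplete. If the kernel accepts all four without any further promise, `* FIONREAD/FIONBIO/FIOCLEX/FIONCLEX for "stdio"` keeps the table comment in step with the manual; if it does not, the manual is the one to correct. The pledge_ioctl code that decides this lies outside the hunk, so I cannot tell which side is right from here.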
@@ -1127,23 +1127,27 @@ pledge_ioctl(struct proc *p, long com, struct file *fp)
 return (ENOTTY);
 }
- /*
- * Further sets of ioctl become available, but are checked a
- * bit more carefully against the vnode.
- */
- if ((p->p_p->ps_pledge & PLEDGE_IOCTL)) {
+ if ((p->p_p->ps_pledge & PLEDGE_INET)) {
 switch (com) {
- case TIOCGETA:
- case TIOCGPGRP:
- case TIOCGWINSZ: /* ENOTTY return for non-tty */
- if (fp->f_type == DTYPE_VNODE && (vp->v_flag & VISTTY))
+ case SIOCGIFGROUP:
+ if (fp->f_type == DTYPE_SOCKET)
 return (0);
- return (ENOTTY);
+ break;
+ }
+ }
+
+ if ((p->p_p->ps_pledge & PLEDGE_BPF)) {
+ switch (com) {
 case BIOCGSTATS: /* bpf: tcpdump privsep on ^C */
 if (fp->f_type == DTYPE_VNODE &&
 fp->f_ops->fo_ioctl == vn_ioctl)
 return (0);
 break;
+ }
+ }
+
+ if ((p->p_p->ps_pledge & PLEDGE_TAPE)) {
+ switch (com) {
 case MTIOCGET:
 case MTIOCTOP:
 /* for pax(1) and such, checking tapes... */
@@ -1151,11 +1155,6 @@ pledge_ioctl(struct proc *p, long com, struct file *fp)
 (vp->v_type == VCHR || vp->v_type == VBLK))
 return (0);
 break;
- case SIOCGIFGROUP:
- if ((p->p_p->ps_pledge & PLEDGE_INET) &&
- fp->f_type == DTYPE_SOCKET)
- return (0);
- break;
 }
 }
@@ -1314,7 +1313,7 @@ pledge_ioctl(struct proc *p, long com, struct file *fp)
 #endif
 }
- return pledge_fail(p, error, PLEDGE_IOCTL);
+ return pledge_fail(p, error, PLEDGE_TTY);
 }
 int
diff --git a/sys/sys/pledge.h b/sys/sys/pledge.h
index 586da853ceb..ca815f316e1 100644
--- a/sys/sys/pledge.h
+++ b/sys/sys/pledge.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pledge.h,v 1.29 2016/07/03 04:36:08 semarie Exp $ */
+/* $OpenBSD: pledge.h,v 1.30 2017/01/23 04:25:05 deraadt Exp $ */
 /*
 * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
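Review bot: `return pledge_fail(p, error, PLEDGE_TTY);` in the @@ -1314 hunk now attributes every unmatched ioctl to a missing "tty" promise, including a SIOCGIFGROUP, BIOCGSTATS or MTIOCGET/MTIOCTOP request that the new inet, bpf and tape arms declined or that a process without those promises issued, so whatever pledge_fail does with its third argument (presumably naming the violated promise, as the old PLEDGE_IOCTL value suggests) will point at the wrong promise. Classifying `com` once before the per-promise arms and handing that code to pledge_fail keeps the report accurate while leaving the arms as written. Separately, the bpf arm still admits BIOCGSTATS on any vnode-backed descriptor via `fp->f_ops->fo_ioctl == vn_ioctl` rather than on a bpf device; that check is pre-existing, but it now sits behind a promise named for that device, so a device-type test like the tape arm's is worth considering. pledge_ioctl begins before this hunk and its final return is in the later hunk of the same file.
```c
	uint64_t code = PLEDGE_TTY;	/* promise pledge_fail() reports for an unmatched request */

	/* … unchanged: early default/stdio/tty handling above … */

	switch (com) {
	case SIOCGIFGROUP:
		code = PLEDGE_INET;
		break;
	case BIOCGSTATS:
		code = PLEDGE_BPF;
		break;
	case MTIOCGET:
	case MTIOCTOP:
		code = PLEDGE_TAPE;
		break;
	}

	/* … unchanged: the PLEDGE_INET / PLEDGE_BPF / PLEDGE_TAPE arms and the rest … */

	return pledge_fail(p, error, code);
```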
@@ -36,7 +36,7 @@
 #define PLEDGE_FLOCK 0x0000000000000080ULL /* file locking */
 #define PLEDGE_UNIX 0x0000000000000100ULL /* AF_UNIX sockets */
 #define PLEDGE_ID 0x0000000000000200ULL /* allow setuid, setgid, etc */
-#define PLEDGE_IOCTL 0x0000000000000400ULL /* Select ioctl */
+#define PLEDGE_TAPE 0x0000000000000400ULL /* Tape ioctl */
 #define PLEDGE_GETPW 0x0000000000000800ULL /* YP enables if ypbind.lock */
 #define PLEDGE_PROC 0x0000000000001000ULL /* fork, waitpid, etc */
 #define PLEDGE_SETTIME 0x0000000000002000ULL /* able to set/adj time/freq */
@@ -58,6 +58,7 @@
 #define PLEDGE_VMM 0x0000000040000000ULL /* vmm ioctls */
 #define PLEDGE_CHOWN 0x0000000080000000ULL /* chown(2) family */
 #define PLEDGE_CHOWNUID 0x0000000100000000ULL /* allow owner/group changes */
+#define PLEDGE_BPF 0x0000000200000000ULL /* bpf ioctl */
 /*
 * Bits outside PLEDGE_USERSET are used by the kernel itself
@@ -82,7 +83,7 @@ static struct {
 { PLEDGE_FLOCK, "flock" },
 { PLEDGE_UNIX, "unix" },
 { PLEDGE_ID, "id" },
- { PLEDGE_IOCTL, "ioctl" },
+ { PLEDGE_TAPE, "tape" },
 { PLEDGE_GETPW, "getpw" },
 { PLEDGE_PROC, "proc" },
 { PLEDGE_SETTIME, "settime" },
@@ -103,6 +104,7 @@ static struct {
 { PLEDGE_DRM, "drm" },
 { PLEDGE_VMM, "vmm" },
 { PLEDGE_CHOWNUID, "chown" },
+ { PLEDGE_BPF, "bpf" },
 { 0, NULL },
 };
 #endif
diff --git a/usr.sbin/httpd/httpd.c b/usr.sbin/httpd/httpd.c
index 47d6676444b..6daccdf52ad 100644
--- a/usr.sbin/httpd/httpd.c
+++ b/usr.sbin/httpd/httpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: httpd.c,v 1.63 2017/01/09 14:49:22 reyk Exp $ */
+/* $OpenBSD: httpd.c,v 1.64 2017/01/23 04:25:05 deraadt Exp $ */
 /*
 * Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org>
@@ -222,8 +222,7 @@ main(int argc, char *argv[])
 if (ps->ps_noaction == 0)
 log_info("startup");
- if (pledge("stdio rpath wpath cpath inet dns ioctl sendfd",
- NULL) == -1)
+ if (pledge("stdio rpath wpath cpath inet dns sendfd", NULL) == -1)
 fatal("pledge");
 event_init();
diff --git a/usr.sbin/tcpdump/privsep.c b/usr.sbin/tcpdump/privsep.c
index ba7aa82a15a..596822b4355 100644
--- a/usr.sbin/tcpdump/privsep.c
+++ b/usr.sbin/tcpdump/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.43 2016/07/25 02:35:26 deraadt Exp $ */
+/* $OpenBSD: privsep.c,v 1.44 2017/01/23 04:25:05 deraadt Exp $ */
 /*
 * Copyright (c) 2003 Can Erkin Acar
@@ -272,7 +272,7 @@ priv_init(int argc, char **argv)
 test_state(cmd, STATE_RUN);
 impl_init_done(socks[0], &bpfd);
- if (pledge("stdio rpath inet unix ioctl dns recvfd", NULL) == -1)
+ if (pledge("stdio rpath inet unix dns recvfd bpf", NULL) == -1)
 err(1, "pledge");
 break;
|