authorsemarie <semarie@openbsd.org>2016-01-09 06:13:43 +0000
committersemarie <semarie@openbsd.org>2016-01-09 06:13:43 +0000
commitfbc2f996c792e4c85e8bdedfd02d928d379ead21 (patch)
tree8b6342ae7c140d1f7642474af42458c0045c5565
parentCorrect sensor threashold handling by properly checking response of Get Sensor (diff)
drop "abort" promise, and make it the default behaviour.
The current code has already set it by default since 1.74. Any pledge failure tries to make a coredump (the default rules for coredumps still apply, so setuid binaries don't create them locally). ok deraadt@
-rw-r--r--lib/libc/sys/pledge.26
-rw-r--r--regress/sys/kern/pledge/Makefile3
-rw-r--r--regress/sys/kern/pledge/generic/tests.out14
-rw-r--r--regress/sys/kern/pledge/sigabrt/sigabrt.c4
-rw-r--r--sys/kern/kern_pledge.c26
-rw-r--r--sys/kern/kern_sig.c3
-rw-r--r--sys/sys/pledge.h4
7 files changed, 24 insertions, 36 deletions
diff --git a/lib/libc/sys/pledge.2 b/lib/libc/sys/pledge.2
index 27a5bae7bd3..26831153152 100644
--- a/lib/libc/sys/pledge.2
+++ b/lib/libc/sys/pledge.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pledge.2,v 1.22 2016/01/06 18:47:02 tedu Exp $
+.\" $OpenBSD: pledge.2,v 1.23 2016/01/09 06:13:43 semarie Exp $
.\"
.\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: January 6 2016 $
+.Dd $Mdocdate: January 9 2016 $
.Dt PLEDGE 2
.Os
.Sh NAME
@@ -43,7 +43,7 @@ Subsequent calls to
.Fn pledge
can reduce the abilities further, but abilities can never be regained.
.Pp
-A process which attempts a restricted operation is killed with
+A process which attempts a restricted operation is killed with an uncatchable
.Dv SIGABRT ,
delivering a core file if possible.
.Pp
diff --git a/regress/sys/kern/pledge/Makefile b/regress/sys/kern/pledge/Makefile
index cd2ac4d4a8c..5ebe825459d 100644
--- a/regress/sys/kern/pledge/Makefile
+++ b/regress/sys/kern/pledge/Makefile
@@ -1,7 +1,6 @@
-# $OpenBSD: Makefile,v 1.1 2015/10/09 06:44:13 semarie Exp $
+# $OpenBSD: Makefile,v 1.2 2016/01/09 06:13:43 semarie Exp $
SUBDIR += sigabrt
-SUBDIR += sigkill
SUBDIR += generic
.include <bsd.subdir.mk>
diff --git a/regress/sys/kern/pledge/generic/tests.out b/regress/sys/kern/pledge/generic/tests.out
index b70a320ffd2..6118824de9e 100644
--- a/regress/sys/kern/pledge/generic/tests.out
+++ b/regress/sys/kern/pledge/generic/tests.out
@@ -1,11 +1,11 @@
-# $OpenBSD: tests.out,v 1.11 2015/11/14 07:45:56 semarie Exp $
+# $OpenBSD: tests.out,v 1.12 2016/01/09 06:13:43 semarie Exp $
test(test_nop): pledge=("",NULL) status=0 exit=0
-test(test_inet): pledge=("",NULL) status=9 signal=9 pledged_syscall=97
-test(test_inet): pledge=("abort",NULL) status=134 signal=6 coredump=present pledged_syscall=97
-test(test_inet): pledge=("stdio",NULL) status=9 signal=9 pledged_syscall=97
-test(test_inet): pledge=("inet",NULL) status=9 signal=9 pledged_syscall=6
+test(test_inet): pledge=("",NULL) status=134 signal=6 coredump=present pledged_syscall=97
+test(test_inet): pledge=("abort",NULL) status=5632 exit=22 (errno: "Invalid argument")
+test(test_inet): pledge=("stdio",NULL) status=134 signal=6 coredump=present pledged_syscall=97
+test(test_inet): pledge=("inet",NULL) status=134 signal=6 coredump=present pledged_syscall=6
test(test_inet): pledge=("stdio inet",NULL) status=0 exit=0
-test(test_kill): pledge=("fattr",NULL) status=9 signal=9 pledged_syscall=122
+test(test_kill): pledge=("fattr",NULL) status=134 signal=6 coredump=present pledged_syscall=122
test(test_kill): pledge=("stdio",NULL) status=2 signal=2 pledged_syscall=not_found
test(test_rpath): pledge=("stdio rpath",NULL) status=0 exit=0
test(test_wpath): pledge=("stdio wpath",NULL) status=0 exit=0
@@ -86,6 +86,6 @@ test(test_stat): pledge=("stdio rpath",{"/usr/share/man",NULL})
stat("/usr/bin/gzip"): realpath=failed(2) errno=2
status=0 exit=0
test(test_mmap): pledge=("stdio rpath prot_exec",{"/dev/zero",NULL}) status=0 exit=0
-test(test_mmap): pledge=("stdio rpath",{"/dev/zero",NULL}) status=9 signal=9 pledged_syscall=197
+test(test_mmap): pledge=("stdio rpath",{"/dev/zero",NULL}) status=134 signal=6 coredump=present pledged_syscall=197
test(test_request_stdio): pledge=skip status=0 exit=0
test(test_request_tty): pledge=skip status=0 exit=0
diff --git a/regress/sys/kern/pledge/sigabrt/sigabrt.c b/regress/sys/kern/pledge/sigabrt/sigabrt.c
index ef7dc1db9a7..1cc5d69f3a3 100644
--- a/regress/sys/kern/pledge/sigabrt/sigabrt.c
+++ b/regress/sys/kern/pledge/sigabrt/sigabrt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sigabrt.c,v 1.1 2015/10/09 06:44:13 semarie Exp $ */
+/* $OpenBSD: sigabrt.c,v 1.2 2016/01/09 06:13:43 semarie Exp $ */
/*
* Copyright (c) 2015 Sebastien Marie <semarie@openbsd.org>
*
@@ -37,7 +37,7 @@ main(int argc, char *argv[])
printf("permitted STDIO\n");
fflush(stdout);
- if (pledge("abort", NULL) == -1)
+ if (pledge("", NULL) == -1)
err(EXIT_FAILURE, "pledge");
/* this will triggered pledge_fail() */
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index 315b2c15074..f9b7267425d 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.145 2016/01/08 11:20:58 reyk Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.146 2016/01/09 06:13:43 semarie Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -344,7 +344,6 @@ static const struct {
char *name;
int flags;
} pledgereq[] = {
- { "abort", 0 }, /* XXX reserve for later */
{ "audio", PLEDGE_AUDIO },
{ "cpath", PLEDGE_CPATH },
{ "disklabel", PLEDGE_DISKLABEL },
@@ -557,7 +556,6 @@ sys_pledge(struct proc *p, void *v, register_t *retval)
}
p->p_p->ps_pledge = flags;
- p->p_p->ps_pledge |= PLEDGE_COREDUMP; /* XXX temporary */
p->p_p->ps_flags |= PS_PLEDGE;
return (0);
}
@@ -586,6 +584,7 @@ pledge_fail(struct proc *p, int error, uint64_t code)
{
char *codes = "";
int i;
+ struct sigaction sa;
/* Print first matching pledge */
for (i = 0; code && pledgenames[i].bits != 0; i++)
@@ -598,16 +597,11 @@ pledge_fail(struct proc *p, int error, uint64_t code)
#ifdef KTRACE
ktrpledge(p, error, code, p->p_pledge_syscall);
#endif
- if (p->p_p->ps_pledge & PLEDGE_COREDUMP) {
- /* Core dump requested */
- struct sigaction sa;
-
- memset(&sa, 0, sizeof sa);
- sa.sa_handler = SIG_DFL;
- setsigvec(p, SIGABRT, &sa);
- psignal(p, SIGABRT);
- } else
- psignal(p, SIGKILL);
+ /* Send uncatchable SIGABRT for coredump */
+ memset(&sa, 0, sizeof sa);
+ sa.sa_handler = SIG_DFL;
+ setsigvec(p, SIGABRT, &sa);
+ psignal(p, SIGABRT);
p->p_p->ps_pledge = 0; /* Disable all PLEDGE_ flags */
return (error);
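Review bot: In pledge_fail, the now-unconditional path resets the SIGABRT disposition with `setsigvec(p, SIGABRT, &sa)`, but nothing visible in this hunk removes SIGABRT from the thread's signal mask, so "uncatchable" may not also mean "unblockable". The removed `psignal(p, SIGKILL)` branch could not be deferred by a mask; if a process blocked SIGABRT before the violation, the signal may stay pending while the syscall just returns `error` to the caller. Unless setsigvec or psignal already handles this (neither is shown here), I would clear the bit before signalling, e.g. `p->p_sigmask &= ~sigmask(SIGABRT);` ahead of `psignal(p, SIGABRT);`. A regress case that blocks SIGABRT before violating the pledge would pin the behaviour down. The function starts in the previous hunk and its closing brace is outside this one.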
@@ -623,15 +617,13 @@ pledge_namei(struct proc *p, struct nameidata *ni, char *origpath)
char path[PATH_MAX];
int error;
- if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
+ if ((p->p_p->ps_flags & PS_PLEDGE) == 0 ||
+ (p->p_p->ps_flags & PS_COREDUMP))
return (0);
if (!ni || (ni->ni_pledge == 0))
panic("ni_pledge");
- if (ni->ni_pledge == PLEDGE_COREDUMP)
- return (0); /* Allow a coredump */
-
/* Doing a permitted execve() */
if ((ni->ni_pledge & PLEDGE_EXEC) &&
(p->p_p->ps_pledge & PLEDGE_EXEC))
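Review bot: The new early return in pledge_namei exempts every path lookup made by the process while `PS_COREDUMP` is set, whereas the removed `ni->ni_pledge == PLEDGE_COREDUMP` test exempted only the one lookup that coredump() had tagged. If any other thread of the process can still reach namei while the flag is set, its lookups would skip the pledge path checks as well. Where `PS_COREDUMP` is set and cleared, and whether sibling threads are suspended by then, is not visible on this page. I would state that assumption in a comment above the test, for example `/* PS_COREDUMP: only the dumping thread runs here, so skipping the checks is limited to the core file lookup */`. The order also matters: the bypass has to stay ahead of the `panic("ni_pledge")` check, because the kern_sig.c hunk stops setting `nd.ni_pledge`, and a short comment saying so would guard against a later reordering. The body of pledge_namei continues past the end of this hunk.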
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index 3ed01a9c4bc..56b3af9558a 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sig.c,v 1.191 2015/12/05 10:11:53 tedu Exp $ */
+/* $OpenBSD: kern_sig.c,v 1.192 2016/01/09 06:13:43 semarie Exp $ */
/* $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $ */
/*
@@ -1596,7 +1596,6 @@ coredump(struct proc *p)
}
NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p);
- nd.ni_pledge = PLEDGE_COREDUMP;
error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR);
diff --git a/sys/sys/pledge.h b/sys/sys/pledge.h
index 0c3a50a70f3..0193de41d6d 100644
--- a/sys/sys/pledge.h
+++ b/sys/sys/pledge.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pledge.h,v 1.26 2016/01/08 11:20:58 reyk Exp $ */
+/* $OpenBSD: pledge.h,v 1.27 2016/01/09 06:13:44 semarie Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -50,7 +50,6 @@
#define PLEDGE_MCAST 0x0000000000200000ULL /* multicast joins */
#define PLEDGE_VMINFO 0x0000000000400000ULL /* vminfo listings */
#define PLEDGE_PS 0x0000000000800000ULL /* ps listings */
-#define PLEDGE_COREDUMP 0x0000000001000000ULL /* generates coredump (default) */
#define PLEDGE_DISKLABEL 0x0000000002000000ULL /* disklabels */
#define PLEDGE_PF 0x0000000004000000ULL /* pf ioctls */
#define PLEDGE_AUDIO 0x0000000008000000ULL /* audio ioctls */
@@ -95,7 +94,6 @@ static struct {
{ PLEDGE_MCAST, "mcast" },
{ PLEDGE_VMINFO, "vminfo" },
{ PLEDGE_PS, "ps" },
- { PLEDGE_COREDUMP, "coredump" },
{ PLEDGE_DISKLABEL, "disklabel" },
{ PLEDGE_PF, "pf" },
{ PLEDGE_AUDIO, "audio" },