| author | 2017-01-24 04:09:59 +0000 | |
|---|---|---|
| committer | 2017-01-24 04:09:59 +0000 | |
| commit | 5a0f20a0802ec5698a44512e60b6653ea61db79c (patch) | |
| tree | 7b29b9c341cda23e9382843714fabfcea4ccfc7c /sys/kern/uipc_usrreq.c | |
| parent | add support for multiple transmit ifqueues per network interface. (diff) | |
Track a per-fd flag UF_PLEDGED. This indicates the initial open was done by a
pledged process. dup(2) and recvmsg(2) retain UF_PLEDGED from the original fd.
In pledge "exec" circumstances, execve clears UF_PLEDGED on all the process's
fds.
In a pledge'd process, ioctl(2) can use this additional information to grant
access to ioctls which are more sensitive or dive deeply into the kernel.
Developers will be encouraged to open such sensitive resources before calling
pledge(2), rather than afterwards. That matches the heading of privsep
development practices.
Future changes will introduce those ioctl(2) changes.
Lots of discussions with semarie, guenther and benno.
Diffstat (limited to '')
| -rw-r--r-- | sys/kern/uipc_usrreq.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index ef14e79c4c2..4589f903a24 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_usrreq.c,v 1.110 2017/01/23 23:44:04 deraadt Exp $ */ +/* $OpenBSD: uipc_usrreq.c,v 1.111 2017/01/24 04:09:59 deraadt Exp $ */ /* $NetBSD: uipc_usrreq.c,v 1.18 1996/02/09 19:00:50 christos Exp $ */ /* @@ -58,6 +58,7 @@ LIST_HEAD(unp_head, unpcb) unp_head = LIST_HEAD_INITIALIZER(unp_head); struct fdpass { struct file *fp; + int flags; }; /* @@ -759,6 +760,7 @@ restart: * in the loop below. */ p->p_fd->fd_ofiles[fdp[i]] = rp->fp; + p->p_fd->fd_ofileflags[fdp[i]] = (rp->flags & UF_PLEDGED); rp++; if (flags & MSG_CMSG_CLOEXEC) @@ -873,6 +875,7 @@ morespace: goto fail; } rp->fp = fp; + rp->flags = fdp->fd_ofileflags[fd] & UF_PLEDGED; rp--; fp->f_count++; if ((unp = fptounp(fp)) != NULL) { |
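Review bot: In the hunk at @@ -58,6 +58,7, the new `int flags;` member of `struct fdpass` is undocumented, and the only values this patch ever stores in it are masked with UF_PLEDGED. A one-line comment on the member saying it carries per-fd UF_* bits from the original descriptor (currently only UF_PLEDGED) would keep later users from treating it as file or message flags.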
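Review bot: In the hunk at @@ -759,6 +760,7, `p->p_fd->fd_ofileflags[fdp[i]] = (rp->flags & UF_PLEDGED);` is a plain assignment, so it discards whatever is already in that slot and is only correct while it runs before any other code sets bits there. The `if (flags & MSG_CMSG_CLOEXEC)` two lines later tests a different `flags` (the function's own) than `rp->flags`; if that branch sets a bit in the same slot, the ordering matters and should be stated in a comment. Giving the struct member a more specific name would also remove the ambiguity between the two `flags`.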
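Review bot: In the hunk at @@ -873,6 +875,7, `rp->flags = fdp->fd_ofileflags[fd] & UF_PLEDGED;` captures the bit at the moment this line runs, so the receiving side gets the state as of the send, not as of the receive. The commit message says execve clears UF_PLEDGED on all the process's fds; a descriptor whose flag was already copied into `rp->flags` keeps the captured value, and a comment here should say whether that is intended.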
