-rw-r--r--sys/arch/alpha/alpha/mem.c15
-rw-r--r--sys/arch/amd64/amd64/mem.c7
-rw-r--r--sys/arch/arm/arm/mem.c21
-rw-r--r--sys/arch/hppa/hppa/mem.c16
-rw-r--r--sys/arch/i386/i386/mem.c6
-rw-r--r--sys/arch/m88k/m88k/mem.c21
-rw-r--r--sys/arch/macppc/macppc/mem.c18
-rw-r--r--sys/arch/mips64/mips64/mem.c9
-rw-r--r--sys/arch/sh/sh/mem.c8
-rw-r--r--sys/arch/socppc/socppc/mem.c18
-rw-r--r--sys/arch/sparc64/sparc64/mem.c15
-rw-r--r--sys/kern/kern_sysctl.c10
-rw-r--r--sys/sys/sysctl.h10
-rw-r--r--usr.sbin/acpidump/acpidump.811
-rw-r--r--usr.sbin/procmap/procmap.111
-rw-r--r--usr.sbin/pstat/pstat.820
16 files changed, 161 insertions, 55 deletions
diff --git a/sys/arch/alpha/alpha/mem.c b/sys/arch/alpha/alpha/mem.c
index ad3812ae22c..9a971403c36 100644
--- a/sys/arch/alpha/alpha/mem.c
+++ b/sys/arch/alpha/alpha/mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mem.c,v 1.30 2016/08/15 22:01:59 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.31 2016/09/25 15:23:36 deraadt Exp $ */
/* $NetBSD: mem.c,v 1.26 2000/03/29 03:48:20 simonb Exp $ */
/*
@@ -70,12 +70,18 @@ extern int allowaperture;
int
mmopen(dev_t dev, int flag, int mode, struct proc *p)
{
+ extern int allowkmem;
switch (minor(dev)) {
case 0:
case 1:
+ if (securelevel <= 0 || allowkmem)
+ break;
+ return (EPERM);
+ }
case 2:
- return (0);
+ case 12:
+ break;
#ifdef APERTURE
case 4:
if (suser(p, 0) != 0 || !allowaperture)
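Review bot: The added `}` directly after `return (EPERM);` in the `case 0:`/`case 1:` arm closes `switch (minor(dev))` early, so `case 2:` and every later label end up outside any switch and this file should no longer compile on alpha. None of the other mem.c hunks in this commit add that brace, and the following alpha hunk still closes the switch after `default:`. Drop the `+ }` line so that `return (EPERM);` is followed directly by `case 2:`. The body of mmopen continues past the end of this hunk.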
@@ -86,13 +92,12 @@ mmopen(dev_t dev, int flag, int mode, struct proc *p)
if (ap_open_count > 0 && allowaperture < 3)
return (EPERM);
ap_open_count++;
- return (0);
+ break;
#endif
- case 12:
- return (0);
default:
return (ENXIO);
}
+ return (0);
}
int
diff --git a/sys/arch/amd64/amd64/mem.c b/sys/arch/amd64/amd64/mem.c
index 739dd29a4be..0dfe2300e08 100644
--- a/sys/arch/amd64/amd64/mem.c
+++ b/sys/arch/amd64/amd64/mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mem.c,v 1.30 2016/08/15 22:01:59 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.31 2016/09/25 15:23:36 deraadt Exp $ */
/*
* Copyright (c) 1988 University of Utah.
* Copyright (c) 1982, 1986, 1990, 1993
@@ -81,9 +81,14 @@ int mem_range_attr_set(struct mem_range_desc *, int *);
int
mmopen(dev_t dev, int flag, int mode, struct proc *p)
{
+ extern int allowkmem;
+
switch (minor(dev)) {
case 0:
case 1:
+ if (securelevel <= 0 || allowkmem)
+ break;
+ return (EPERM);
case 2:
case 12:
break;
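Review bot: The new `securelevel <= 0 || allowkmem` test runs only in mmopen, so a descriptor for minor 0 or 1 obtained while the test passed presumably stays usable after securelevel is raised. The read/write path is not part of this diff, so that is inferred rather than confirmed. A comment above the test would record the intended scope, e.g. `/* checked at open time only; descriptors opened earlier are not revoked */`. The same applies to the mmopen hunks for alpha, arm, hppa, i386, m88k, macppc, mips64, sh, socppc and sparc64; mmopen's body continues outside this hunk.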
diff --git a/sys/arch/arm/arm/mem.c b/sys/arch/arm/arm/mem.c
index 2e76a251861..c05990f6c52 100644
--- a/sys/arch/arm/arm/mem.c
+++ b/sys/arch/arm/arm/mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mem.c,v 1.18 2016/08/16 18:21:54 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.19 2016/09/25 15:23:37 deraadt Exp $ */
/* $NetBSD: mem.c,v 1.11 2003/10/16 12:02:58 jdolecek Exp $ */
/*
@@ -101,15 +101,20 @@ extern int allowaperture;
int
mmopen(dev_t dev, int flag, int mode, struct proc *p)
{
+ extern int allowkmem;
+
switch (minor(dev)) {
- case 0:
- case 1:
- case 2:
- case 12:
+ case 0:
+ case 1:
+ if (securelevel <= 0 || allowkmem)
break;
+ return (EPERM);
+ case 2:
+ case 12:
+ break;
#ifdef APERTURE
case 4:
- if (suser(p, 0) != 0 || !allowaperture)
+ if (suser(p, 0) != 0 || !allowaperture)
return (EPERM);
/* authorize only one simultaneous open() unless
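Review bot: `extern int allowkmem;` is declared inside the body of mmopen here and again in each of the other ten mem.c files, so nothing checks these declarations against the definition `int allowkmem;` that this commit adds in sys/kern/kern_sysctl.c. A single declaration in a shared kernel header, next to wherever `securelevel` is declared, would keep the type in one place and remove the eleven local copies. If the type of the knob ever changes, a stale block-scope `extern` would go unnoticed by the compiler. mmopen's body continues outside this hunk.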
@@ -119,8 +124,8 @@ mmopen(dev_t dev, int flag, int mode, struct proc *p)
ap_open_count++;
break;
#endif
- default:
- return (ENXIO);
+ default:
+ return (ENXIO);
}
return (0);
}
diff --git a/sys/arch/hppa/hppa/mem.c b/sys/arch/hppa/hppa/mem.c
index 6b43cccb6e3..94984bdc47a 100644
--- a/sys/arch/hppa/hppa/mem.c
+++ b/sys/arch/hppa/hppa/mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mem.c,v 1.1 2016/08/19 20:48:36 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.2 2016/09/25 15:23:37 deraadt Exp $ */
/*
* Copyright (c) 1998-2004 Michael Shalayeff
@@ -302,6 +302,20 @@ viper_eisa_en(void)
int
mmopen(dev_t dev, int flag, int ioflag, struct proc *p)
{
+ extern int allowkmem;
+
+ switch (minor(dev)) {
+ case 0:
+ case 1:
+ if (securelevel <= 0 || allowkmem)
+ break;
+ return (EPERM);
+ case 2:
+ case 12:
+ break;
+ default:
+ return (ENXIO);
+ }
return (0);
}
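Review bot: Besides the kmem gate, this hunk changes hppa's mmopen from accepting every minor to returning ENXIO for anything other than 0, 1, 2 and 12, and the sparc64 hunk makes the same change. That looks like an intentional alignment with the other ports, but the rest of the driver is not visible here, so it is worth confirming that no other minor is served on these two platforms. If the tightening is intended, a one-line comment on the `default:` arm such as `/* minors other than 0, 1, 2 and 12 are not supported */` would make it explicit.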
diff --git a/sys/arch/i386/i386/mem.c b/sys/arch/i386/i386/mem.c
index 5282cca2683..42c6282a608 100644
--- a/sys/arch/i386/i386/mem.c
+++ b/sys/arch/i386/i386/mem.c
@@ -1,5 +1,5 @@
/* $NetBSD: mem.c,v 1.31 1996/05/03 19:42:19 christos Exp $ */
-/* $OpenBSD: mem.c,v 1.50 2016/08/16 18:19:15 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.51 2016/09/25 15:23:37 deraadt Exp $ */
/*
* Copyright (c) 1988 University of Utah.
* Copyright (c) 1982, 1986, 1990, 1993
@@ -76,10 +76,14 @@ static int mem_ioctl(dev_t, u_long, caddr_t, int, struct proc *);
int
mmopen(dev_t dev, int flag, int mode, struct proc *p)
{
+ extern int allowkmem;
switch (minor(dev)) {
case 0:
case 1:
+ if (securelevel <= 0 || allowkmem)
+ break;
+ return (EPERM);
case 2:
case 12:
break;
diff --git a/sys/arch/m88k/m88k/mem.c b/sys/arch/m88k/m88k/mem.c
index ff057b58b04..93167c253ab 100644
--- a/sys/arch/m88k/m88k/mem.c
+++ b/sys/arch/m88k/m88k/mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mem.c,v 1.4 2016/08/01 15:58:22 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.5 2016/09/25 15:23:37 deraadt Exp $ */
/*
* Copyright (c) 1988 University of Utah.
@@ -58,16 +58,21 @@ extern void *etext;
int
mmopen(dev_t dev, int flag, int mode, struct proc *p)
{
+ extern int allowkmem;
switch (minor(dev)) {
- case 0:
- case 1:
- case 2:
- case 12:
- return (0);
- default:
- return (ENXIO);
+ case 0:
+ case 1:
+ if (securelevel <= 0 || allowkmem)
+ break;
+ return (EPERM);
+ case 2:
+ case 12:
+ break;
+ default:
+ return (ENXIO);
}
+ return (0);
}
int
diff --git a/sys/arch/macppc/macppc/mem.c b/sys/arch/macppc/macppc/mem.c
index 81360d042a7..0404d92dad9 100644
--- a/sys/arch/macppc/macppc/mem.c
+++ b/sys/arch/macppc/macppc/mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mem.c,v 1.23 2016/08/15 22:01:59 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.24 2016/09/25 15:23:37 deraadt Exp $ */
/* $NetBSD: mem.c,v 1.1 1996/09/30 16:34:50 ws Exp $ */
/*
@@ -191,13 +191,17 @@ mem_i2c_exec(void *cookie, i2c_op_t op, i2c_addr_t addr,
int
mmopen(dev_t dev, int flag, int mode, struct proc *p)
{
+ extern int allowkmem;
switch (minor(dev)) {
- case 0:
- case 1:
- case 2:
- case 12:
+ case 0:
+ case 1:
+ if (securelevel <= 0 || allowkmem)
break;
+ return (EPERM);
+ case 2:
+ case 12:
+ break;
#ifdef APERTURE
case 4:
if (suser(p, 0) != 0 || !allowaperture)
@@ -210,8 +214,8 @@ mmopen(dev_t dev, int flag, int mode, struct proc *p)
ap_open_count++;
break;
#endif
- default:
- return (ENXIO);
+ default:
+ return (ENXIO);
}
return (0);
}
diff --git a/sys/arch/mips64/mips64/mem.c b/sys/arch/mips64/mips64/mem.c
index bab2383934a..28706b9ba6d 100644
--- a/sys/arch/mips64/mips64/mem.c
+++ b/sys/arch/mips64/mips64/mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mem.c,v 1.21 2016/08/01 15:58:22 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.22 2016/09/25 15:23:37 deraadt Exp $ */
/* $NetBSD: mem.c,v 1.6 1995/04/10 11:55:03 mycroft Exp $ */
/*
@@ -71,16 +71,21 @@ cdev_decl(mm);
int
mmopen(dev_t dev, int flag, int mode, struct proc *p)
{
+ extern int allowkmem;
switch (minor(dev)) {
case 0:
case 1:
+ if (securelevel <= 0 || allowkmem)
+ break;
+ return (EPERM);
case 2:
case 12:
- return (0);
+ break;
default:
return (ENXIO);
}
+ return (0);
}
int
diff --git a/sys/arch/sh/sh/mem.c b/sys/arch/sh/sh/mem.c
index fdbe75a5b71..596864a52ca 100644
--- a/sys/arch/sh/sh/mem.c
+++ b/sys/arch/sh/sh/mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mem.c,v 1.8 2016/08/16 18:21:54 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.9 2016/09/25 15:23:37 deraadt Exp $ */
/* $NetBSD: mem.c,v 1.21 2006/07/23 22:06:07 ad Exp $ */
/*
@@ -101,16 +101,20 @@ cdev_decl(mm);
int
mmopen(dev_t dev, int flag, int mode, struct proc *p)
{
+ extern int allowkmem;
+
switch (minor(dev)) {
case 0:
case 1:
+ if (securelevel <= 0 || allowkmem)
+ break;
+ return (EPERM);
case 2:
case 12:
break;
default:
return (ENXIO);
}
-
return (0);
}
diff --git a/sys/arch/socppc/socppc/mem.c b/sys/arch/socppc/socppc/mem.c
index e17f055de68..54aaa6688ba 100644
--- a/sys/arch/socppc/socppc/mem.c
+++ b/sys/arch/socppc/socppc/mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mem.c,v 1.5 2016/08/15 22:01:59 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.6 2016/09/25 15:23:37 deraadt Exp $ */
/* $NetBSD: mem.c,v 1.1 1996/09/30 16:34:50 ws Exp $ */
/*
@@ -58,13 +58,17 @@
int
mmopen(dev_t dev, int flag, int mode, struct proc *p)
{
+ extern int allowkmem;
switch (minor(dev)) {
- case 0:
- case 1:
- case 2:
- case 12:
+ case 0:
+ case 1:
+ if (securelevel <= 0 || allowkmem)
break;
+ return (EPERM);
+ case 2:
+ case 12:
+ break;
#ifdef xAPERTURE
case 4:
if (suser(p, 0) != 0 || !allowaperture)
@@ -76,8 +80,8 @@ mmopen(dev_t dev, int flag, int mode, struct proc *p)
ap_open_count++;
break;
#endif
- default:
- return (ENXIO);
+ default:
+ return (ENXIO);
}
return (0);
}
diff --git a/sys/arch/sparc64/sparc64/mem.c b/sys/arch/sparc64/sparc64/mem.c
index 7e21614180f..d4780e51c4b 100644
--- a/sys/arch/sparc64/sparc64/mem.c
+++ b/sys/arch/sparc64/sparc64/mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mem.c,v 1.17 2016/08/16 18:17:36 tedu Exp $ */
+/* $OpenBSD: mem.c,v 1.18 2016/09/25 15:23:37 deraadt Exp $ */
/* $NetBSD: mem.c,v 1.18 2001/04/24 04:31:12 thorpej Exp $ */
/*
@@ -62,7 +62,20 @@ caddr_t zeropage;
int
mmopen(dev_t dev, int flag, int mode, struct proc *p)
{
+ extern int allowkmem;
+ switch (minor(dev)) {
+ case 0:
+ case 1:
+ if (securelevel <= 0 || allowkmem)
+ break;
+ return (EPERM);
+ case 2:
+ case 12:
+ break;
+ default:
+ return (ENXIO);
+ }
return (0);
}
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index c0d9e1eabcc..c36988f0773 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sysctl.c,v 1.311 2016/09/21 14:06:50 deraadt Exp $ */
+/* $OpenBSD: kern_sysctl.c,v 1.312 2016/09/25 15:23:37 deraadt Exp $ */
/* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */
/*-
@@ -118,6 +118,8 @@ extern fixpt_t ccpu;
extern long numvnodes;
extern u_int net_livelocks;
+int allowkmem;
+
extern void nmbclust_update(void);
int sysctl_diskinit(int, struct proc *);
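Review bot: `int allowkmem;` is added without a comment, although it is the variable that decides whether minors 0 and 1 of the memory device can be opened once securelevel is above 0. As a file-scope int with no initializer it starts at 0, so the default after this commit is to refuse those opens at securelevel > 0, which changes behaviour for existing kmem readers. I would document that at the definition, e.g. `/* nonzero: permit open of /dev/mem and /dev/kmem when securelevel > 0 (default 0) */`.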
@@ -340,6 +342,12 @@ kern_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
return (EPERM);
securelevel = level;
return (0);
+ case KERN_ALLOWKMEM:
+ if (securelevel > 0)
+ return (sysctl_rdint(oldp, oldlenp, newp,
+ allowkmem));
+ return (sysctl_int(oldp, oldlenp, newp, newlen,
+ &allowkmem));
case KERN_HOSTNAME:
error = sysctl_tstring(oldp, oldlenp, newp, newlen,
hostname, sizeof(hostname));
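Review bot: The `KERN_ALLOWKMEM` case stores whatever integer the caller supplies through `sysctl_int`, while mmopen only tests `allowkmem` for nonzero, so negative or large values enable access just like 1. Either document the knob as a boolean or reject other values before storing. The case also has no comment explaining why it falls back to `sysctl_rdint` when `securelevel > 0`; something like `/* may only be changed while securelevel <= 0 */` would help the next reader. kern_sysctl's body continues outside this hunk.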
diff --git a/sys/sys/sysctl.h b/sys/sys/sysctl.h
index 506c6908cad..591f7bd0ad3 100644
--- a/sys/sys/sysctl.h
+++ b/sys/sys/sysctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysctl.h,v 1.166 2016/09/21 14:06:50 deraadt Exp $ */
+/* $OpenBSD: sysctl.h,v 1.167 2016/09/25 15:23:37 deraadt Exp $ */
/* $NetBSD: sysctl.h,v 1.16 1996/04/09 20:55:36 cgd Exp $ */
/*
@@ -137,7 +137,7 @@ struct ctlname {
#define KERN_SYSVMSG 34 /* int: SysV message queue suppoprt */
#define KERN_SYSVSEM 35 /* int: SysV semaphore support */
#define KERN_SYSVSHM 36 /* int: SysV shared memory support */
-/* was KERN_ARND 37 */
+/* was KERN_ARND 37 */
#define KERN_MSGBUFSIZE 38 /* int: size of message buffer */
#define KERN_MALLOCSTATS 39 /* node: malloc statistics */
#define KERN_CPTIME 40 /* array: cp_time */
@@ -152,7 +152,7 @@ struct ctlname {
#define KERN_POOL 49 /* struct: pool information */
#define KERN_STACKGAPRANDOM 50 /* int: stackgap_random */
#define KERN_SYSVIPC_INFO 51 /* struct: SysV sem/shm/msg info */
-/* was KERN_USERCRYPTO 52 */
+#define KERN_ALLOWKMEM 52 /* int: allowkmem */
/* was KERN_CRYPTODEVALLOWSOFT 53 */
#define KERN_SPLASSERT 54 /* int: splassert */
#define KERN_PROC_ARGS 55 /* node: proc args and env */
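Review bot: `KERN_ALLOWKMEM` takes over number 52, which the removed comment says used to be `KERN_USERCRYPTO`, so a binary built against older headers that still sets MIB 52 would now address the kmem knob instead; whether any such binary exists is not visible from this diff. Reused MIB numbers are easier to audit when the history stays next to the define, e.g. `#define KERN_ALLOWKMEM 52 /* int: allowkmem (was KERN_USERCRYPTO) */`. Taking a fresh number at the end of the list would avoid the aliasing altogether.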
@@ -224,7 +224,7 @@ struct ctlname {
{ "sysvmsg", CTLTYPE_INT }, \
{ "sysvsem", CTLTYPE_INT }, \
{ "sysvshm", CTLTYPE_INT }, \
- { "arandom", CTLTYPE_INT }, \
+ { "gap", 0 }, \
{ "msgbufsize", CTLTYPE_INT }, \
{ "malloc", CTLTYPE_NODE }, \
{ "cp_time", CTLTYPE_STRUCT }, \
@@ -239,7 +239,7 @@ struct ctlname {
{ "pool", CTLTYPE_NODE }, \
{ "stackgap_random", CTLTYPE_INT }, \
{ "sysvipc_info", CTLTYPE_INT }, \
- { "gap", 0 }, \
+ { "allowkmem", CTLTYPE_INT }, \
{ "gap", 0 }, \
{ "splassert", CTLTYPE_INT }, \
{ "procargs", CTLTYPE_NODE }, \
diff --git a/usr.sbin/acpidump/acpidump.8 b/usr.sbin/acpidump/acpidump.8
index 650c683acd1..ff8747898a2 100644
--- a/usr.sbin/acpidump/acpidump.8
+++ b/usr.sbin/acpidump/acpidump.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: acpidump.8,v 1.15 2014/03/13 21:14:08 brynet Exp $
+.\" $OpenBSD: acpidump.8,v 1.16 2016/09/25 15:23:37 deraadt Exp $
.\"
.\" Copyright (c) 1999 Doug Rabson <dfr@FreeBSD.org>
.\" Copyright (c) 2000 Mitsuru IWASAKI <iwasaki@FreeBSD.org>
@@ -29,7 +29,7 @@
.\"
.\" $FreeBSD: src/usr.sbin/acpi/acpidump/acpidump.8,v 1.9 2001/09/05 19:21:25 dd Exp $
.\"
-.Dd $Mdocdate: March 13 2014 $
+.Dd $Mdocdate: September 25 2016 $
.Dt ACPIDUMP 8
.Os
.Sh NAME
@@ -60,6 +60,13 @@ ports tree or package system:
# pkg_add acpica
$ iasl -d <prefix>.<sig>.<id>
.Ed
+.Pp
+.Nm
+requires the ability to open
+.Pa /dev/kmem
+which may be restricted based upon the value of the
+.Ar kern.allowkmem
+.Xr sysctl 8 .
.Sh FILES
.Bl -tag -width /dev/mem
.It Pa /dev/mem
diff --git a/usr.sbin/procmap/procmap.1 b/usr.sbin/procmap/procmap.1
index 850fb50be0a..c1edf188f83 100644
--- a/usr.sbin/procmap/procmap.1
+++ b/usr.sbin/procmap/procmap.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: procmap.1,v 1.21 2016/05/26 17:23:49 stefan Exp $
+.\" $OpenBSD: procmap.1,v 1.22 2016/09/25 15:23:37 deraadt Exp $
.\" $NetBSD: pmap.1,v 1.6 2003/01/19 21:25:43 atatat Exp $
.\"
.\" Copyright (c) 2002 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 26 2016 $
+.Dd $Mdocdate: September 25 2016 $
.Dt PROCMAP 1
.Os
.Sh NAME
@@ -53,6 +53,13 @@ address, the underlying file's device and inode numbers, and various
protection information will be displayed, along with the path to the
file, if such data is available.
.Pp
+.Nm
+requires the ability to open
+.Pa /dev/kmem
+which may be restricted based upon the value of the
+.Ar kern.allowkmem
+.Xr sysctl 8 .
+.Pp
By default,
.Nm
displays information for its parent process, so that when run from a
diff --git a/usr.sbin/pstat/pstat.8 b/usr.sbin/pstat/pstat.8
index f0ed5fc1403..627ff32a8b4 100644
--- a/usr.sbin/pstat/pstat.8
+++ b/usr.sbin/pstat/pstat.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pstat.8,v 1.50 2016/06/03 20:38:48 deraadt Exp $
+.\" $OpenBSD: pstat.8,v 1.51 2016/09/25 15:23:37 deraadt Exp $
.\" $NetBSD: pstat.8,v 1.9.4.1 1996/06/02 09:08:17 mrg Exp $
.\"
.\" Copyright (c) 1980, 1991, 1993, 1994
@@ -30,7 +30,7 @@
.\"
.\" from: @(#)pstat.8 8.4 (Berkeley) 4/19/94
.\"
-.Dd $Mdocdate: June 3 2016 $
+.Dd $Mdocdate: September 25 2016 $
.Dt PSTAT 8
.Os
.Sh NAME
@@ -72,6 +72,14 @@ or
.Ar llx .
Symbol names are read from the remaining command line arguments.
Addresses may also be specified in hex.
+.Pp
+The
+.Fl d
+option requires the ability to open
+.Pa /dev/kmem
+which may be restricted based upon the value of the
+.Ar kern.allowkmem
+.Xr sysctl 8 .
.It Fl f
Print the open file table with these headings:
.Bl -tag -width indent
@@ -335,6 +343,14 @@ special file times changed
Number of bytes in an ordinary file, or
major and minor device of special file.
.El
+.Pp
+The
+.Fl v
+option requires the ability to open
+.Pa /dev/kmem
+which may be restricted based upon the value of the
+.Ar kern.allowkmem
+.Xr sysctl 8 .
.El
.Sh ENVIRONMENT
.Bl -tag -width BLOCKSIZE