...
* A fork(2) is used in ttymsg() to delay the message to a tty if it blocks. Fix the potential death of syslogd, add "proc" to pledge. OK deraadt@
  (bluhm, 2015-10-09; 1 file, -2/+2)

* catch up to tame() -> pledge() rename
  (deraadt, 2015-10-09; 1 file, -3/+3)

* pare down the readme so as to not imply we are tracking upstream. nor do we much care about running this on dec ultrix anymore, etc... ok deraadt
  (tedu, 2015-10-09; 1 file, -144/+3)

* if an error occurs during offline enqueuing after we've dropped group, then attempt to ftruncate() the fp back to 0. suggested and ok millert@, ok eric@
  (gilles, 2015-10-09; 1 file, -1/+4)

* turn our local enqueuer setgid _smtpq and restrict access to offline queue, the enqueuer will revoke group and regain real gid right after mkstemp. this would have prevented the symlink/hardlink attacks against offline, and it will avoid having to deal with new ways users can mess with it. ok eric@, ok millert@
  (gilles, 2015-10-09; 6 files, -52/+92)

* Remove evil hack. I've never seen the printf fire, and xenocara no longer contains any code that can manipulate the affected register directly. ok jsg@
  (kettenis, 2015-10-09; 1 file, -16/+2)

* this cpp operates fine using pledge "stdio rpath wpath cpath"
  (deraadt, 2015-10-09; 1 file, -0/+6)

* Tame syslogd privsep child with "stdio rpath unix inet recvfd". With and OK deraadt@
  (bluhm, 2015-10-09; 1 file, -1/+4)

* oops, snuck into a syscalls sync; spotted by sthen
  (deraadt, 2015-10-09; 1 file, -16/+16)

* regress pledge: add missing $OpenBSD$ header
  (semarie, 2015-10-09; 1 file, -0/+1)

* regress pledge: remove 'regenerate' target
  (semarie, 2015-10-09; 1 file, -5/+1)

* add "tty" regress for pledge
  (semarie, 2015-10-09; 5 files, -7/+93)

* correct Xr; from theo buehler
  (jmc, 2015-10-09; 1 file, -3/+3)

* if enhanced status class is not set, enhanced status code is never dumped in disk envelope.
  (gilles, 2015-10-09; 1 file, -2/+2)

* All commands seem to work fine with pledge "stdio" after the connect(), direct source and symbol table inspection suggests it is good. The same principle will likely apply to most of our network daemon *ctl programs, since many are derived from ospfd. Still, each needs testing. discussion about network daemons and ctl's has been mostly with renato
  (deraadt, 2015-10-09; 1 file, -1/+4)

* another tame(2), spotted by jmc
  (deraadt, 2015-10-09; 1 file, -3/+3)

* Fix line number bug when calling onlywind().
  (lum, 2015-10-09; 1 file, -1/+5)

* hook pledge
  (semarie, 2015-10-09; 1 file, -2/+2)

* follow tame->pledge in regress
  (semarie, 2015-10-09; 15 files, -141/+145)

* do not use weak; plus this dies next week
  (deraadt, 2015-10-09; 1 file, -2/+1)

* another stray )
  (deraadt, 2015-10-09; 1 file, -2/+2)

* shortcircuit TIOCGETA to directly return ENOTTY for non-ttys. It could be called against a non-tty fd, so as to test "is this a tty". Discovered by sthen and rob pierce at the same time.
  (deraadt, 2015-10-09; 2 files, -3/+10)

* oops, typo spotted in temporary .c file, by semarie
  (deraadt, 2015-10-09; 1 file, -2/+2)

* fix a gotcha in the connect refactoring, that could result in dropping through and trying to bind failed v6 connects. ok guenther
  (deraadt, 2015-10-09; 1 file, -1/+5)

* the ntp engine can run with "stdio inet proc". For many reasons, including fork/exec cost, it would be better if constraints were forked from the master process, which would then tell the ntp engine. That would increase accuracy and security. Lots of conversations with reyk and bcook
  (deraadt, 2015-10-09; 1 file, -1/+16)

* Once the constraint engine process is running, it only needs "stdio inet". It took weeks to get to this point...
  (deraadt, 2015-10-09; 1 file, -1/+5)

* stardate 93370.16: a whitespace appears to have entered our quadrant...
  (deraadt, 2015-10-09; 1 file, -2/+2)

* multicast test backwards; noted by renato
  (deraadt, 2015-10-09; 1 file, -3/+3)

* sync
  (deraadt, 2015-10-09; 20 files, -21/+21)

* Change all tame callers to namechange to pledge(2).
  (deraadt, 2015-10-09; 114 files, -427/+427)

* tame -> pledge.
  (deraadt, 2015-10-09; 1 file, -2/+2)

* tame -> pledge conversion, in libc. I should crank libc, but am cheating hoping things go well. The old symbol is faked via a stupid stub function, until next major crank when it can be removed. I am expecting guenther to scream at me.
  (deraadt, 2015-10-09; 4 files, -19/+38)

* Rename tame() to pledge(). This fairly interface has evolved to be more strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.
  (deraadt, 2015-10-09; 4 files, -16/+16)

* sync
  (deraadt, 2015-10-09; 5 files, -31/+31)

* Rename tame() to pledge(). This fairly interface has evolved to be more strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.
  (deraadt, 2015-10-09; 19 files, -527/+527)

* After replacing alloca() with alloc(), out-of-heap happened when booting on a large block size (32K) partition. Increase the HEAP_LIMIT from 0x90000 to 0xA0000. try this, deraadt
  (yasuoka, 2015-10-08; 2 files, -4/+4)

* If getaddrinfo() succeeds, then don't try lookups with other flags, even if the connect()s failed. In concert with some resolver fixes in libc, this lets ntpd be tame()ed. problem isolated by theo, who had fun untangling the libc and libtls behaviors to place blame for not being able to tame ntpd. ok beck@ deraadt@ jsing@
  (guenther, 2015-10-08; 1 file, -41/+39)

* Expose a small set of multicast join operators under the request "mcast". This will be used by a few daemons. If they lack this feature, then they would need to operate without tame. Discussed with renato
  (deraadt, 2015-10-08; 2 files, -3/+20)

* add some tame calls. we may need a bunch of permissions to create files and manipulate the tty for readpassphrase, but once we've parsed options and have some idea of what's going to happen next, we can reduce down quite a bit more. particular use case of "signify | patch" is limited to feeding garbage to patch.
  (tedu, 2015-10-08; 1 file, -1/+27)
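The staged narrowing described in the signify commit above (and the "operate within a subset of the Unix environment, or pay the price" contract from the rename commits) is easy to get wrong in one direction: pledge(2) only ever shrinks the promise set, so a later call that names a promise the process already gave up fails with EPERM. The following is an added example, not OpenBSD or signify code: it wraps the call in a helper that checks each stage is a subset of the previous one before touching the kernel. It assumes the current two-argument signature, pledge(promises, execpromises), with NULL as the second argument; the stage strings and the stub pledge() used on hosts without the syscall are assumptions for illustration only, and the stub enforces nothing.

```c
/*
 * Added example (not OpenBSD code): staged pledge(2) narrowing.
 * Real call: int pledge(const char *promises, const char *execpromises);
 * Hosts without pledge(2) get a no-op stub (assumption) so the control
 * flow can still be compiled and exercised off OpenBSD.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
static int
pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;	/* stub: no enforcement off OpenBSD */
}
#endif

/* Is the n-byte promise at p present as a whole word in the list? */
static int
promise_in(const char *list, const char *p, size_t n)
{
	const char *s = list, *e;

	while (*s != '\0') {
		while (*s == ' ')
			s++;
		if (*s == '\0')
			break;
		e = s;
		while (*e != '\0' && *e != ' ')
			e++;
		if ((size_t)(e - s) == n && strncmp(s, p, n) == 0)
			return 1;
		s = e;
	}
	return 0;
}

/*
 * 1 if every promise in `narrower` also appears in `wider`.  pledge()
 * can only drop promises, so each stage must be a subset of the last.
 */
int
promises_subset(const char *narrower, const char *wider)
{
	const char *s = narrower, *e;

	while (*s != '\0') {
		while (*s == ' ')
			s++;
		if (*s == '\0')
			break;
		e = s;
		while (*e != '\0' && *e != ' ')
			e++;
		if (!promise_in(wider, s, (size_t)(e - s)))
			return 0;
		s = e;
	}
	return 1;
}

/*
 * Move from `current` to `next`.  Refuse with EPERM before calling the
 * kernel when `next` would widen, so the bug is reported at the call
 * site rather than by the kernel later.  Returns 0 on success, -1 on error.
 */
int
narrow_to(const char *current, const char *next)
{
	if (!promises_subset(next, current)) {
		errno = EPERM;
		return -1;
	}
	return pledge(next, NULL);
}

int
main(void)
{
	/* Hypothetical stages for a signify-like tool: wide while it may
	 * still create an output file and read a passphrase from the tty,
	 * then only what the chosen operation needs, then stdio alone. */
	const char *stage0 = "stdio rpath wpath cpath tty";
	const char *stage1 = "stdio rpath wpath cpath";
	const char *stage2 = "stdio";

	if (pledge(stage0, NULL) == -1) { perror("pledge"); return 1; }
	/* ... parse options here ... */
	if (narrow_to(stage0, stage1) == -1) { perror("narrow_to"); return 1; }
	/* ... open the files the operation needs ... */
	if (narrow_to(stage1, stage2) == -1) { perror("narrow_to"); return 1; }
	/* A bug: trying to regain "proc" after it was dropped. */
	if (narrow_to(stage2, "stdio proc") == -1 && errno == EPERM)
		printf("refused to widen promises, as expected\n");
	return 0;
}
```

The subset check is cheap insurance, but it cannot catch the other failure mode the make commit below warns about: a promise name the running kernel does not know yet is rejected by pledge() itself with EINVAL, so always check the return value rather than assuming the call succeeded.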
* stop trying to gift history files to the original owner. instead, don't open history files that don't belong to us. probably much safer. ok deraadt
  (tedu, 2015-10-08; 1 file, -7/+6)

* Lock the page queues by turning uvm_lock_pageq() and uvm_unlock_pageq() into mtx_enter() and mtx_leave() operations. Not 100% sure this won't blow up but there is only one way to find out, and we need this to make progress on further unlocking uvm. prodded by deraadt@
  (kettenis, 2015-10-08; 4 files, -6/+10)

* little cleanup from Michael McConville, mostly related to stale comments.
  (tedu, 2015-10-08; 1 file, -20/+12)

* Refactor fileprefix() and filecopy() to use warn() instead of err() to display error message, and to return error indications (NULL and -1 respectively). Use the error indications in write_efisystem() to unwind in the face of more error conditions. In other cases just exit(1) to emulate current behaviour. ok deraadt@
  (krw, 2015-10-08; 6 files, -43/+92)

* tame "stdio rpath wpath cpath proc exec". make is a shell, and appears to only need these operations. Take note that "exec" is a 2-day old tame request, so do get a new kernel before you update or risk getting trapped.
  (deraadt, 2015-10-08; 1 file, -1/+4)

* 16 years after E801 memprobe was disabled, probably safe to delete it. ok deraadt jung kettenis ratchov
  (tedu, 2015-10-08; 2 files, -130/+4)

* Remove the sc_soft_req_cnt field because the number of tx requests is already tracked in sc_sendq. Replace the sc_flush logic with a simple Fetch-and-Add store that avoids an unnecessary IOBDMA transaction. ok uebayasi@
  (visa, 2015-10-08; 2 files, -41/+9)

* tweak previous;
  (jmc, 2015-10-08; 1 file, -4/+4)

* fix conditionals. ok deraadt@
  (eric, 2015-10-08; 2 files, -4/+4)

* portmap's main process can be tame "stdio rpath inet proc"; proc is for the callit interface needing to fork, and parent needing to wait. that child can drop to "stdio rpath inet". It is possible some libc/rpc codepath has not yet been figured out, but committing it is the best way to get it tested. Tested what I could myself, but no one answered my call for testing...
  (deraadt, 2015-10-08; 1 file, -1/+8)

* Make sure that when trunk_port_ioctl is called to set a new lladdr the trunk port is already on the list. OK mpi
  (mikeb, 2015-10-08; 1 file, -5/+5)