path: root/sys/kern/kern_pledge.c
Commit message | Author | Age | Files | Lines

...

Add getlogin_r syscall that checks and returns errors like userspace | guenther | 2016-03-30 | 1 | -2/+3
    getlogin_r() API; keep existing syscall as getlogin59 for temporary compat. ok kettenis@ deraadt@

Silence compiler warnings about used-uninitialized variables. These lengths | semarie | 2016-03-25 | 1 | -2/+2
    are passed uninitialized to free(9) only when pointers are NULL. found by jsg@ ok deraadt@

allow fpathconf() in stdio mode, since it is an innocuous query | deraadt | 2016-03-22 | 1 | -1/+2
    system call. discussed with semarie and everyone else during the 5.9 lock.

Rename the system call sendsyslog2 to sendsyslog. Keep the old one | bluhm | 2016-03-21 | 1 | -2/+2
    as osendsyslog for a while. The three argument variant is the only one that will stay. input kettenis@; OK deraadt@

Expose new audio ioctls that do one thing only: start and stop DMA, | ratchov | 2016-03-16 | 1 | -1/+5
    set and get parameters. This is much simpler. ok semarie, armani, tweaks from jmc

pledge: wl_paths: resolvpath() logic error | semarie | 2016-03-15 | 1 | -64/+73
    prepend chroot value *after* canonization and not before.

pledge: wl_paths: corrects a memory leak in error code path and an evaluation | semarie | 2016-03-15 | 1 | -2/+4
    order ("a += b > c" is the same as "a += (b > c)", which is wrong here) ok jca@

keep disabled wl_paths for now. the expensiveness impact needs to be better | semarie | 2016-03-13 | 1 | -1/+5
    considered. ok deraadt@

reenable wl_paths (whitelisted-paths) in pledge(2) | semarie | 2016-03-13 | 1 | -4/+1

pledge: replace #if 0 printf with DNPRINTF macro | semarie | 2016-03-13 | 1 | -14/+29

pledge: let wl_paths work well with chroot | semarie | 2016-03-13 | 1 | -113/+173
    it factorizes path resolution in the resolvpath() function, and uses it in sys_pledge() and pledge_namei(). please note that wl_paths is still disabled.

corrects an off-by-one error in pledge_namei() | semarie | 2016-03-13 | 1 | -47/+25
    - rewrite canonpath() to not require extra byte before shrinking
    - make canonpath() error not fatal for the caller (proposition from tedu@)
    ok millert@ tedu@ deraadt@

pledge: define the meaning of passing NULL to one argument of pledge(2) as "I | semarie | 2016-03-11 | 1 | -14/+17
    don't want to change the current value". it changes only the `request' argument behaviour when NULL is passed: previously it was treated as if "" was passed. with help from jmc@ for man-page. OK tb@ on previous version

Return ENOTTY for TIOCFLUSH when allowed by pledge but the fd is | millert | 2016-02-17 | 1 | -2/+2
    not a tty. Fixes a pledge failure in telnet when piping the output. OK deraadt@

Check if the vnode type is VBAD (corresponds to disconnected | ratchov | 2016-01-19 | 1 | -2/+5
    usb devices) and return ENOTTY rather than terminating the caller program. Found by Michael Reed <m.reed at mykolab.com> ok semarie, deraadt

Add SYS_truncate as a "wpath" operation. Omission noticed by tb and sthen. | deraadt | 2016-01-18 | 1 | -1/+2

drop "abort" promise, and make it the default behaviour. | semarie | 2016-01-09 | 1 | -17/+9
    The current code has already set it by default since 1.74: any pledge failure tries to make a coredump (default rules for coredump still apply: so setuid binaries don't create them locally). ok deraadt@

Add "vmm" pledge to allow restricted ioctl access to /dev/vmm. | reyk | 2016-01-08 | 1 | -1/+21
    This will allow pledging vmd(8)'s vmm and vm processes, so that VMs themselves run "sandboxed", including their host-side virtio layer. It will remain disabled for now (in userland) to not get in the way of ongoing development and upcoming changes in vmd and the ioctl interface. OK mlarkin@ deraadt@ "kernel side in, but not the callers in userland"

turn off the whitepath code for now; we're not sure it's ready for release | tedu | 2016-01-06 | 1 | -1/+4
    ok deraadt

remove unnecessary casts where the incoming type is void *. | tedu | 2016-01-06 | 1 | -4/+4

Add pledge "drm", which allows a subset of the drm(4) ioctls. These are | kettenis | 2016-01-06 | 1 | -2/+21
    basically only the ioctls that Linux allows on the so-called "render nodes". For now, it also allows DRM_IOCTL_GET_MAGIC and DRM_IOCTL_GEM_OPEN, as we don't implement prime/dma-buf yet in OpenBSD. That still leaves a big gaping hole, so they will be removed as soon as we can. Based on a diff by robert@, who did all the heavy lifting by studying the behaviour of the chromium GPU process, with some further suggestions by deraadt@. ok jsg@, deraadt@, robert@

annoying whitespace | deraadt | 2016-01-05 | 1 | -3/+3

Add missing #include "audio.h". Fixes sndiod pledge issue reported by | tb | 2015-12-27 | 1 | -2/+2
    timo.myyra () wickedbsd ! net, thanks! While there, remove extraneous "pty.h". ok deraadt@

wrap "audio" pledge code in NAUDIO > 0, because there are a few | deraadt | 2015-12-27 | 1 | -3/+4
    GENERIC kernels which lack audio drivers.

pledge "audio" code block must be !SMALL_KERNEL | deraadt | 2015-12-23 | 1 | -1/+3

If PLEDGE_AUDIO is set, allow audio(4) ioctls necessary | ratchov | 2015-12-23 | 1 | -1/+17
    to use raw audio devices. ok deraadt, semarie

Change kernel internal pledge variables to 64bit (to prepare for more | deraadt | 2015-12-06 | 1 | -4/+4
    extensions). This change is exposed in ktrace.out files. ok semarie

Study of kernel code complete. Permit ioctl SIOCGIFMEDIA for pledge | deraadt | 2015-12-05 | 1 | -1/+2
    "route", which krw and mestre will be able to use in dhclient(8).

allow utrace(2) by default. | deraadt | 2015-12-04 | 1 | -1/+2
    conversation with jsg

remove PLEDGE_INET granting when using "getpw" in YP environment | semarie | 2015-12-04 | 1 | -7/+25
    it makes PLEDGE_YPACTIVE enough for doing required networking with YP. It should permit bringing YP internals into the light. discussed with deraadt@

Add pledge "dpath", which provides access to mknod(2) and mkfifo(2). | deraadt | 2015-12-04 | 1 | -1/+6
    This will be required to keep pax/tar/cpio at otherwise very high levels of pledge (and we will see where else it is beneficial). Allocate a bit for pledge "audio", which will be coming soon. good discussions with semarie

Do not think atomicity is required here. In any case, prepare for | deraadt | 2015-12-04 | 1 | -3/+3
    ps_pledge to become 64-bits over the next few days (things are getting a bit tight; most newer pledges will be quite device-driver specific)

Remove the /usr/share/nls/ exception from pledge(2). The libc | bluhm | 2015-12-03 | 1 | -8/+1
    native language support was deleted a month ago at u2k15. OK semarie@ deraadt@

pledge(pf) needs to allow DIOCKILLSRCNODES, used in relayd. | benno | 2015-12-03 | 1 | -1/+2
    ok deraadt@

On a SMALL_KERNEL, pledge "pf" has to be a no-op. We cannot match | deraadt | 2015-11-29 | 1 | -1/+3
    the device node (since it does not exist...)

Add pledge "pf" which allows ioctls on pf(4). This will be used by | benno | 2015-11-29 | 1 | -3/+26
    relayd and other programs manipulating the packet filter. ok deraadt@

pledge: allow getsockopt IP_IPDEFTTL with promise inet | benno | 2015-11-28 | 1 | -1/+2
    then relayd's host check engine can be pledged. ok reyk@, approach suggested by deraadt@ weeks ago.

Two additional ioctls for pledge("disklabel"), needed by installboot. | jca | 2015-11-27 | 1 | -1/+3
    Committing on behalf of tb@, problem reported by Rolf Sommerhalder on misc@.

permit kern.maxpartitions | deraadt | 2015-11-25 | 1 | -1/+5

Add sendsyslog2(), which accepts the syslog/openlog "logopt" flag | deraadt | 2015-11-24 | 1 | -1/+11
    LOG_CONS. If syslogd is not accepting messages, direct them to the console. This allows us to remove the direct /dev/console opening code from the bowels of libc. Of course, that forgotten code was exposed by pledge. ok kettenis millert beck

the "getpw" test for /dev/tty is only needed for readpassphrase(3), | deraadt | 2015-11-23 | 1 | -3/+3
    getpass(3), so don't specifically allow it for "rpath" (rpath will accept it in the end, unless it is on the whitelist)

need sys/device.h | deraadt | 2015-11-23 | 1 | -1/+2

For "disklabel", allow sysctl mach.chr2kblk and ioctl BIOCINQ/BIOCVOL | deraadt | 2015-11-22 | 1 | -1/+12
    also, to satisfy midlayers that some fs/install tools need.

"getpw" should also allow access to /etc/netid | deraadt | 2015-11-22 | 1 | -1/+3
    discovered by rpe

Permit msync(2) in the "stdio" set; only a few programs use it related | deraadt | 2015-11-20 | 1 | -1/+2
    to mmap, but thinking about it nothing feels risky. Long discussions with florian

Add pledge "disklabel", which allows sysctl kern.rawpartition, a | deraadt | 2015-11-20 | 1 | -1/+33
    few disklabel ioctls, and the DIOCMAP ioctl against /dev/diskmap used to translate duid numbers into partitions. This will allow pledging of at least 12 disk/filesystem aware programs; due to the negative impact that diff will wait a bit so everyone has a chance to update their kernels. ok semarie

Exempt accept(2) from the pledge_socket() check part of the "domain" | deraadt | 2015-11-20 | 1 | -1/+3
    check. You cannot open a socket in a domain unless permitted -- but you need to be able to accept one if the code flow asks for that to happen. The most recent check is too tight. We may need to iterate the policy here until we hit the right vibe...

check domain and state of socket against pledge promise. | semarie | 2015-11-18 | 1 | -9/+25
    ok deraadt@

backout removal of SYS_break from stdio, suggested by deraadt@ | sthen | 2015-11-17 | 1 | -1/+2
    ports using base gcc with PCH include: boost, keepassx, wxWidgets, jdk

Allow sysctl kern.clockrate, kern.argmax, kern.ngroups, kern.sysvshm, | deraadt | 2015-11-17 | 1 | -12/+24
    and kern.posix1version. Enough to satisfy getconf, and I hope we don't need to add much more after this. Largely from jca