path: root/sys/kern/kern_pledge.c
Commit log (each entry: message; author, date; files changed, lines -/+)
...
* Allow TIOCEXT in pledge "tty" (deraadt, 2015-11-16; 1 file, -1/+2)
    Discussed with millert
* Permit revoke(2) for a pledge "rpath tty" (deraadt, 2015-11-16; 1 file, -1/+3)
    ok millert semarie tedu guenther
* brk/sbrk's use case is way too narrow to be a default stdio pledge. (pascal, 2015-11-16; 1 file, -2/+1)
    Since this only affects base gcc and the ports most in need of PCHs are compiled with ports compilers anyway, let's see what happens if we break it.
    discussed with and ok deraadt@
* Add pathconf() to pledge "rpath"; ok guenther (deraadt, 2015-11-14; 1 file, -1/+2)
* For pledge "stdio", allow the break(2) system call which backends the brk/sbrk library routines. (deraadt, 2015-11-14; 1 file, -1/+2)
    The manpage declares, in bold: The brk() and sbrk() functions are historical curiosities left over from earlier days before the advent of virtual memory management.
    In our base tree, only one program uses these functions -- cc1 in the gcc toolset. A historical curiosity using a historical curiosity, how quaint. brk is used because precompiled c headers are not position independent. Another program which relies upon brk is emacs.
    Other uses of brk are EXCEEDINGLY RARE, because most software grew up and use modern practices such as malloc and mmap, thereby gaining ASLR benefits. Position independence has become an important part of mitigations. These two programs fight such improvements.
    Permitting brk/sbrk allows the large attack surface of cc1 to be pledged.
    "I would rather have cc1 pledged than purity in pledge" guenther
* Allow setsockopt IPPROTO_IPV6 IPV6_TCLASS (v4 calls this IP_TOS) (deraadt, 2015-11-13; 1 file, -1/+2)
* Split the intra-thread functionality from kill(2) into its own syscall thrkill(2), rolling the kill(2) syscall number with the ABI change to avoid breaking binaries during the transition. (guenther, 2015-11-10; 1 file, -2/+4)
    thrkill(2) includes a 'tcb' argument that eliminates the need for locking in pthread_kill() and simplifies pthread_cancel(). Switch __stack_smash_handler() to use thrkill(2) and explicitly unblock SIGABRT.
    Minor bump to both libc and libpthread: make sure you install a new kernel!
    ok semarie@
* revert sys/kern/kern_pledge.c 1.103 and reenable pledge in pwd_mkdb (semarie, 2015-11-05; 1 file, -13/+3)
    ok deraadt@
* pledge_ioctl only takes files, adjust prototype. ok semarie (tedu, 2015-11-04; 1 file, -4/+4)
* move /etc/spwd.db blacklist outside PLEDGE_GETPW check. (semarie, 2015-11-04; 1 file, -3/+13)
    so that all pledged programs would get it instead of only ones with PLEDGE_GETPW.
    ok deraadt@
* pledge_aftersyscall has been reduced to one case, "getpw", to open a window for chatting to ypserv. (deraadt, 2015-11-03; 1 file, -10/+11)
    This can be done in pledge_namei, so improve system call performance by removing the pledge_aftersyscall hook.
    ok semarie
* some tweaks to the signal code. (tedu, 2015-11-02; 1 file, -2/+2)
    allow signals to any thread (they'll be checked within process later). guenther also notes the pid check should be process pid, not proc pid.
* use binary-search for pledge-request (semarie, 2015-11-02; 1 file, -26/+40)
    (similar diff proposed by Peter J. Philipp)
    "no problem" deraadt@
* move the pledgenote annotation from `struct proc' to `struct nameidata' (semarie, 2015-11-02; 1 file, -30/+24)
    pledgenote is used to annotate the policy for a namei context. So make it track the nameidata.
    It is expected for the caller to explicitly define the policy. It is a kernel bug to not do so.
    ok deraadt@
* also handle the kill(self) case for threads; from Theo Buehler (deraadt, 2015-11-02; 1 file, -2/+2)
* refactor pledge_*_check and pledge_fail functions (semarie, 2015-11-01; 1 file, -27/+52)
    - rename _check function without suffix: a "pledge" function called from anywhere is a "check" function.
    - make calling pledge_fail the responsibility of the _check function. remove it from caller.
    - make proper use of (potential) returned error of _check() functions.
    - adds pledge_kill() and pledge_protexec()
    with and OK deraadt@
* Do not need to check the pledge control bits for system calls that are PLEDGE_ALWAYS. (deraadt, 2015-11-01; 1 file, -2/+2)
    ok semarie
* uniformize "always allowed syscalls" with pledge (semarie, 2015-11-01; 1 file, -8/+7)
    - use a proper name PLEDGE_ALWAYS (suggested by deraadt@)
    - unify the check for allowing it in order to allow all of them
    ok deraadt@
* oops, forgot pselect! crazy how many interfaces the kernel has here. (deraadt, 2015-10-31; 1 file, -1/+2)
    It is just risk, risk, risk, risk. Is there any way to unify them?
* expose the sysctl backing getloadavg(3) all the time, now that more consumers have been found. (deraadt, 2015-10-31; 1 file, -4/+4)
    Spotted by Nathanael Rensen
* Add some setsockopt hacks for libisc, aka John Frum (deraadt, 2015-10-29; 1 file, -1/+13)
* Reorder system call table into sequential blocks of alike-functionality and similar usage cases. (deraadt, 2015-10-29; 1 file, -58/+105)
    Should provide a bit more clarity for those who read the kernel code.
* cleanup indentation and comments in sysctl whitelist (deraadt, 2015-10-28; 1 file, -16/+15)
* merge whitelisted r/w paths and rd paths switch to only one. (semarie, 2015-10-28; 1 file, -13/+8)
    It becomes possible due to the move of failing case later.
* make sys_chroot() only allowed to be used when pledged, with "rpath id proc". (semarie, 2015-10-28; 1 file, -6/+1)
    the previous check in pledge_namei() was incomplete. For using SYS_chroot we needed "id", and we could have passed pledge_namei() just with "rpath" (without using the now removed whitelisted entry).
    the check for "rpath id proc" is now done using p_pledgenote: pledge_namei() will check that the pledgenote is permitted by your pledge.
    "go ahead" deraadt@
* refactor pledge_namei() a bit (semarie, 2015-10-28; 1 file, -29/+18)
    - remove all explicit checks that ensure p_pledgenote have counterpart in ps_pledge by one unique check. It makes management of explicit whitelisted operations on some paths simpler to manage. And now, we can use p_pledgenote for finer checking in namei usage.
    - add special case for unset p_pledgenote: the behaviour is the same as previously (we allow the operation with "rpath", "wpath" or "cpath" request) but it should be changed soon to be more strict.
    "go ahead" deraadt@
* canonpath() error isn't related to p_pledgenote requirement (only possible error currently is ENAMETOOLONG), so don't use p_pledgenote when failing. (semarie, 2015-10-28; 1 file, -3/+3)
* in pledge_namei(), move PLEDGE_EXEC check sooner: it doesn't depend on path processing. (semarie, 2015-10-28; 1 file, -6/+6)
* Prevent F_SETOWN, unless a "proc" pledge was made. (deraadt, 2015-10-28; 1 file, -1/+12)
* The short-lived dnssocket/dnsconnect calls are being required because we suspect everyone has upgraded through the approx week-long window since SOCK_DNS became available and the libc resolver started using them. (deraadt, 2015-10-28; 1 file, -5/+1)
* kern.cptime is length 2 (deraadt, 2015-10-28; 1 file, -2/+2)
* support kern.cptime also (deraadt, 2015-10-28; 1 file, -1/+4)
* Add ppoll() to "stdio" (deraadt, 2015-10-26; 1 file, -1/+2)
* Allow NET_RT_IFLIST in pledge "dns" as well (deraadt, 2015-10-26; 1 file, -2/+2)
* If the system call is entirely unpermitted, code will be 0, and there is no pledge to recommend. (deraadt, 2015-10-26; 1 file, -4/+7)
* add setreuid/setregid to "id" (deraadt, 2015-10-26; 1 file, -1/+3)
* change some pledge_fail() error/code (semarie, 2015-10-26; 1 file, -4/+4)
    - for PLEDGE_FATTR: the code is more accurate to be PLEDGE_FATTR, as p->p_pledgenote could have multiple bits inside, and it is the lack of PLEDGE_FATTR that makes the check fail.
    - for PLEDGE_RECVFD and PLEDGE_SENDFD, change the error to be EINVAL: we fail, not because of lack of PLEDGE_RECVFD / PLEDGE_SENDFD permission, but because the value passed is invalid in pledged program (for example trying to send a VDIR).
    "go ahead" deraadt@
* make pledge_check(), used for syscall check with pledge, return an error and provide the required pledge request for pledge_fail(). (semarie, 2015-10-26; 1 file, -5/+12)
    ok deraadt@
* Fold "malloc" into "stdio" and -- recognizing that no program so far has used less than "stdio" -- include all the "self" operations. (deraadt, 2015-10-25; 1 file, -148/+160)
    Instead of different defines, use regular PLEDGE_* in the "p_pledgenote" variable (which indicates the operation subtype a system call is performing). Many checks are now easier to understand.
    p_pledgenote can often be passed directly to ktrace, so that kdump says:
        15565 test CALL pledge(0xa9a3f804c51,0)
        15565 test STRU pledge request="stdio"
        15565 test RET pledge 0
        15565 test CALL open(0xa9a3f804c57,0x2<O_RDWR>)
        15565 test NAMI "/tmp/testfile"
        15565 test PLDG open, "wpath", errno 1 Operation not permitted
    with help from semarie, ok guenther
* pledge_sockopt_check is shared between setsockopt/getsockopt. (deraadt, 2015-10-25; 1 file, -13/+13)
    nicm found the first case of "get allowed, set not allowed". Tiny refactoring of that.
* reorder some checks in pledge_namei() in order to properly work. (semarie, 2015-10-25; 1 file, -21/+21)
    mainly move read/write whitelisted paths that should be *before* checking if you have PLEDGE_WPATH.
    with and ok deraadt@
* ps(1) needs sysctl KERN_PROC_CWD exposed as well in the pledge "ps" set. (deraadt, 2015-10-25; 1 file, -1/+4)
    hit by czarkoff
* For SYS_open let the /dev/null special case match if any TMN_RPATH, TMN_WPATH or both are set in p_pledgenote. (millert, 2015-10-25; 1 file, -5/+4)
    Matches the style used for /dev/tty special cases (among others). From deraadt@
* Allow getsockopt(IP_OPTIONS) (with inet), needed by portmap (for RPC). (nicm, 2015-10-25; 1 file, -1/+5)
    ok deraadt
* Allow SIOCGIFINFO_IN6 (deraadt, 2015-10-23; 1 file, -4/+5)
* Introduce a new sysctl NET_RT_IFNAMES that returns only ifnames to ifindex mappings. (claudio, 2015-10-23; 1 file, -1/+5)
    This will be used by if_nameindex(3), if_nametoindex(3) and if_indextoname(3) soon to fix the issues in pledge because of inet6 link local addressing.
    OK mpi@ benno@ deraadt@
    The libc version will follow soon so better start updating your kernels
* Add 3 new pledge requests. (deraadt, 2015-10-23; 1 file, -2/+73)
    "ps" exposes enough sysctl information for ps-style programs (there are quite a few in the tree, including tmux). "vminfo" exposes a bit more system operation information, which many observation programs want (such as top). settime allows setting the system time, and will be used to pledge-protect the last ntpd process.
* Allow hw.ncpu sysctl (a few reasons showed up in my mailbox rapidly..) (deraadt, 2015-10-23; 1 file, -1/+4)
* Further study shows "route" should allow all address families in NET_RT_DUMP (deraadt, 2015-10-22; 1 file, -2/+1)
    With benno
* After some consideration, simply allow TIOCSCTTY in the "tty" pledge. (deraadt, 2015-10-22; 1 file, -6/+2)
    Discussion with nicm.