path: root/sys/kern/kern_pledge.c

Commit log. Each entry gives the commit message followed by [author, date, files changed, lines removed/added].
...
* At guenther's suggestion replace dnssocket() with a SOCK_DNS flag on
  socket(). Without pledge, all other socket behaviours become permitted, except this one case: connect/send* only works to *:53. In pledge mode, a very few are further restricted. Some backwards compatibility for the dnssocket/dnsconnect calls will remain in the tree temporarily so that people can build through the transition. ok tedu guenther semarie
  [deraadt, 2015-10-20, 1 file, -26/+13]
* Add SIOCGIFGMEMB to "route" (returns a list of all interfaces that are
  members of the given group). This is used by some parse.y. OK deraadt@
  [reyk, 2015-10-20, 1 file, -1/+2]
* clear whitelisted-paths view in pledge.
  the following diff adds a clear view of whitelisted-paths in pledge. before, whitelisting the "/usr/local/bin" path would make only the "/usr/local/bin" VNODE present and let "/usr/local", "/usr", and "/" be ENOENT. It was a somewhat odd filesystem hierarchy, and it breaks realpath(3). with this diff, the directories that are one of the parents of a whitelisted directory become visible to stat(2) related syscalls, but only with restricted permissions: stat(2) will lie a bit, saying they are owned by root:wheel and the mode is --x--x--x. Note that only stat(2) is affected by this "view", and the owner/mode aren't effectively changed: it is just a "lie". while here, refactor pledge_namei() a bit in order to avoid multiple for-loops on the whitelisted-path array. ok deraadt@
  [semarie, 2015-10-20, 1 file, -5/+48]
* allow SO_ERROR all the time
  [deraadt, 2015-10-20, 1 file, -1/+2]
* Always allow the setsockopt & getsockopt system calls... however, in the
  default case only allow SOL_SOCKET SO_RCVBUF which is very common in network-facing daemons. Many of them manage this on a socket after dropping abilities which can get them _new_ sockets.. syslogd, bgpd, relayd, etc etc. Other sockopts still require specific pledges. Tested by bluhm.
  [deraadt, 2015-10-20, 1 file, -6/+29]
* Allow setpriority in "proc" as well, since a few shells have "nice"
  builtin. make a note that setpriority() should be weakened, unless "id" is also present. pointed out by Theo Buehler
  [deraadt, 2015-10-19, 1 file, -2/+4]
* Print vnode type for sendfd/recvfd not file type, ok semarie
  [nicm, 2015-10-19, 1 file, -6/+6]
* Instead of fragile CMSG parsing, control pledge "sendfd" and "recvfd"
  in unp_internalize and unp_externalize. ok kettenis guenther
  [deraadt, 2015-10-18, 1 file, -108/+39]
* move SS_DNS socket check from kern_pledge.c to sys_generic.c
  this check has nothing to do with pledge(2). make it live in the sys_ioctl() call. while here, move the (fp == NULL) check early and remove the duplicate check from pledge_ioctl_check(). ok guenther@ deraadt@
  [semarie, 2015-10-18, 1 file, -10/+2]
* getting sloppy, lost a }
  [deraadt, 2015-10-18, 1 file, -1/+2]
* Move your drink further away... When a program pledged "getpw" fails to
  get a response from a YP server, it will open "/dev/tty" and spit out: 'YP server for domain %s not responding, still trying' For now allow open of /dev/tty for "getpw". I hope to re-architect the libc:YP communication protocol (strategy similar to syslog->sendsyslog, isatty->fcntl, dnssocket/dnsconnect) and then we can reevaluate this.
  [deraadt, 2015-10-18, 1 file, -1/+9]
* TIOCSTI and TIOCSCTTY; oops got the condition backwards.
  [deraadt, 2015-10-18, 1 file, -3/+3]
* Allow read/write access to /dev/tty when using "tty" pledge.
  Without this change, you need "rpath" and "wpath" to open /dev/tty. Some applications explicitly open /dev/tty, but deraadt@ found the most common use is indirectly via readpassphrase(). tweak and ok deraadt@ pre-tweak ok millert@, semarie@
  [doug, 2015-10-18, 1 file, -1/+8]
* Add two new system calls: dnssocket() and dnsconnect(). This creates a
  SS_DNS tagged socket which has limited functionality (for example, you cannot accept on them...) The libc resolver will switch to using these, therefore pledge can identify a DNS transaction better. ok tedu guenther kettenis beck and others
  [deraadt, 2015-10-18, 1 file, -65/+32]
* naddy asks me if __tfork should be allowed by "proc". yes!
  We may need a better semantic later ("thread"?), but this allows progress, and people can report their experiences.
  [deraadt, 2015-10-17, 1 file, -1/+2]
* Allow the nasty ioctl TIOCSTI in "tty", but also require the "proc"
  permission. For now, we'll tighten it down further later.
  [deraadt, 2015-10-17, 1 file, -4/+3]
* better wording in a comment
  [deraadt, 2015-10-17, 1 file, -3/+3]
* Unify TIOCGPGRP/TIOCGWINSZ/TIOCGWINSZ behaviour regarding ENOTTY return.
  (both "tty" and "ioctl" allow these; they should behave the same)
  [deraadt, 2015-10-17, 1 file, -7/+4]
* Allow TIOCSCTTY on tty devices, if the pledge says "tty id"
  worked out with nicm
  [deraadt, 2015-10-17, 1 file, -1/+6]
* whitespace
  [deraadt, 2015-10-17, 1 file, -4/+4]
* Add pledge "id" support. This request permits setuid/seteuid/setresuid,
  setgid/setegid/setresgid, setgroups, setlogin, and setpriority. setrlimit and getpriority are also allowed (they are also in "proc"). some of these were previously permitted in "proc" but have been removed. this separation is intentional. "proc" is intended for reasoning about the relationship of a process "with other processes", whereas "id" deals with the powerful/dangerous concept of unix ids. "id" will see some action very soon. ok gilles tedu semarie doug
  [deraadt, 2015-10-17, 1 file, -7/+16]
* Allow a few 'get' ioctls for pledge("route"). route6d will soon use this.
  ok deraadt@
  [jca, 2015-10-17, 1 file, -1/+4]
* Also allow 6 as a miblen for NET_RT_DUMP, not all users specify a rtable.
  ok deraadt@
  [jca, 2015-10-16, 1 file, -2/+2]
* Repair the pty check for kernels without pty support.
  [deraadt, 2015-10-16, 1 file, -1/+5]
* Allow PTMGET with "tty rpath wpath" but restrict only to /dev/ptm by
  checking cdevsw. ok deraadt
  [nicm, 2015-10-16, 1 file, -1/+14]
* Always allow a r/w opening of /dev/null through the namei check. This
  pattern is common, especially because of daemon(3) usage. Will probably help some daemons move their pledge() calls further upwards. ok doug,
  [deraadt, 2015-10-16, 1 file, -1/+8]
* delete pledge_bind_check() function and remove pledge_bind_check() call from sys_bind().
  bind(2) still requires PLEDGE_INET or PLEDGE_UNIX in order to be called, due to the SYS_bind entry in the pledge_syscalls array. The diff also restores the ability for PLEDGE_UNIX to call bind(2) (the pledge_bind_check function missed that). problem spotted by doug@ OK deraadt@
  [semarie, 2015-10-16, 1 file, -12/+1]
* Place TIOCSTI reminder block better
  [deraadt, 2015-10-16, 1 file, -7/+7]
* For "tty" pledges, treat TIOCGPGRP and TIOCGWINSZ like TIOCGETA -
  returning ENOTTY instead of killing the process.
  [deraadt, 2015-10-16, 1 file, -3/+3]
* Implement real "flock" request and add it to userland programs that
  use pledge and file locking. OK deraadt@
  [millert, 2015-10-16, 1 file, -3/+13]
* FIOSETOWN/FIOGETOWN were added to "ioctl", but study finds no programs
  currently needing them. delete 'em for now. ok doug
  [deraadt, 2015-10-16, 1 file, -4/+1]
* Add TIOCCBRK and TIOCSDTR to the whitelist for pledge ioctl.
  cu(1) uses these. ok deraadt@
  [doug, 2015-10-16, 1 file, -1/+3]
* Add TIOCFLUSH to "tty" in support of tcflush()
  [deraadt, 2015-10-15, 1 file, -1/+2]
* Exposing FIOASYNC in pledge "ioctl" is a mistake; remove it, cannot find safe uses of it
  [deraadt, 2015-10-15, 1 file, -2/+1]
* FIOCLEX & FIONCLEX should be in base ioctl set
  [deraadt, 2015-10-15, 1 file, -3/+3]
* FALTHROUGH->FALLTHROUGH in comment, ok deraadt a few days ago
  [sthen, 2015-10-14, 1 file, -2/+2]
* Add a dummy "flock" request that will allow file locking. It is
  not currently enforced but we want the kernel to be able to parse it for an upcoming diff in the next few days.
  [millert, 2015-10-14, 1 file, -3/+3]
* When pledged with "fattr", allow chown to supplementary groups. This
  came out of a discussion regarding "sort foo -o foo". ok semarie
  [deraadt, 2015-10-14, 1 file, -1/+13]
* pledge "tty" can allow ioctl TIOCEXCL on a tty
  [deraadt, 2015-10-14, 1 file, -1/+2]
* sendmsg() is allowed to pass cmsg's which are not CMSG_RIGHTS - last
  refactoring inverted the checks; spotted by sthen in ping6.
  [deraadt, 2015-10-14, 1 file, -4/+4]
* 3 more headers required for one stinking inet6 ioctl..
  [deraadt, 2015-10-13, 1 file, -1/+4]
* Allow ioctl SIOCGNBRINFO_IN6 in case of "route", for use by ndp.
  [deraadt, 2015-10-13, 1 file, -1/+2]
* NET_RT_FLAGS must also accept a proto selection.
  [deraadt, 2015-10-13, 1 file, -2/+3]
* allow getsockopt IP_RECVDSTPORT & IPV6_RECVDSTPORT for an "inet" pledge
  [deraadt, 2015-10-13, 1 file, -1/+3]
* Pledge "fattr" request should allow fchflags().
  "add it" deraadt@
  [doug, 2015-10-13, 1 file, -1/+2]
* pledge "proc" request should allow setsid()
  [deraadt, 2015-10-12, 1 file, -1/+2]
* Remove the "cmsg" attribute, as promised. Use "sendfd" or "recvfd",
  depending on what you need. inet/inet6 cmsg's come through unmolested -- that is something to consider later.
  [deraadt, 2015-10-12, 1 file, -2/+1]
* add a missed check for PLEDGE_RPATH when reading a file.
  ok deraadt@
  [semarie, 2015-10-11, 1 file, -1/+6]
* sigaltstack is directly used by setjmp on some architectures. it only
  refers to the process itself. pledge should allow it.
  [deraadt, 2015-10-11, 1 file, -1/+2]
* put TIOCSWINSZ in the right block "tty", not in "ioctl". this happened
  because the "route" tests were placed between the two, creating confusion. fix that while here.
  [deraadt, 2015-10-11, 1 file, -13/+13]