path: root/sys/kern/kern_pledge.c

Commit log (each entry: commit message, then author, date, files changed, lines removed/added)
...
* Add an acct(5) flag for pledge violations. Then lastcomm(1) shows
  when something went wrong. This allows monitoring whether the system is under attack and whether the attack has been prevented by OpenBSD pledge(2). OK deraadt@ millert@ jmc@
  bluhm, 2017-06-07, 1 file, -1/+3

* Avoid printing garbage when aborting a program that tries to use a
  prohibited sysctl. ok deraadt
  tb, 2017-06-03, 1 file, -4/+8

* getrtable() is now permitted in "stdio". It carries no risk factors.
  deraadt, 2017-05-30, 1 file, -1/+2

* Enable radeondrm(4) on loongson to get accelerated graphics
  with the RS780E chipset. OK kettenis@, jsg@
  visa, 2017-05-21, 1 file, -2/+3

* Stricter pledge for bpf. ok deraadt
  natano, 2017-05-02, 1 file, -2/+4

* Mark futex(2) as PLEDGE_STDIO like all other thread-related syscalls.
  From semarie@, ok deraadt@
  mpi, 2017-04-29, 1 file, -2/+2

* Add futex(2) syscall based on a sane subset of its Linux equivalent.
  The syscall is marked NOLOCK and only FUTEX_WAIT grabs the KERNEL_LOCK() because of PCATCH and the signal nightmare. Serialization of threads is currently done with a global & exclusive rwlock. Note that the current implementation still uses copyin(9), which is not guaranteed to be atomic. Committing now such that remaining issues can be addressed in-tree. With inputs from guenther@, kettenis@ and visa@. ok deraadt@, visa@
  mpi, 2017-04-28, 1 file, -1/+2

* only 32 bits of the pledgecode were passed up via ktrace
  from Anton Lindqvist ok semarie
  deraadt, 2017-04-20, 1 file, -2/+2

* matthieu@ observes % pax (without any arguments) hits pledge violation,
  because it tries MTIOCTOP against stdin, the tty. It is very inconvenient to use isatty to distinguish this difference in userland, so return ENOTTY for tty devices. ok natano
  deraadt, 2017-04-17, 1 file, -4/+7
* Delete the getlogin59 syscall, which was last used one year, two releases,
  and four libc major versions ago. ok sthen@ jsing@ deraadt@ jca@
  guenther, 2017-04-13, 1 file, -2/+1

* Add SIOCATMARK to allow pledge("inet") programs to call sockatmark(3).
  from Matthias Pitzl; OK deraadt@
  bluhm, 2017-04-11, 1 file, -1/+2

* correct NBPFILTER #ifdef's
  from sthen and others
  deraadt, 2017-03-30, 1 file, -3/+3

* Allow the multicast ttl/hops and loop options with the mcast pledge.
  from Matthias Pitzl; OK deraadt@
  bluhm, 2017-03-28, 1 file, -1/+5

* wrap bpf pledge code in #if BPFFILTER
  deraadt, 2017-03-27, 1 file, -1/+4

* Inside pledge_ioctl, wrap #if's around the complete sub-blocks.
  deraadt, 2017-03-26, 1 file, -9/+9

* For the tape ioctls, recognize that block devices don't exist anymore.
  Also fail if the descriptor is actually a tty. ok guenther
  deraadt, 2017-03-26, 1 file, -2/+3

* The "ioctl" pledge, which had its functionality split out into "tape",
  "bpf", and "inet", can finally go away. Use a snapshot if you get into trouble, most likely in pax.
  deraadt, 2017-03-18, 1 file, -2/+1

* Allow SIOCGIFXFLAGS in pledge("route") alongside SIOCGIFFLAGS, needed
  for the upcoming IPv6 stateless address autoconfiguration daemon to see if autoconfiguration and autoconfprivacy are enabled. Input semarie@; OK deraadt@
  florian, 2017-03-14, 1 file, -1/+2

* pax conversion was missed; give this another week
  deraadt, 2017-03-11, 1 file, -1/+2

* remove pledge "ioctl" backwards compat
  deraadt, 2017-03-11, 1 file, -2/+1

* Backwards compat for pledge "ioctl" for about a week
  deraadt, 2017-01-23, 1 file, -1/+2

* Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only
  upon "inet". Adjust the 4 programs that care about this.
  deraadt, 2017-01-23, 1 file, -20/+19

* whitespace
  deraadt, 2017-01-23, 1 file, -6/+6
* p_comm is the process's command and isn't per thread, so move it from
  struct proc to struct process. ok deraadt@ kettenis@
  guenther, 2017-01-21, 1 file, -5/+5

* Fix typo in comment: it's vm.loadavg, not kern.loadavg.
  From patrick keshishian
  tb, 2016-11-13, 1 file, -2/+2

* For consistency, allow symlinkat(2) in the same way as symlink(2);
  no need to wait until the first program using it breaks... "could make sense" semarie@ (and thanks for the cluestick) OK deraadt@
  schwarze, 2016-10-27, 1 file, -1/+2

* pledge changes needed to support pledging vmd(8) on i386, forthcoming.
  ok deraadt@
  mlarkin, 2016-10-21, 1 file, -2/+2

* In pledge_namei_wlpath(), if resolvpath() errors out early it will not
  set variables that will later be used as the size argument to free(NULL) calls. This should be harmless as free returns early if the address is NULL without checking the size. Initialise these variables before the call to ensure they are never passed to another function uninitialised. ok tedu@ millert@ deraadt@
  jsg, 2016-10-06, 1 file, -2/+2

* Display the process's PID with p->p_p->ps_pid, not p->p_pid.
  Use a local variable struct process *pr to simplify expressions. ok deraadt@
  guenther, 2016-10-05, 1 file, -12/+13

* NPF > 0 is a better test than SMALL for presence of pf.
  ok deraadt
  tedu, 2016-09-17, 1 file, -3/+4

* Remove sys_o58_kill since OpenBSD 6.0 has been tagged/released.
  ok deraadt@
  jsing, 2016-09-04, 1 file, -2/+1

* Delete unused ioctls and associated macros. Move macros that are still
  used internally by low-level drivers from sys/audioio.h to dev/audio_if.h instead of deleting them.
  ratchov, 2016-08-31, 1 file, -6/+1

* Revert previous commit
  mikeb, 2016-07-28, 1 file, -2/+2

* Convert ifq_deq_{begin,rollback,commit} dance to a single ifq_dequeue
  mikeb, 2016-07-28, 1 file, -2/+2

* remove more noisy messages in "sendfd" and "recvfd"
  deraadt, 2016-07-12, 1 file, -11/+4

* be less noisy on console in case of "recvfd" refusal
  ok semarie
  deraadt, 2016-07-11, 1 file, -4/+2

* pledge: use uint64_t instead of int for temporarily storing a 64-bit integer
  affects only 32-bit platforms (like i386). problem spotted and diff from pelikan@ ok deraadt@ jca@
  semarie, 2016-07-10, 1 file, -4/+4

* Paranoia: check KTRPOINT() before calling ktrpledge() to guarantee we
  can't (in the future) loop from ktrace writing hitting a pledge condition. diff from Michal Mazurek (akfaew (at) jasminek.net)
  guenther, 2016-07-10, 1 file, -2/+3
* introduces new promise "chown" to allow changing owner/group with the *chown(2) family
  it splits PLEDGE_FATTR in two ("fattr" still grants the 2 flags, so no functional changes):
  - PLEDGE_CHOWN : to be able to call *chown(2) syscalls
  - PLEDGE_FATTR : the rest
  it introduces "chown" which grants:
  - PLEDGE_CHOWN : be able to call *chown(2)
  - PLEDGE_CHOWNUID : be able to modify owner/group
  ok deraadt@ tedu@
  semarie, 2016-07-03, 1 file, -6/+11

* in pledgereq (the array for doing correspondence between the textual promise as in pledge(2) and the internal PLEDGE_* flag), the flags member should be a uint64_t and not an int.
  ok deraadt@
  semarie, 2016-06-28, 1 file, -2/+2

* Restore the sys_o58_kill system call.
  By keeping both the new (sys_kill/sys_thrkill) and old (sys_o58_kill) system calls for the OpenBSD 6.0 release, code that uses either of these mechanisms will work on both of the supported OpenBSD releases. This provides a clean transition for runtimes that make direct system calls (namely the Go programming language). This requires a minimal amount of non-intrusive code and does not block development progress within OpenBSD. ok deraadt@ guenther@
  jsing, 2016-06-27, 1 file, -1/+2

* Implement IPV6_MINHOPCOUNT support.
  Useful to implement GTSM support in daemons such as bgpd(8). Diff from 2013 revived by renato@. Input from bluhm@, ok bluhm@ deraadt@
  jca, 2016-06-27, 1 file, -1/+2

* per trending style, add continue to empty loops.
  ok mglocker
  tedu, 2016-06-07, 1 file, -2/+2

* sys_o58_kill is no longer needed for compat.
  ok guenther sthen
  deraadt, 2016-05-31, 1 file, -2/+1

* sys_osendsyslog can go away; we have transitioned to the new version with
  a flags argument. ok guenther sthen
  deraadt, 2016-05-31, 1 file, -2/+1

* rename(2) operation requires "rpath cpath" at the underlying operation
  (the src path lookup is considered an rpath operation). noticed by kristaps, discussed with semarie
  deraadt, 2016-05-27, 1 file, -2/+2

* remove chroot(2) from allowed syscalls under pledge(2).
  please note that chrooted processes are still possible with pledge(2), but only if the chroot(2) is done *before* calling pledge(2). Once pledged, no more chroot(2) calls are permitted.
  semarie, 2016-05-15, 1 file, -3/+1

* 1) Split pledge whitelist path handling out of pledge_namei() and into
  pledge_namei_wlpath(). Call the wlpath check only at the end of namei after the namei lookup would otherwise succeed. 2) Add support to namei to keep the path that was looked up, without the symlinks in it, and use that path for whitelist path lookups. This means that paths in pledge whitelists will need to always be the real path to an intended file to whitelist, without symlinks. Any symlinks to the "real" file will then be allowed. ok deraadt@ semarie@
  beck, 2016-04-28, 1 file, -60/+72

* simplifies the check for allowing only promise
  reductions. ok deraadt@
  semarie, 2016-04-25, 1 file, -11/+9

* removes an unneeded check on flags (used historically when tame(2) was using
  bitflags) ok deraadt@ jca@
  semarie, 2016-04-25, 1 file, -4/+1