path: root/sys/kern/kern_pledge.c
...
* pledge: let wl_paths work well with chroots
  semarie, 2016-03-13, 1 file changed, -113/+173
  it factorizes path resolution into a resolvpath() function, and uses it in sys_pledge() and pledge_namei(). please note that wl_paths is still disabled.
* corrects an off-by-one error in pledge_namei()
  semarie, 2016-03-13, 1 file changed, -47/+25
  - rewrite canonpath() to not require an extra byte before shrinking
  - make canonpath() errors not fatal for the caller (proposition from tedu@)
  ok millert@ tedu@ deraadt@
* pledge: define the meaning of passing NULL to one argument of pledge(2) as "I don't want to change the current value"
  semarie, 2016-03-11, 1 file changed, -14/+17
  it changes only the `request' argument behaviour when NULL is passed: previously it was treated as if "" was passed. with help from jmc@ for the man-page. OK tb@ on previous version
* Return ENOTTY for TIOCFLUSH when allowed by pledge but the fd is not a tty.
  millert, 2016-02-17, 1 file changed, -2/+2
  Fixes a pledge failure in telnet when piping the output. OK deraadt@
* Check if the vnode type is VBAD (corresponds to disconnected usb devices) and return ENOTTY rather than terminating the caller program.
  ratchov, 2016-01-19, 1 file changed, -2/+5
  Found by Michael Reed <m.reed at mykolab.com>. ok semarie, deraadt
* Add SYS_truncate as a "wpath" operation. Omission noticed by tb and sthen.
  deraadt, 2016-01-18, 1 file changed, -1/+2
* drop "abort" promise, and make it the default behaviour.
  semarie, 2016-01-09, 1 file changed, -17/+9
  The current code has already set it by default since 1.74: any pledge failure tries to make a coredump (default rules for coredump still apply, so setuid binaries don't create them locally). ok deraadt@
* Add "vmm" pledge to allow restricted ioctl access to /dev/vmm.
  reyk, 2016-01-08, 1 file changed, -1/+21
  This will allow pledging vmd(8)'s vmm and vm processes, so that VMs themselves run "sandboxed", including their host-side virtio layer. It will remain disabled for now (in userland) so as not to get in the way of ongoing development and upcoming changes in vmd and the ioctl interface. OK mlarkin@ deraadt@ "kernel side in, but not the callers in userland"
* turn off the whitepath code for now; we're not sure it's ready for release
  tedu, 2016-01-06, 1 file changed, -1/+4
  ok deraadt
* remove unnecessary casts where the incoming type is void *.
  tedu, 2016-01-06, 1 file changed, -4/+4
* Add pledge "drm", which allows a subset of the drm(4) ioctls.
  kettenis, 2016-01-06, 1 file changed, -2/+21
  These are basically only the ioctls that Linux allows on the so-called "render nodes". For now, it also allows DRM_IOCTL_GET_MAGIC and DRM_IOCTL_GEM_OPEN, as we don't implement prime/dma-buf yet in OpenBSD. That still leaves a big gaping hole, so they will be removed as soon as we can. Based on a diff by robert@, who did all the heavy lifting by studying the behaviour of the chromium GPU process, with some further suggestions by deraadt@. ok jsg@, deraadt@, robert@
* annoying whitespace
  deraadt, 2016-01-05, 1 file changed, -3/+3
* Add missing #include "audio.h". Fixes sndiod pledge issue reported by timo.myyra () wickedbsd ! net, thanks!
  tb, 2015-12-27, 1 file changed, -2/+2
  While there, remove extraneous "pty.h". ok deraadt@
* wrap "audio" pledge code in NAUDIO > 0, because there are a few GENERIC kernels which lack audio drivers.
  deraadt, 2015-12-27, 1 file changed, -3/+4
* pledge "audio" code block must be !SMALL_KERNEL
  deraadt, 2015-12-23, 1 file changed, -1/+3
* If PLEDGE_AUDIO is set, allow audio(4) ioctls necessary to use raw audio devices.
  ratchov, 2015-12-23, 1 file changed, -1/+17
  ok deraadt, semarie
* Change kernel internal pledge variables to 64bit (to prepare for more extensions).
  deraadt, 2015-12-06, 1 file changed, -4/+4
  This change is exposed in ktrace.out files. ok semarie
* Study of kernel code complete. Permit ioctl SIOCGIFMEDIA for pledge "route", which krw and mestre will be able to use in dhclient(8).
  deraadt, 2015-12-05, 1 file changed, -1/+2
* allow utrace(2) by default.
  deraadt, 2015-12-04, 1 file changed, -1/+2
  conversation with jsg
* remove PLEDGE_INET granting when using "getpw" in YP environment
  semarie, 2015-12-04, 1 file changed, -7/+25
  it makes PLEDGE_YPACTIVE enough for doing required networking with YP. It should permit bringing YP internals into the light. discussed with deraadt@
* Add pledge "dpath", which provides access to mknod(2) and mkfifo(2).
  deraadt, 2015-12-04, 1 file changed, -1/+6
  This will be required to keep pax/tar/cpio at otherwise very high levels of pledge (and we will see where else it is beneficial). Allocate a bit for pledge "audio", which will be coming soon. good discussions with semarie
* Do not think atomicity is required here. In any case, prepare for ps_pledge to become 64-bits over the next few days (things are getting a bit tight; most newer pledges will be quite device-driver specific)
  deraadt, 2015-12-04, 1 file changed, -3/+3
* Remove the /usr/share/nls/ exception from pledge(2). The libc native language support was deleted a month ago at u2k15.
  bluhm, 2015-12-03, 1 file changed, -8/+1
  OK semarie@ deraadt@
* pledge(pf) needs to allow DIOCKILLSRCNODES, used in relayd.
  benno, 2015-12-03, 1 file changed, -1/+2
  ok deraadt@
* On a SMALL_KERNEL, pledge "pf" has to be a no-op. We cannot match the device node (since it does not exist...)
  deraadt, 2015-11-29, 1 file changed, -1/+3
* Add pledge "pf" which allows ioctls on pf(4). This will be used by relayd and other programs manipulating the packet filter.
  benno, 2015-11-29, 1 file changed, -3/+26
  ok deraadt@
* pledge: allow getsockopt IP_IPDEFTTL with promise inet
  benno, 2015-11-28, 1 file changed, -1/+2
  then relayd's host check engine can be pledged. ok reyk@, approach suggested by deraadt@ weeks ago.
* Two additional ioctls for pledge("disklabel"), needed by installboot.
  jca, 2015-11-27, 1 file changed, -1/+3
  Committing on behalf of tb@, problem reported by Rolf Sommerhalder on misc@.
* permit kern.maxpartitions
  deraadt, 2015-11-25, 1 file changed, -1/+5
* Add sendsyslog2(), which accepts the syslog/openlog "logopt" flag LOG_CONS.
  deraadt, 2015-11-24, 1 file changed, -1/+11
  If syslogd is not accepting messages, direct them to the console. This allows us to remove the direct /dev/console opening code from the bowels of libc. Of course, that forgotten code was exposed by pledge. ok kettenis millert beck
* the "getpw" test for /dev/tty is only needed for readpassphrase(3), getpass(3), so don't specifically allow it for "rpath" (rpath will accept it in the end, unless it is on the whitelist)
  deraadt, 2015-11-23, 1 file changed, -3/+3
* need sys/device.h
  deraadt, 2015-11-23, 1 file changed, -1/+2
* For "disklabel", allow sysctl mach.chr2kblk and ioctl BIOCINQ/BIOCVOL also, to satisfy midlayers that some fs/install tools need.
  deraadt, 2015-11-22, 1 file changed, -1/+12
* "getpw" should also allow access to /etc/netid
  deraadt, 2015-11-22, 1 file changed, -1/+3
  discovered by rpe
* Permit msync(2) in the "stdio" set; only a few programs use it related to mmap, but thinking about it nothing feels risky.
  deraadt, 2015-11-20, 1 file changed, -1/+2
  Long discussions with florian
* Add pledge "disklabel", which allows sysctl kern.rawpartition, a few disklabel ioctls, and the DIOCMAP ioctl against /dev/diskmap used to translate duid numbers into partitions.
  deraadt, 2015-11-20, 1 file changed, -1/+33
  This will allow pledging of at least 12 disk/filesystem aware programs; due to the negative impact that diff will wait a bit so everyone has a chance to update their kernels. ok semarie
* Exempt accept(2) from the pledge_socket() check part of the "domain" check.
  deraadt, 2015-11-20, 1 file changed, -1/+3
  You cannot open a socket in a domain unless permitted -- but you need to be able to accept one if the code flow asks for that to happen. The most recent check is too tight. We may need to iterate the policy here until we hit the right vibe...
* check domain and state of socket against pledge promise.
  semarie, 2015-11-18, 1 file changed, -9/+25
  ok deraadt@
* backout removal of SYS_break from stdio, suggested by deraadt@
  sthen, 2015-11-17, 1 file changed, -1/+2
  ports using base gcc with PCH include: boost, keepassx, wxWidgets, jdk
* Allow sysctl kern.clockrate, kern.argmax, kern.ngroups, kern.sysvshm, and kern.posix1version.
  deraadt, 2015-11-17, 1 file changed, -12/+24
  Enough to satisfy getconf, and I hope we don't need to add much more after this. Largely from jca
* Allow TIOCEXT in pledge "tty"
  deraadt, 2015-11-16, 1 file changed, -1/+2
  Discussed with millert
* Permit revoke(2) for a pledge "rpath tty"
  deraadt, 2015-11-16, 1 file changed, -1/+3
  ok millert semarie tedu guenther
* brk/sbrk's use case is way too narrow to be a default stdio pledge.
  pascal, 2015-11-16, 1 file changed, -2/+1
  Since this only affects base gcc and the ports most in need of PCHs are compiled with ports compilers anyway, let's see what happens if we break it. discussed with and ok deraadt@
* Add pathconf() to pledge "rpath"; ok guenther
  deraadt, 2015-11-14, 1 file changed, -1/+2
* For pledge "stdio", allow the break(2) system call which backends the brk/sbrk library routines.
  deraadt, 2015-11-14, 1 file changed, -1/+2
  The manpage declares, in bold: The brk() and sbrk() functions are historical curiosities left over from earlier days before the advent of virtual memory management.
  In our base tree, only one program uses these functions -- cc1 in the gcc toolset. A historical curiosity using a historical curiosity, how quaint. brk is used because precompiled c headers are not position independent. Another program which relies upon brk is emacs.
  Other uses of brk are EXCEEDINGLY RARE, because most software grew up and uses modern practices such as malloc and mmap, thereby gaining ASLR benefits. Position independence has become an important part of mitigations. These two programs fight such improvements.
  Permitting brk/sbrk allows the large attack surface of cc1 to be pledged. "I would rather have cc1 pledged than purity in pledge" guenther
* Allow setsockopt IPPROTO_IPV6 IPV6_TCLASS (v4 calls this IP_TOS)
  deraadt, 2015-11-13, 1 file changed, -1/+2
* Split the intra-thread functionality from kill(2) into its own syscall thrkill(2), rolling the kill(2) syscall number with the ABI change to avoid breaking binaries during the transition.
  guenther, 2015-11-10, 1 file changed, -2/+4
  thrkill(2) includes a 'tcb' argument that eliminates the need for locking in pthread_kill() and simplifies pthread_cancel(). Switch __stack_smash_handler() to use thrkill(2) and explicitly unblock SIGABRT. Minor bump to both libc and libpthread: make sure you install a new kernel! ok semarie@
* revert sys/kern/kern_pledge.c 1.103 and reenable pledge in pwd_mkdb
  semarie, 2015-11-05, 1 file changed, -13/+3
  ok deraadt@
* pledge_ioctl only takes files, adjust prototype. ok semarie
  tedu, 2015-11-04, 1 file changed, -4/+4
* move /etc/spwd.db blacklist outside PLEDGE_GETPW check.
  semarie, 2015-11-04, 1 file changed, -3/+13
  so that all pledged programs would get it instead of only ones with PLEDGE_GETPW. ok deraadt@