path: root/sys/kern/kern_pledge.c
Columns: Commit message, Author, Age, Files, Lines
...
* Add SIOCATMARK to allow pledge("inet") programs to call sockatmark(3).
  from Matthias Pitzl; OK deraadt@
  Author: bluhm; Age: 2017-04-11; Files: 1; Lines: -1/+2
* correct NBPFILTER #ifdef's
  from sthen and others
  Author: deraadt; Age: 2017-03-30; Files: 1; Lines: -3/+3
* Allow the multicast ttl/hops and loop options with the mcast pledge.
  from Matthias Pitzl; OK deraadt@
  Author: bluhm; Age: 2017-03-28; Files: 1; Lines: -1/+5
* wrap bpf pledge code in #if BPFFILTER
  Author: deraadt; Age: 2017-03-27; Files: 1; Lines: -1/+4
* Inside pledge_ioctl, wrap #if's around the complete sub-blocks.
  Author: deraadt; Age: 2017-03-26; Files: 1; Lines: -9/+9
* For the tape ioctls, recognize that block devices don't exist anymore.
  Also fail if the descriptor is actually a tty.
  ok guenther
  Author: deraadt; Age: 2017-03-26; Files: 1; Lines: -2/+3
* The "ioctl" pledge which had functionality split out into "tape", "bpf", and "inet" can finally go away.
  Use a snapshot if you get into trouble, most likely in pax.
  Author: deraadt; Age: 2017-03-18; Files: 1; Lines: -2/+1
* Allow SIOCGIFXFLAGS in pledge("route") alongside SIOCGIFFLAGS, needed for upcoming IPv6 stateless address autoconfiguration daemon to see if autoconfiguration and autoconfprivacy are enabled.
  Input semarie@; OK deraadt@
  Author: florian; Age: 2017-03-14; Files: 1; Lines: -1/+2
* pax conversion was missed; give this another week
  Author: deraadt; Age: 2017-03-11; Files: 1; Lines: -1/+2
* remove pledge "ioctl" backwards compat
  Author: deraadt; Age: 2017-03-11; Files: 1; Lines: -2/+1
* Backwards compat for pledge "ioctl" for about a week
  Author: deraadt; Age: 2017-01-23; Files: 1; Lines: -1/+2
* Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only upon "inet".
  Adjust the 4 programs that care about this.
  Author: deraadt; Age: 2017-01-23; Files: 1; Lines: -20/+19
* whitespace
  Author: deraadt; Age: 2017-01-23; Files: 1; Lines: -6/+6
* p_comm is the process's command and isn't per thread, so move it from struct proc to struct process.
  ok deraadt@ kettenis@
  Author: guenther; Age: 2017-01-21; Files: 1; Lines: -5/+5
* Fix typo in comment: it's vm.loadavg, not kern.loadavg.
  From patrick keshishian
  Author: tb; Age: 2016-11-13; Files: 1; Lines: -2/+2
* For consistency, allow symlinkat(2) in the same way as symlink(2); no need to wait until the first program using it breaks...
  "could make sense" semarie@ (and thanks for the cluestick)
  OK deraadt@
  Author: schwarze; Age: 2016-10-27; Files: 1; Lines: -1/+2
* pledge changes needed to support pledging vmd(8) on i386, forthcoming.
  ok deraadt@
  Author: mlarkin; Age: 2016-10-21; Files: 1; Lines: -2/+2
* In pledge_namei_wlpath() if resolvpath() errors out early it will not set variables that will be later used as the size argument to free(NULL calls.
  This should be harmless as free returns early if the address is NULL without checking the size.
  Initialise these variables before the call to ensure they are never passed to another function uninitialised.
  ok tedu@ millert@ deraadt@
  Author: jsg; Age: 2016-10-06; Files: 1; Lines: -2/+2
* Display the process's PID with p->p_p->ps_pid, not p->p_pid.
  Use a local variable struct process *pr to simplify expressions
  ok deraadt@
  Author: guenther; Age: 2016-10-05; Files: 1; Lines: -12/+13
* NPF > 0 is a better test than SMALL for presence of pf.
  ok deraadt
  Author: tedu; Age: 2016-09-17; Files: 1; Lines: -3/+4
* Remove sys_o58_kill since OpenBSD 6.0 has been tagged/released.
  ok deraadt@
  Author: jsing; Age: 2016-09-04; Files: 1; Lines: -2/+1
* Delete unused ioctls and associated macros. Move macros that are still used internally by low-level drivers from sys/audioio.h to dev/audio_if.h instead of deleting them.
  Author: ratchov; Age: 2016-08-31; Files: 1; Lines: -6/+1
* Revert previous commit
  Author: mikeb; Age: 2016-07-28; Files: 1; Lines: -2/+2
* Convert ifq_deq_{begin,rollback,commit} dance to a single ifq_dequeue
  Author: mikeb; Age: 2016-07-28; Files: 1; Lines: -2/+2
* remove more noisy messages in "sendfd" and "recvfd"
  Author: deraadt; Age: 2016-07-12; Files: 1; Lines: -11/+4
* be less noisy on console in case of "recvfd" refusal
  ok semarie
  Author: deraadt; Age: 2016-07-11; Files: 1; Lines: -4/+2
* pledge: use uint64_t instead of int for temporarily storing a 64bit integer
  affects only 32-bit platforms (like i386).
  problem spotted and diff from pelikan@
  ok deraadt@ jca@
  Author: semarie; Age: 2016-07-10; Files: 1; Lines: -4/+4
* Paranoia: check KTRPOINT() before calling ktrpledge() to guarantee we can't (in the future) loop from ktrace writing hitting a pledge condition.
  diff from Michal Mazurek (akfaew (at) jasminek.net)
  Author: guenther; Age: 2016-07-10; Files: 1; Lines: -2/+3
* introduces new promise "chown" to allow changing owner/group with *chown(2) family
  it splits PLEDGE_FATTR in two ("fattr" still grants the 2 flags, so no functional changes):
  - PLEDGE_CHOWN : to be able to call *chown(2) syscalls
  - PLEDGE_FATTR : the rest
  it introduces "chown" which grants:
  - PLEDGE_CHOWN : be able to call *chown(2)
  - PLEDGE_CHOWNUID : be able to modify owner/group
  ok deraadt@ tedu@
  Author: semarie; Age: 2016-07-03; Files: 1; Lines: -6/+11
* in pledgereq (the array for doing correspondence between textual promise as in pledge(2) and internal PLEDGE_* flag), the flags member should be a uint64_t and not an int.
  ok deraadt@
  Author: semarie; Age: 2016-06-28; Files: 1; Lines: -2/+2
* Restore the sys_o58_kill system call.
  By keeping both the new (sys_kill/sys_thrkill) and old (sys_o58_kill) system calls for the OpenBSD 6.0 release, code that uses either of these mechanisms will work on both of the supported OpenBSD releases. This provides a clean transition for runtimes that make direct system calls (namely the Go programming language).
  This requires a minimal amount of non-intrusive code and does not block development progress within OpenBSD.
  ok deraadt@ guenther@
  Author: jsing; Age: 2016-06-27; Files: 1; Lines: -1/+2
* Implement IPV6_MINHOPCOUNT support.
  Useful to implement GTSM support in daemons such as bgpd(8).
  Diff from 2013 revived by renato@. Input from bluhm@, ok bluhm@ deraadt@
  Author: jca; Age: 2016-06-27; Files: 1; Lines: -1/+2
* per trending style, add continue to empty loops.
  ok mglocker
  Author: tedu; Age: 2016-06-07; Files: 1; Lines: -2/+2
* sys_o58_kill is no longer needed for compat.
  ok guenther sthen
  Author: deraadt; Age: 2016-05-31; Files: 1; Lines: -2/+1
* sys_osendsyslog can go away; we have transitioned to the new version with a flags argument
  ok guenther sthen
  Author: deraadt; Age: 2016-05-31; Files: 1; Lines: -2/+1
* rename(2) operation requires "rpath cpath" at the underlying operation (the src path lookup is considered a rpath operation)
  noticed by kristaps, discussed with semarie
  Author: deraadt; Age: 2016-05-27; Files: 1; Lines: -2/+2
* remove chroot(2) from allowed syscalls under pledge(2).
  please note that chrooted processes are still possible with pledge(2), but only if the chroot(2) is done *before* calling pledge(2). Once pledged, no more chroot(2) calls are permitted.
  Author: semarie; Age: 2016-05-15; Files: 1; Lines: -3/+1
* 1) Split pledge whitelist path handling out of pledge_namei() and into pledge_namei_wlpath(). Call the wlpath check only at the end of namei after the namei lookup would otherwise succeed.
  2) Add support to namei to keep the path that was looked up, without the symlinks in it, and use that path for whitelist path lookups.
  This means that paths in pledge whitelists will need to always be the real path to an intended file to whitelist, without symlinks. Any symlinks to the "real" file will then be allowed
  ok deraadt@ semarie@
  Author: beck; Age: 2016-04-28; Files: 1; Lines: -60/+72
* simplifies the check for allowing only promises reductions.
  ok deraadt@
  Author: semarie; Age: 2016-04-25; Files: 1; Lines: -11/+9
* removes an unneeded check on flags (used historically when tame(2) was using bitflags)
  ok deraadt@ jca@
  Author: semarie; Age: 2016-04-25; Files: 1; Lines: -4/+1
* Add getlogin_r syscall that checks and returns errors like userspace getlogin_r() API; keep existing syscall as getlogin59 for temporary compat.
  ok kettenis@ deraadt@
  Author: guenther; Age: 2016-03-30; Files: 1; Lines: -2/+3
* Silences compiler warnings, about used uninitialized variables. These lengths are passed uninitialized to free(9) only when pointers are NULL.
  found by jsg@
  ok deraadt@
  Author: semarie; Age: 2016-03-25; Files: 1; Lines: -2/+2
* allow fpathconf() in stdio mode, since it is an innocuous query system call.
  discussed with semarie and everyone else during the 5.9 lock.
  Author: deraadt; Age: 2016-03-22; Files: 1; Lines: -1/+2
* Rename the system call sendsyslog2 to sendsyslog. Keep the old one as osendsyslog for a while. The three argument variant is the only one that will stay.
  input kettenis@; OK deraadt@
  Author: bluhm; Age: 2016-03-21; Files: 1; Lines: -2/+2
* Expose new audio ioctls that do one thing only: start and stop DMA, set and get parameters. This is much simpler.
  ok semarie, armani, tweaks from jmc
  Author: ratchov; Age: 2016-03-16; Files: 1; Lines: -1/+5
* pledge: wl_paths: resolvpath() logic error
  prepend chroot value *after* canonization and not before.
  Author: semarie; Age: 2016-03-15; Files: 1; Lines: -64/+73
* pledge: wl_paths: corrects a memory leak in error code path and an evaluation order ("a += b > c" is the same as "a += (b > c)" which is wrong here)
  ok jca@
  Author: semarie; Age: 2016-03-15; Files: 1; Lines: -2/+4
* keep disabled wl_paths for now. the expensiveness impact needs to be better considered.
  ok deraadt@
  Author: semarie; Age: 2016-03-13; Files: 1; Lines: -1/+5
* reenable wl_paths (whitelisted-paths) in pledge(2)
  Author: semarie; Age: 2016-03-13; Files: 1; Lines: -4/+1
* pledge: replace #if 0 printf with DNPRINTF macro
  Author: semarie; Age: 2016-03-13; Files: 1; Lines: -14/+29