Commit message | Author | Age | Files | Lines

strict than anticipated. It allows a programmer to pledge/promise/covenant
that their program will operate within an easily defined subset of the
Unix environment, or it pays the price.

This will be used by a few daemons. If they lack this feature, then
they would need to operate without tame.
Discussed with renato

only in TAME_UNIX, stop trying after servicing SOL_SOCKET.
discussion with claudio

because many routing daemon processes with this attribute need to fetch
that information to work.
discussed with claudio and renato

new tame "route" request. Now routing daemons and tools (such as arp),
can narrowly ask for either feature. One thing remains available in
both cases -- support for getifaddr()'s, since libc and programs often
use that in close association with socket creation.
ok benno sthen beck, some discussion with renato

"exec" to call execve(2), potentially fork(2) beforehand if they
asked for "proc". Calling execve is what "shells" (ksh, tmux, etc)
have as their primary purpose. But meantime, if such a shell has a
nasty bug, we want to mitigate the process from opening a socket or
calling 100+ other system calls. Unfortunately silver bullets are in
short supply, so if our goal is to stay in a POSIX-y environment, we
have to let shells call execve(). POSIX ate the world, so what choices do
we all have?
Warning for many: silver bullets are even more rare in other OS
ecosystems, so please accept this as a narrow lowering of the bar in a
very raised environment.
Committed from a machine running tame "proc exec" ksh, make, etc.

Also the combination of "proc tty" needs to permit TIOCSPGRP.
This is the start at minimum semantics required by processes which
work on process groups, sessions, ttys.

TIOCSBRK, TIOCCDTR, TIOCSETA, TIOCSETAW, and TIOCSETAF on tty
vnodes. This helps programs which call tcsetattr(), tcgetattr(), or
readpassphrase(). Especially the latter - tame's goal is to satisfy
the libc requirements of security-sensitive programs.
Remove TIOCSETAF from the basic "ioctl" request, because it is a "set"
option. "ioctl" is slowly turning into a "request information, cannot
set options" package.
Split the "cmsg" request into "sendfd" and "recvfd". Non-SCM_RIGHTS
messages are currently flowing through freely and we'll need to think
about that. This split lets us more strictly describe what our many
fd-passing programs will do.

mbuf blob with all the cmsgs inside while on send cmsgs are in an mbuf chain,
one mbuf per message. Adjust the calls accordingly.
Putting it in so deraadt@ can move forward.

for the stdio/libevent usage case. Further ioctl commands are narrowly
checked as before.
ok djm guenther semarie

it is RPATH|WPATH... nothing changes, just the new explanation.

find the ps buffer. Few programs want to do their first setproctitle()
rather late...

"every tool helps" deraadt@

can I figure out why I added this in the past...

dropping through to the kill path. The best way to understand this
is id(1). It calls getpwuid, which tries /etc/spwd.db before
/etc/pwd.db ...

ok deraadt@, semarie@

ok semarie@

- by default, a tamed program doesn't have the possibility to use PROT_EXEC for
mmap(2) or mprotect(2)
- for that, use the request "prot_exec" (that could be dropped later)
initial idea from deraadt@ and kettenis@
"make complete sense" beck@
ok deraadt@

leak system path information. Should be reconsidered in the future.

and add a regress test for that.
ok deraadt@

"dns" and "cmsg" in the `tamereq' array.
Restore the previous behaviour.
ok guenther@

necessary
ok deraadt@ jsing@

layer because the strings select the right options. Mechanical
conversion.
ok guenther

ok deraadt@ miod@

which results in tame() code placements being much more recognizable.
tame() can be moved to unistd.h and does not need cpp symbols to turn the
bits on and off. The resulting API is a bit unexpected, but simplifies the
mapping to enabling bits in the kernel substantially.
vague ok's from various including guenther doug semarie

to return failure. open() of these paths should succeed to satisfy
strerror() and friends.
ok semarie

ok doug@

want to do the same for fstatfs(), after we handle statfs(). These system
calls leak path information, however I am reluctant to add a separate
category.

document tame.2 accordingly.
ok deraadt@

refactor the code around getcwd and canonpath, with some help from semarie
ok semarie

This is used by readpassphrase() and curses.
ok deraadt@

The path will not be modified and this reduces casts. Discussed with many.
ok deraadt@

ok deraadt@

outside the for-loop.
OK deraadt@

ok deraadt@

same.
Idea from semarie

with semarie