| Commit message (Collapse) | Author | Age | Files | Lines |
|
ok gnezdo@ semarie@ mpi@
|
Requested by mpi@
|
implementation file. Pushing the assignment of ps_uvpcwd down to
unveil_add() is required but it doesn't introduce any functional change.
ok mpi@ semarie@
|
ok tedu
|
take a struct proc* instead of a struct process*, and vice versa making
unveil_lookup() take a process* instead of a proc*.
ok beck@
|
to the corresponding red-black tree; meaning the path was not already
present in the tree. This prevents an assertion from triggering in
unveil_destroy() later on when the process exits.
ok beck@
Reported-by: syzbot+db66362e1ffdc72e5aeb@syzkaller.appspotmail.com
|
Issue spotted by Benjamin Baier <programmer@netzbasis.de> with relative
path lookups from openat(2). Lacking a current working directory unveil,
operations using the *at functions could fail when not crossing an unveil,
since an initial covering unveil was not found.
This corrects this so we walk up from the directory vnode to find a
covering unveil at the start of non AT_FDCWD lookups, and adds regress
for this case.
ok bluhm@
|
files into the common namei.h header.
OK deraadt@
|
case even if *vpp == vdp. So in unveil_find_cover() it is wrong
to skip dereferencing if parent == vp. This fixes an umount(8)
device busy error when unveil(2) and chroot(2) are used together
on a file system.
reported by Matthias Pitzl; OK deraadt@
|
that are hidden by unveil(2).
OK deraadt@
|
parent's during fork()
witness reports from ajacoutot@ and Hrvoje Popovski (hrvoje (at) srce.hr)
ok visa@
|
it actually isn't reached...
|
added aggressively today. Hopefully post release a glorious
flensing will remove UNVEIL_INSPECT anyway
Reported-by: syzbot+3375ce307ac7909b907b@syzkaller.appspotmail.com
|
UNVEIL_INSPECT is a hack we added to get chrome/glib working. It silently
adds permission for stat(2), access(2), and readlink(2) to be used on
all path components of any unveil'ed path. robert@ has successfully now
fixed chrome/glib to not require excessive TOC vs TOU stat(2) and access(2)
calls on the paths it uses, so that this is no longer needed there.
readlink(2) is the sole call that is now permitted by UNVEIL_INSPECT,
and this is only needed so that realpath(3) can work. Going forward we will
likely make a realpath(2), after which we can completely deprecate
UNVEIL_INSPECT.
ok deraadt@
|
doesn't get freed. move the free calls into the same function as namei.
fixed bug report from Dariusz Sendkowski
ok beck
|
1) Correctly notice covering unveil when using .. - fix crash noticed by visa@
2) Notice when v_mount is NULL to not crash when unveil vnodes are on a
forcibly unmounted filesystem, noticed by yasuoka@
3) Add a flag to ni_data so that failures from unveil flag mismatches in covering
unveils return the correct EACCES instead of ENOENT (noticed by brynet@)
ok deraadt@
|
unveil matches when .. is used correctly. Also adds regress based
upon his test program for the same issue.
|
where ps_uvpcwd obviously contains a dangling pointer.
ok deraadt@, krw@
|
level directories from working when you don't traverse into them starting
from /. Most found by brynet@ and a few others.
ok brynet@ deraadt@
|
unveil for each unveil in the process at unveil() time, and refactoring the
handling of current directory and ISDOTDOT to be much more sensible.
Worked out at ns2k18 with guenther@.
ok deraadt@
|
ok beck@
|
final directory in a name unveil was not being added with UNVEIL_INSPECT
if it was not already unveiled. Now passes just added regress test for
this case
|
We use UNVEIL_INSPECT instead in the unveil flags for the same
purpose, and now add traversed vnodes of a path with UNVEIL_INSPECT
instead of with 0 flags and voodoo in unveil_flagmatch. This
allows us to uncontort the logic of unveil_flagmatch a bunch.
helpful review and ok from semarie@
|
to the namei args. This fixes a bug where chmod would be allowed when
with only READ. This also allows some further cleanup of some awkward
things like PLEDGE_STAT that will follow
Lots of assistance from semarie@ - thanks!
ok semarie@
|
sane.
ok kettenis@
|
man page change will follow
|
the traversed vnodes - noticed and fixed by semarie@
|
as a descending match.
Noticed by Stuart Cassoff <3d0g@bell.net>
|
parameter should be declared uint64_t and not int.
From & for semarie@ who isn't committing at the moment and ok beck@
who is on the road.
|
This brings unveil into the tree, disabled by default - Currently
this will return EPERM on all attempts to use it until we are
fully certain it is ready for people to start using, but this
now allows for others to do more tweaking and experimentation.
Still needs to send the unveils across forks and execs before
fully enabling.
Many thanks to robert@ and deraadt@ for extensive testing.
ok deraadt@
|