path: root/sys/kern

Commit log (newest first). Each entry gives the commit message followed by [author, date, files changed, -lines removed/+lines added].
* Add TIOCCBRK and TIOCSDTR to the whitelist for pledge ioctl. cu(1) uses these. ok deraadt@
  [doug, 2015-10-16, 1 file, -1/+3]
* Add TIOCFLUSH to "tty" in support of tcflush()
  [deraadt, 2015-10-15, 1 file, -1/+2]
* Exposing FIOASYNC in pledge "ioctl" is a mistake; remove it, cannot find safe uses of it
  [deraadt, 2015-10-15, 1 file, -2/+1]
* FIOCLEX & FIONCLEX should be in base ioctl set
  [deraadt, 2015-10-15, 1 file, -3/+3]
* FALTHROUGH->FALLTHROUGH in comment, ok deraadt a few days ago
  [sthen, 2015-10-14, 1 file, -2/+2]
* Add a dummy "flock" request that will allow file locking. It is not currently enforced but we want the kernel to be able to parse it for an upcoming diff in the next few days.
  [millert, 2015-10-14, 1 file, -3/+3]
* When pledged with "fattr", allow chown to supplementary groups. This came out of a discussion regarding "sort foo -o foo". ok semarie
  [deraadt, 2015-10-14, 2 files, -17/+18]
* pledge "tty" can allow ioctl TIOCEXCL on a tty
  [deraadt, 2015-10-14, 1 file, -1/+2]
* sendmsg() is allowed to pass cmsg's which are not CMSG_RIGHTS - last refactoring inverted the checks; spotted by sthen in ping6.
  [deraadt, 2015-10-14, 1 file, -4/+4]
* 3 more headers required for one stinking inet6 ioctl..
  [deraadt, 2015-10-13, 1 file, -1/+4]
* Allow ioctl SIOCGNBRINFO_IN6 in case of "route", for use by ndp.
  [deraadt, 2015-10-13, 1 file, -1/+2]
* NET_RT_FLAGS must also accept a proto selection.
  [deraadt, 2015-10-13, 1 file, -2/+3]
* allow getsockopt IP_RECVDSTPORT & IPV6_RECVDSTPORT for an "inet" pledge
  [deraadt, 2015-10-13, 1 file, -1/+3]
* Initialize va_filerev in vattr_null() to avoid leaking stack garbage; problem pointed out by Martin Natano (natano (at) natano.net). Also, stop chaining assignments (foo = bar = baz) in vattr_null(). The exact meaning of those depends on the order of the sizes-and-signednesses of the lvalues, making them fragile: a statement here mixed *six* types, but managed to get them in a safe order. Delete a 20+ year old XXX comment that was almost certainly bemoaning a bug from when they were in an unsafe order. ok deraadt@ miod@
  [guenther, 2015-10-13, 1 file, -9/+23]
* Pledge "fattr" request should allow fchflags(). "add it" deraadt@
  [doug, 2015-10-13, 1 file, -1/+2]
* pledge "proc" request should allow setsid()
  [deraadt, 2015-10-12, 1 file, -1/+2]
* Remove the "cmsg" attribute, as promised. Use "sendfd" or "recvfd", depending on what you need. inet/inet6 cmsg's come through unmolested -- that is something to consider later.
  [deraadt, 2015-10-12, 1 file, -2/+1]
* pledge_ioctl_check() will do the killing if necessary; if it returns, that is an errno to pass up to the calling system call instead. test case is "who < /dev/null", via ttyname().
  [deraadt, 2015-10-11, 1 file, -2/+2]
* add a missed check for PLEDGE_RPATH when reading a file. ok deraadt@
  [semarie, 2015-10-11, 1 file, -1/+6]
* sigaltstack is directly used by setjmp on some architectures. it only refers to the process itself. pledge should allow it.
  [deraadt, 2015-10-11, 1 file, -1/+2]
* put TIOCSWINSZ in the right block "tty", not in "ioctl". this happened because the "route" tests were placed between the two, creating confusion. fix that while here.
  [deraadt, 2015-10-11, 1 file, -13/+13]
* In pledge "tty", allow TIOCSWINSZ. stty(1) is the obvious silly use. The more important use will be tmux(1) and other active window size controlling programs. There seems little risk in exposing this small tty setting alongside the tcsetattr() family. ok millert
  [deraadt, 2015-10-11, 1 file, -1/+2]
* __get_tcb() is needed for errno access in threaded programs on some archs. Make it always available. ok deraadt@
  [guenther, 2015-10-11, 1 file, -1/+2]
* Always set the timeout at least one tick in the future for EVFILT_TIMER to avoid looping in softclock(). based on diff by sthen@ ok sthen@
  [guenther, 2015-10-11, 1 file, -16/+16]
* For pledge, sigsuspend() affects the behaviour of a process itself, so we should allow it for 'self'. ok djm
  [deraadt, 2015-10-10, 1 file, -2/+2]
* pid 0 also implies self, so allow that for the pledge case. Found in a refactoring being done for the bc/dc relationship with otto.
  [deraadt, 2015-10-10, 1 file, -2/+3]
* shuffle #ifdef TIOCSTI block to avoid a future /*FALLTHROUGH*/ mistake.
  [deraadt, 2015-10-10, 2 files, -4/+7]
* allow sysctl of kern.clockrate
  [deraadt, 2015-10-10, 1 file, -1/+4]
* I forgot execve would go through the namei codepath, so a program marked "stdio rpath" would fail to execve. pre-indicate exec actions to the namei checker to allow them through. ok semarie
  [deraadt, 2015-10-10, 2 files, -2/+8]
* Allow kill(self, sig) in pledge SELF also. the stack protector, abort(), and readpassphrase() in particular use this. ok millert tedu semarie
  [deraadt, 2015-10-09, 2 files, -3/+12]
* Have not come up with a great pattern for flock() yet. flock() is permitted by "getpw" because libc getpw*/getgr* use open() of /var/run/ypbind.lock plus flock() to detect YP running. The kernel observes this dance to "open up" the YP door (ugliness should drive us to rewrite this mechanism from SunOS later). However, flock is also used independently. Current users are htpasswd mail skeyinit tmux authpf pwd_mkdb ldapd smtpd ypbind login_token mail.local lockspool. Let's enable flock() for "cpath", and see if that helps these programs, otherwise we'll try "wpath" next.
  [deraadt, 2015-10-09, 1 file, -2/+3]
* oops, snuck into a syscalls sync; spotted by sthen
  [deraadt, 2015-10-09, 1 file, -16/+16]
* another stray )
  [deraadt, 2015-10-09, 1 file, -2/+2]
* shortcircuit TIOCGETA to directly return ENOTTY for non-ttys. It could be called against a non-tty fd, so as to test "is this a tty". Discovered by sthen and rob pierce at the same time.
  [deraadt, 2015-10-09, 2 files, -3/+10]
* stardate 93370.16: a whitespace appears to have entered our quadrant...
  [deraadt, 2015-10-09, 1 file, -2/+2]
* multicast test backwards; noted by renato
  [deraadt, 2015-10-09, 1 file, -3/+3]
* Rename tame() to pledge(). This fairly interface has evolved to be more strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.
  [deraadt, 2015-10-09, 2 files, -5/+5]
* sync
  [deraadt, 2015-10-09, 3 files, -23/+23]
* Rename tame() to pledge(). This fairly interface has evolved to be more strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.
  [deraadt, 2015-10-09, 13 files, -411/+411]
* Expose a small set of multicast join operators under the request "mcast". This will be used by a few daemons. If they lack this feature, then they would need to operate without tame. Discussed with renato
  [deraadt, 2015-10-08, 1 file, -2/+18]
* setsockopt has a small list of options it can set. If we find ourselves only in TAME_UNIX, stop trying after servicing SOL_SOCKET. discussion with claudio
  [deraadt, 2015-10-08, 1 file, -1/+8]
* Only in TAME_ROUTE, allow ioctl SIOCGIFADDR/SIOCGIFFLAGS/SIOCGIFRDOMAIN, because many routing daemon processes with this attribute need to fetch that information to work. discussed with claudio and renato
  [deraadt, 2015-10-08, 1 file, -1/+12]
* Use the radix API directly and get rid of the function pointers. There is no point in keeping an unused level of abstraction. ok mikeb@, claudio@
  [mpi, 2015-10-08, 1 file, -10/+6]
* Split out routing sysctl's from tame "inet", and put them into the new tame "route" request. Now routing daemons and tools (such as arp), can narrowly ask for either feature. One thing remains available in both cases -- support for getifaddr()'s, since libc and programs often use that in close association with socket creation. ok benno sthen beck, some discussion with renato
  [deraadt, 2015-10-07, 1 file, -44/+55]
* easy free sizes; ok mpi
  [deraadt, 2015-10-07, 2 files, -5/+5]
* rn_inithead() offset argument is now specified in byte, missed in previous.
  [mpi, 2015-10-07, 1 file, -2/+2]
* Initialize the routing table before domains. The routing table is not an optional component of the network stack and initializing it inside the "routing domain" requires some ugly introspection in the domain interface. This puts the rtable* layer at the same level as the if* level. These two subsystems are organized around the two global data structures used in the network stack:
  - the global &ifnet list, to be used in process context only, and
  - the routing table which can be read in interrupt context.
  This change makes the rtable_* layer domain-aware and extends the "struct domain" such that INET, INET6 and MPLS can specify the length of the binary key used in lookups. This allows us to keep, or move towards, AF-free route and rtable layers. While here stop the madness and pass the size of the maximum key length in *byte* to rn_inithead0(). ok claudio@, mikeb@
  [mpi, 2015-10-07, 1 file, -2/+5]
* Add the tame "exec" request. This allows processes which request "exec" to call execve(2), potentially fork(2) beforehand if they asked for "proc". Calling execve is what "shells" (ksh, tmux, etc) have as their primary purpose. But meantime, if such a shell has a nasty bug, we want to mitigate the process from opening a socket or calling 100+ other system calls. Unfortunately silver bullets are in short supply, so if our goal is to stay in a POSIX-y environment, we have to let shells call execve(). POSIX ate the world, so choices do we all have? Warning for many: silver bullets are even more rare in other OS ecosystems, so please accept this as a narrow lowering of the bar in a very raised environment. Committed from a machine running tame "proc exec" ksh, make, etc.
  [deraadt, 2015-10-07, 3 files, -12/+25]
* A process should be able to do sigpending for itself
  [deraadt, 2015-10-06, 1 file, -1/+2]
* For TAME_PROC, allow setrlimit()
  [deraadt, 2015-10-06, 1 file, -1/+2]