| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
only applied to the child process, which requires the parent to not pass
directory file descriptors (tame("cmsg") does not allow it). Because
file(1) is already privsep, the permissions in the child can be quickly
restricted: first to "stdio cmsg getpw proc" then after the privdrop to
"stdio cmsg".
|
| | |
|
| |
|
|
| |
"every tool helps" deraadt@
|
| | |
|
| |
|
|
|
| |
increments argc when run with no arguments, causing a read past the end
of argv.
|
| |
|
|
|
| |
off with tame "stdio rpath". Once the (optional) file is opened, a
further drop down to tame "stdio" works.
|
| | |
|
| | |
|
| |
|
|
| |
tame "stdio rpath" works, right before calling getopt()
|
| |
|
|
|
|
|
|
|
| |
/bin/ed. This is RETARDED. Nothing learned from the last year?
Add tame "proc" until that is fixed, to allow fork+exec.
I beg for someone to cross-link the guts of ed directly into patch, or
write a ed-subset which can do the job.
|
| |
|
|
|
|
|
| |
- Replace arc4random with arc4random_uniform.
- Replace memset with explicit_bzero.
OK millert@
|
| |
|
|
|
|
| |
this program and see it does uname(3) and stdio printf. uname(3) is
backed by a cluster of sysctl() reads, all permitted by the kernel
in tame_sysctl_check()
|
| |
|
|
|
|
|
|
| |
This one should be an unsigned long in theory, but the formatter function
argument we're printing from is already an int (being casted from register_t
at the formatter call time). So lets fix one bug at a time.
authoritative okay from guenther@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
computation, and outputs result to stdout. (note: in the tame model,
malloc is implicit because stdio needs it, and mmap is implicit since
malloc needs it; libz is satisfied by this environment also).
this tame change consists of 1 line, setting "stdio rpath" before
getopt. this protection is fairly strict. grep could be improved
further by computing a wpathlist based on argv, keeping -R in mind.
feel free to take a shot at it.
grep was an early target of capsicum also. know anyone running capsicum grep?
ok doug
|
| |
|
|
|
|
| |
it might seem we can hoist the open above tame and then drop "rpath",
but guenther found getprotobynumber can be called much later.
ok guenther
|
| |
|
|
|
| |
tame "stdio proc" satisfies it.
ok doug
|
| |
|
|
|
|
|
|
|
|
|
|
| |
system behaviours such as forking, execve, sockets, etc.
in theory this extended by parsing the arguments first, and creating
the whitepathlist. the pathlist probably needs to be directory-oriented,
rather than exact path of files, because a gzip file may specify the
filename it wants (and that won't be available until it is opened, and
partially parsed). anyone want to give this a try?
gzip was an early goal for capsicum. who is running a capsicum gzip?
|
| |
|
|
|
| |
http://marc.info/?l=openssl-dev&m=144374015404899&w=2
ok doug
|
| |
|
|
|
| |
discussed it at length with djm -- i think it is time to give this a
trial in snapshots.
|
| |
|
|
|
|
| |
in case of exploitation, no more network access, fork, execve, etc.
I wonder if we could use whitepath lists here - if it is reasonable to
limit operation in directories known early on?
|
| |
|
|
|
|
|
| |
can tame "stdio rpath wpath cpath"; all three paths abilities are needed
for it to setup the right files (worst case spotted by sthen). later
once the files are opened, the program is only looking at strings and
outputing via stdio functions, so we can tame "stdio".
|
| |
|
|
|
|
|
| |
tame "stdio" since all it does is move data back and forth, while the master
process needs "stdio ioctl" to use TCSAFLUSH at the very end. TCSAFLUSH is
included in the kernel's rather restrictive ioctl feature lists made
available with the "ioctl" ability.
|
| |
|
|
|
|
| |
still runs fingerd? not many places, it took a while to find a server)
tame "stdio getpw rpath inet" is possible early on, then later when
the network lookups list is consumed, tame "stddio getpw rpath"
|
| |
|
|
|
| |
it does not need to open any files, so we can tame with "stdio dns inet".
i think florian and i did this about 2 months ago.
|
| |
|
|
|
| |
talk to stdio. tame "stdio" is a no-brainer.
reviewed a while ago by doug
|
| |
|
|
|
|
|
| |
access in case it is exploited. tame with "stdio wpath rpath cpath"
seesms to covers all usage cases, except -i performs a fchmod() on the
in-place file, so conditionally also needs "fattr".
ok sthen
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
ok tedu@ deraadt@
|
| |
|
|
| |
ok djm
|
| |
|
|
|
| |
way they look like tame...
ok djm
|
| | |
|
| |
|
|
| |
Found the hard way by Mark Patruck.
|
| |
|
|
|
|
|
| |
feasible. Currently, mg does this check much later on which means some
functions (e.g showbuffer()) are called multiple times. This fixes the
location of the cursor when opening a directory using filevisit,
findvisitalt and poptofile. ok jasper@
|
| |
|
|
| |
ok deraadt guenther
|
| |
|
|
| |
ok millert@
|
| |
|
|
|
|
| |
Convert eread(buf, a2, a3, a4) to eread("%s", a2, a3, a4, buf)
ok millert@ lum@
|
| |
|
|
| |
Problem reported by jasper@ and ok jasper@
|
| |
|
|
| |
ok millert@
|
| |
|
|
|
|
| |
mismatches this revealed
ok espie@
|
| |
|
|
| |
(others require more care)
|
| | |
|
| | |
|
| | |
|
| | |
|
nicm
deraadt
guenther
tedu
otto
tim
zhuk
jmc
ratchov
jsing
lum
jasper
schwarze