it's invoked with either -A/-C/-L, which at the time I left alone due to some
forbidden ioctls by pledge(2).
Now we have unveil(2) and this path can be further restricted by using it
instead of chroot(2), since this "sandbox" (not sure why people call about
everything a sandbox these days) can be escaped with *at(2) calls.
Since no filesystem access is needed here, we can disable its access by
calling unveil("/", "") and unveil(NULL, NULL).
added /* no filesystem visibility */ as per suggestion by and OK deraadt@
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
looked at the error handling here, and.... oh my.
If opening /dev/pf on startup fails, don't just warn and move on, but bail.
If chroot (or the chdir after) fail, don't just warn and move on, bail.
If dropping privileges fails, the last thing we want to do is to just move
on with root privs, having warned or not.
If the pipe to the parent process is closed, that almost certainly means
that the parent process went away, and it absolutely certainly means that
the table handler process has no meaningful reason to exist any more, thus
bail.
ok florian ccardenas krw
log_warn(). Zap a couple of explicit 'syslog()' calls.
fatalx() -> fatal() and even a couple of fprintf(stderr) -> log_warn().
ok benno@
"Looks good" to deraadt@
each *.c file.
Inspired by mention of header silliness by Edgar Pettijohn and mmcc@
on tech@.
closed. e.g. dhcpd has been killed.
ok henning@
ports is ready, <net/pfvar.h> will stop including a pile of baloney.
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
asking for confusion. Replace bcopy()'s with memcpy()'s.
"-L leased" wouldn't work without "-A abandoned".
testing help from merdely
"i like" deraadt
ok ckuethe deraadt
periodically - based on the length of the shortest lease time - walk across
all leases searching for expired leases which are then removed from the pf
table.
ok henning
we might have conditionally sent a message, we now just call the pfmsg()
function, and let it figure out whether the message should be sent or not.
ok henning
ok henning
ok henning@
dhcpd is now able to place abandoned addresses into a table (to offer some
protection against machines camping on an address) and remove them from the
table if they are properly leased.
When dhcpd assigns an IP to a new hardware address, it can remove that
address from a table. This is for use with the overload table in pf; newly
arrived machines will not be punished for the actions of a machine that
went away.
beck@ and krw@ liked previous versions of this, henning@ final ok