During getopt(), an optional file may be opened. After that, tame "stdio"

works.

Time for some commentary!  tame became possible because syslog(3) in
openbsd uses a system call -- sendsyslog(2) -- which does not require
an elaborate dance opening an AF_UNIX socket and using connect() or
send() to deliver to a "/dev/log" unix socket in the filesystem.
sendsyslog(2) was invented to ensure the stack-protector's
__stack_smash_handler() can gaurantee delivery of failure messages to
syslogd(8) in harsh conditions -- such as file descriptor exhaustion
or inside chroot(2).  Now it also works in tame(2)'d proceses, since
sendsyslog(2) is always allowed.  Our syslog(3) needs no elaborate
socket code, therefore piles of software does not have an inate need
for socket(2), connect(2), send(2), nor access to the filesystem.
syslog(3) remains fully compatible otherwise.

How does the stack protector report an error in fully capsicum'd
program?  Or in some other Linux protection mechanism, if someone
protectes a program too far and takes sockets away, how do they see
the stack protector working?

You can have nice things when the underlying rules change.

diff --git a/usr.bin/logger/logger.c b/usr.bin/logger/logger.c
index 41d6e1f..01b8eb1 100644 (file)
--- a/usr.bin/logger/logger.c
+++ b/usr.bin/logger/logger.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: logger.c,v 1.14 2015/04/18 18:28:37 deraadt Exp $     */
+/*     $OpenBSD: logger.c,v 1.15 2015/10/05 23:59:11 deraadt Exp $     */
 /*     $NetBSD: logger.c,v 1.4 1994/12/22 06:27:00 jtc Exp $   */
 
 /*
@@ -37,6 +37,7 @@
 #include <stdio.h>
 #include <ctype.h>
 #include <string.h>
+#include <err.h>
 
 #define        SYSLOG_NAMES
 #include <syslog.h>
@@ -92,6 +93,9 @@ main(int argc, char *argv[])
        openlog(tag ? tag : getlogin(), logflags, 0);
        (void) fclose(stdout);
 
+       if (tame("stdio", NULL) == -1)
+               err(1, "tame");
+
        /* log input line if appropriate */
        if (argc > 0) {
                char *p, *endp;