add an exception to the CPU_ID_AA64ISAR0 in pledged applications so that

libcrypto can access this sysctl on arm64 without restrictions to determine
cpu features

ok deraadt@, kettenis@

diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index eaedbe3..b269ba9 100644 (file)
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_pledge.c,v 1.280 2022/02/25 18:24:01 tedu Exp $  */
+/*     $OpenBSD: kern_pledge.c,v 1.281 2022/03/25 17:40:59 robert Exp $        */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -999,6 +999,12 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, void *new)
                return (0);
 #endif /* CPU_SSE */
 
+#ifdef CPU_ID_AA64ISAR0
+       if (miblen == 2 &&              /* arm64 libcrypto inspects CPU features */
+           mib[0] == CTL_MACHDEP && mib[1] == CPU_ID_AA64ISAR0)
+               return (0);
+#endif /* CPU_ID_AA64ISAR0 */
+
        snprintf(buf, sizeof(buf), "%s(%d): pledge sysctl %d:",
            p->p_p->ps_comm, p->p_p->ps_pid, miblen);
        for (i = 0; i < miblen; i++) {