Add the tame "exec" request. This allows processes which request

"exec" to call execve(2), potentially fork(2) beforehands if they
asked for "proc".  Calling execve is what "shells" (ksh, tmux, etc)
have as their primary purpose.  But meantime, if such a shell has a
nasty bug, we want to mitigate the process from opening a socket or
calling 100+ other system calls.  Unfortunately silver bullets are in
short supply, so if our goal is to stay in a POSIX-y environment, we
have to let shells call execve().  POSIX ate the world, so choices do
we all have?
Warning for many: silver bullets are even more rare in other OS
ecosystems, so please accept this as a narrow lowering of the bar in a
very raised environment.
Commited from a machine running tame "proc exec" ksh, make, etc.

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 3c52e1a..8c2287b 100644 (file)
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_exec.c,v 1.166 2015/10/02 15:49:22 deraadt Exp $ */
+/*     $OpenBSD: kern_exec.c,v 1.167 2015/10/07 03:47:43 deraadt Exp $ */
 /*     $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $  */
 
 /*-
@@ -53,6 +53,7 @@
 #include <sys/signalvar.h>
 #include <sys/stat.h>
 #include <sys/conf.h>
+#include <sys/tame.h>
 #ifdef SYSVSHM
 #include <sys/shm.h>
 #endif
@@ -550,6 +551,9 @@ sys_execve(struct proc *p, void *v, register_t *retval)
        else
                atomic_clearbits_int(&pr->ps_flags, PS_SUGIDEXEC);
 
+       atomic_clearbits_int(&pr->ps_flags, PS_TAMED);
+       tame_dropwpaths(pr);
+
        /*
         * deal with set[ug]id.
         * MNT_NOEXEC has already been used to disable s[ug]id.

diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index 8c15f83..bb9d1aa 100644 (file)
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_exit.c,v 1.152 2015/09/11 08:22:31 guenther Exp $        */
+/*     $OpenBSD: kern_exit.c,v 1.153 2015/10/07 03:47:43 deraadt Exp $ */
 /*     $NetBSD: kern_exit.c,v 1.39 1996/04/22 01:38:25 christos Exp $  */
 
 /*
@@ -650,15 +650,7 @@ process_zap(struct process *pr)
         */
        (void)chgproccnt(pr->ps_ucred->cr_ruid, -1);
 
-       if (pr->ps_tamepaths && --pr->ps_tamepaths->wl_ref == 0) {
-               struct whitepaths *wl = pr->ps_tamepaths;
-               int i;
-
-               for (i = 0; i < wl->wl_count; i++)
-                       free(wl->wl_paths[i].name, M_TEMP, wl->wl_paths[i].len);
-               free(wl, M_TEMP, wl->wl_size);
-       }
-       pr->ps_tamepaths = NULL;
+       tame_dropwpaths(pr);
 
        /*
         * Release reference to text vnode

diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index 40a2aa2..eda216a 100644 (file)
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_tame.c,v 1.65 2015/10/06 18:35:09 deraadt Exp $  */
+/*     $OpenBSD: kern_tame.c,v 1.66 2015/10/07 03:47:43 deraadt Exp $  */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -141,6 +141,8 @@ const u_int tame_syscalls[SYS_MAXSYSCALL] = {
        [SYS_sigsuspend] = TAME_PROC,
        [SYS_setrlimit] = TAME_PROC,
 
+       [SYS_execve] = TAME_EXEC,
+
        [SYS_setgroups] = TAME_PROC,
        [SYS_setresgid] = TAME_PROC,
        [SYS_setresuid] = TAME_PROC,
@@ -238,6 +240,7 @@ static const struct {
        { "ioctl",              TAME_IOCTL },
        { "tty",                TAME_TTY },
        { "proc",               TAME_PROC },
+       { "exec",               TAME_EXEC },
        { "cpath",              TAME_CPATH },
        { "abort",              TAME_ABORT },
        { "fattr",              TAME_FATTR },
@@ -1115,6 +1118,20 @@ tame_dns_check(struct proc *p, in_port_t port)
        return (EPERM);
 }
 
+void
+tame_dropwpaths(struct process *pr)
+{
+       if (pr->ps_tamepaths && --pr->ps_tamepaths->wl_ref == 0) {
+               struct whitepaths *wl = pr->ps_tamepaths;
+               int i;
+
+               for (i = 0; i < wl->wl_count; i++)
+                       free(wl->wl_paths[i].name, M_TEMP, wl->wl_paths[i].len);
+               free(wl, M_TEMP, wl->wl_size);
+       }
+       pr->ps_tamepaths = NULL;
+}
+
 int
 canonpath(const char *input, char *buf, size_t bufsize)
 {

diff --git a/sys/sys/tame.h b/sys/sys/tame.h
index 8cfbd03..738ebac 100644 (file)
--- a/sys/sys/tame.h
+++ b/sys/sys/tame.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: tame.h,v 1.10 2015/10/06 15:21:26 deraadt Exp $       */
+/*     $OpenBSD: tame.h,v 1.11 2015/10/07 03:47:43 deraadt Exp $       */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -43,6 +43,7 @@
 #define TAME_TTY       0x00010000      /* tty setting */
 #define TAME_SENDFD    0x00020000      /* AF_UNIX CMSG fd sending */
 #define TAME_RECVFD    0x00040000      /* AF_UNIX CMSG fd receiving */
+#define TAME_EXEC      0x00080000      /* execve, child is free of tame */
 
 #define TAME_ABORT     0x08000000      /* SIGABRT instead of SIGKILL */
 
@@ -82,6 +83,7 @@ struct whitepaths {
                size_t          len;
        } wl_paths[0];
 };
+void   tame_dropwpaths(struct process *);
 
 #endif /* _KERNEL */