Decouple unveil from the pledge flags, by adding dedicated unveil flags

to the namei args. This fixes a bug where chmod would be allowed when
with only READ. This also allows some further cleanup of some awkward
things like PLEDGE_STAT that will follow
Lots of assistence from semarie@ - thanks!
ok semarie@

diff --git a/sys/dev/diskmap.c b/sys/dev/diskmap.c
index d13763d..bd7509c 100644 (file)
--- a/sys/dev/diskmap.c
+++ b/sys/dev/diskmap.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: diskmap.c,v 1.22 2018/07/04 12:42:30 mpi Exp $        */
+/*     $OpenBSD: diskmap.c,v 1.23 2018/08/05 14:23:57 beck Exp $       */
 
 /*
  * Copyright (c) 2009, 2010 Joel Sing <jsing@openbsd.org>
@@ -85,6 +85,7 @@ diskmapioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p)
 
        NDINIT(&ndp, 0, 0, UIO_SYSSPACE, devname, p);
        ndp.ni_pledge = PLEDGE_RPATH;
+       ndp.ni_unveil = UNVEIL_READ;
        if ((error = vn_open(&ndp, fp0->f_flag, 0)) != 0)
                goto invalid;
 

diff --git a/sys/kern/exec_elf.c b/sys/kern/exec_elf.c
index 4af0134..79cbce3 100644 (file)
--- a/sys/kern/exec_elf.c
+++ b/sys/kern/exec_elf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: exec_elf.c,v 1.145 2018/07/20 21:57:26 deraadt Exp $  */
+/*     $OpenBSD: exec_elf.c,v 1.146 2018/08/05 14:23:57 beck Exp $     */
 
 /*
  * Copyright (c) 1996 Per Fogelstrom
@@ -332,6 +332,7 @@ elf_load_file(struct proc *p, char *path, struct exec_package *epp,
 
        NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, path, p);
        nd.ni_pledge = PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_READ;
        if ((error = namei(&nd)) != 0) {
                return (error);
        }

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 0f71fb9..5e5c3de 100644 (file)
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_exec.c,v 1.200 2018/07/20 21:57:26 deraadt Exp $ */
+/*     $OpenBSD: kern_exec.c,v 1.201 2018/08/05 14:23:57 beck Exp $    */
 /*     $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $  */
 
 /*-
@@ -275,6 +275,7 @@ sys_execve(struct proc *p, void *v, register_t *retval)
 
        NDINIT(&nid, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
        nid.ni_pledge = PLEDGE_EXEC;
+       nid.ni_unveil = UNVEIL_EXEC;
 
        /*
         * initialize the fields of the exec package.

diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 7315d41..39249d4 100644 (file)
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_ktrace.c,v 1.98 2018/06/20 10:48:55 mpi Exp $    */
+/*     $OpenBSD: kern_ktrace.c,v 1.99 2018/08/05 14:23:57 beck Exp $   */
 /*     $NetBSD: kern_ktrace.c,v 1.23 1996/02/09 18:59:36 christos Exp $        */
 
 /*
@@ -513,6 +513,7 @@ sys_ktrace(struct proc *p, void *v, register_t *retval)
                cred = p->p_ucred;
                NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, fname, p);
                nd.ni_pledge = PLEDGE_CPATH | PLEDGE_WPATH;
+               nd.ni_unveil = UNVEIL_CREATE | UNVEIL_WRITE;
                if ((error = vn_open(&nd, FWRITE|O_NOFOLLOW, 0)) != 0)
                        return error;
                vp = nd.ni_vp;

diff --git a/sys/kern/kern_unveil.c b/sys/kern/kern_unveil.c
index 7e7b30f..a89f0b2 100644 (file)
--- a/sys/kern/kern_unveil.c
+++ b/sys/kern/kern_unveil.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_unveil.c,v 1.10 2018/08/05 13:59:38 beck Exp $   */
+/*     $OpenBSD: kern_unveil.c,v 1.11 2018/08/05 14:23:57 beck Exp $   */
 
 /*
  * Copyright (c) 2017-2018 Bob Beck <beck@openbsd.org>
@@ -40,6 +40,11 @@
 #define UNVEIL_MAX_VNODES      128
 #define UNVEIL_MAX_NAMES       128
 
+#define        UNVEIL_READ     0x01
+#define        UNVEIL_WRITE    0x02
+#define        UNVEIL_CREATE   0x04
+#define        UNVEIL_EXEC     0x08
+
 static inline int
 unvname_compare(const struct unvname *n1, const struct unvname *n2)
 {
@@ -50,7 +55,7 @@ unvname_compare(const struct unvname *n1, const struct unvname *n2)
 }
 
 struct unvname *
-unvname_new(const char *name, size_t size, uint64_t flags)
+unvname_new(const char *name, size_t size, u_char flags)
 {
        struct unvname *ret = malloc(sizeof(struct unvname), M_PROC, M_WAITOK);
        ret->un_name = malloc(size, M_PROC, M_WAITOK);
@@ -118,7 +123,7 @@ unveil_delete_names(struct unveil *uv)
 }
 
 void
-unveil_add_name(struct unveil *uv, char *name, uint64_t flags)
+unveil_add_name(struct unveil *uv, char *name, u_char flags)
 {
        struct unvname *unvn;
 
@@ -310,7 +315,7 @@ unveil_lookup(struct vnode *vp, struct proc *p)
 }
 
 int
-unveil_parsepermissions(const char *permissions, uint64_t *perms)
+unveil_parsepermissions(const char *permissions, u_char *perms)
 {
        size_t i = 0;
        char c;
@@ -319,16 +324,16 @@ unveil_parsepermissions(const char *permissions, uint64_t *perms)
        while ((c = permissions[i++]) != '\0') {
                switch (c) {
                case 'r':
-                       *perms |= PLEDGE_RPATH;
+                       *perms |= UNVEIL_READ;
                        break;
                case 'w':
-                       *perms |= PLEDGE_WPATH;
+                       *perms |= UNVEIL_WRITE;
                        break;
                case 'x':
-                       *perms |= PLEDGE_EXEC;
+                       *perms |= UNVEIL_EXEC;
                        break;
                case 'c':
-                       *perms |= PLEDGE_CPATH;
+                       *perms |= UNVEIL_CREATE;
                        break;
                default:
                        return -1;
@@ -338,7 +343,7 @@ unveil_parsepermissions(const char *permissions, uint64_t *perms)
 }
 
 int
-unveil_setflags(uint64_t *flags, uint64_t nflags)
+unveil_setflags(u_char *flags, u_char nflags)
 {
 #if 0
        if (((~(*flags)) & nflags) != 0) {
@@ -403,7 +408,7 @@ unveil_add(struct proc *p, struct nameidata *ndp, const char *permissions)
        struct unveil *uv;
        int directory_add;
        int ret = EINVAL;
-       u_int64_t flags;
+       u_char flags;
 
        KASSERT(ISSET(ndp->ni_cnd.cn_flags, HASBUF)); /* must have SAVENAME */
 
@@ -530,9 +535,10 @@ unveil_add(struct proc *p, struct nameidata *ndp, const char *permissions)
  * XXX collapse down later once debug surely unneded
  */
 int
-unveil_flagmatch(struct nameidata *ni, uint64_t flags)
+unveil_flagmatch(struct nameidata *ni, u_char flags)
 {
        if (flags == 0) {
+               /* XXX Fix this, you can do it better */
                if (ni->ni_pledge & PLEDGE_STAT) {
 #ifdef DEBUG_UNVEIL
                        printf("allowing stat/accesss for 0 flags");
@@ -552,34 +558,34 @@ unveil_flagmatch(struct nameidata *ni, uint64_t flags)
                CLR(ni->ni_pledge, PLEDGE_STATLIE);
                return 1;
        }
-       if (ni->ni_pledge & PLEDGE_RPATH) {
-               if ((flags & PLEDGE_RPATH) == 0) {
+       if (ni->ni_unveil & UNVEIL_READ) {
+               if ((flags & UNVEIL_READ) == 0) {
 #ifdef DEBUG_UNVEIL
-                       printf("Pledge wants read but disallowed\n");
+                       printf("unveil lacks UNVEIL_READ\n");
 #endif
                        return 0;
                }
        }
-       if (ni->ni_pledge & PLEDGE_WPATH) {
-               if ((flags & PLEDGE_WPATH) == 0) {
+       if (ni->ni_unveil & UNVEIL_WRITE) {
+               if ((flags & UNVEIL_WRITE) == 0) {
 #ifdef DEBUG_UNVEIL
-                       printf("Pledge wants write but disallowed\n");
+                       printf("unveil lacks UNVEIL_WRITE\n");
 #endif
                        return 0;
                }
        }
-       if (ni->ni_pledge & PLEDGE_EXEC) {
-               if ((flags & PLEDGE_EXEC) == 0) {
+       if (ni->ni_unveil & UNVEIL_EXEC) {
+               if ((flags & UNVEIL_EXEC) == 0) {
 #ifdef DEBUG_UNVEIL
-                       printf("Pledge wants exec but disallowed\n");
+                       printf("unveil lacks UNVEIL_EXEC\n");
 #endif
                        return 0;
                }
        }
-       if (ni->ni_pledge & PLEDGE_CPATH) {
-               if ((flags & PLEDGE_CPATH) == 0) {
+       if (ni->ni_unveil & UNVEIL_CREATE) {
+               if ((flags & UNVEIL_CREATE) == 0) {
 #ifdef DEBUG_UNVEIL
-                       printf("Pledge wants cpath but disallowed\n");
+                       printf("unveil lacks UNVEIL_CREATE\n");
 #endif
                        return 0;
                }

diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index 3c38014..6493730 100644 (file)
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: tty.c,v 1.141 2018/06/16 13:55:03 deraadt Exp $       */
+/*     $OpenBSD: tty.c,v 1.142 2018/08/05 14:23:57 beck Exp $  */
 /*     $NetBSD: tty.c,v 1.68.4.2 1996/06/06 16:04:52 thorpej Exp $     */
 
 /*-
@@ -792,6 +792,7 @@ ttioctl(struct tty *tp, u_long cmd, caddr_t data, int flag, struct proc *p)
                        /* ensure user can open the real console */
                        NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, "/dev/console", p);
                        nid.ni_pledge = PLEDGE_RPATH | PLEDGE_WPATH;
+                       nid.ni_unveil = UNVEIL_READ | UNVEIL_WRITE;
                        error = namei(&nid);
                        if (error)
                                return (error);

diff --git a/sys/kern/tty_pty.c b/sys/kern/tty_pty.c
index 3b17c52..8df0683 100644 (file)
--- a/sys/kern/tty_pty.c
+++ b/sys/kern/tty_pty.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: tty_pty.c,v 1.87 2018/06/18 09:15:05 mpi Exp $        */
+/*     $OpenBSD: tty_pty.c,v 1.88 2018/08/05 14:23:57 beck Exp $       */
 /*     $NetBSD: tty_pty.c,v 1.33.4.1 1996/06/02 09:08:11 mrg Exp $     */
 
 /*
@@ -1117,6 +1117,7 @@ retry:
                NDINIT(&snd, LOOKUP, NOFOLLOW|LOCKLEAF, UIO_SYSSPACE,
                    pti->pty_sn, p);
                snd.ni_pledge = PLEDGE_RPATH | PLEDGE_WPATH;
+               snd.ni_unveil = UNVEIL_READ | UNVEIL_WRITE;
                if ((error = namei(&snd)) != 0)
                        goto bad;
                if ((snd.ni_vp->v_mount->mnt_flag & MNT_RDONLY) == 0) {
@@ -1151,6 +1152,7 @@ retry:
                NDINIT(&snd, LOOKUP, NOFOLLOW|LOCKLEAF, UIO_SYSSPACE,
                    pti->pty_sn, p);
                snd.ni_pledge = PLEDGE_RPATH | PLEDGE_WPATH;
+               snd.ni_unveil= UNVEIL_READ | UNVEIL_WRITE;
                /* now open it */
                if ((error = ptm_vn_open(&snd)) != 0)
                        goto bad;

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 0fdc307..7daa79f 100644 (file)
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: vfs_syscalls.c,v 1.300 2018/08/03 02:36:11 beck Exp $ */
+/*     $OpenBSD: vfs_syscalls.c,v 1.301 2018/08/05 14:23:57 beck Exp $ */
 /*     $NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $        */
 
 /*
@@ -638,6 +638,7 @@ sys_statfs(struct proc *p, void *v, register_t *retval)
 
        NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
        nd.ni_pledge = PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_READ;
        nd.ni_cnd.cn_flags |= BYPASSUNVEIL;
        if ((error = namei(&nd)) != 0)
                return (error);
@@ -809,6 +810,7 @@ sys_chdir(struct proc *p, void *v, register_t *retval)
        NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE,
            SCARG(uap, path), p);
        nd.ni_pledge = PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_READ;
        if ((error = change_dir(&nd, p)) != 0)
                return (error);
        p->p_p->ps_uvpcwd = nd.ni_unveil_match;
@@ -992,6 +994,7 @@ doopenat(struct proc *p, int fd, const char *path, int oflags, mode_t mode,
        struct flock lf;
        struct nameidata nd;
        uint64_t ni_pledge = 0;
+       u_char ni_unveil = 0;
 
        if (oflags & (O_EXLOCK | O_SHLOCK)) {
                error = pledge_flock(p);
@@ -1007,18 +1010,25 @@ doopenat(struct proc *p, int fd, const char *path, int oflags, mode_t mode,
        fdpunlock(fdp);
 
        flags = FFLAGS(oflags);
-       if (flags & FREAD)
+       if (flags & FREAD) {
                ni_pledge |= PLEDGE_RPATH;
-       if (flags & FWRITE)
+               ni_unveil |= UNVEIL_READ;
+       }
+       if (flags & FWRITE) {
                ni_pledge |= PLEDGE_WPATH;
-       if (oflags & O_CREAT)
+               ni_unveil |= UNVEIL_WRITE;
+       }
+       if (oflags & O_CREAT) {
                ni_pledge |= PLEDGE_CPATH;
+               ni_unveil |= UNVEIL_CREATE;
+       }
 
        cmode = ((mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
        if ((p->p_p->ps_flags & PS_PLEDGE))
                cmode &= ACCESSPERMS;
        NDINITAT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, fd, path, p);
        nd.ni_pledge = ni_pledge;
+       nd.ni_unveil = ni_unveil;
        p->p_dupfd = -1;                        /* XXX check for fdopen */
        if ((flags & O_TRUNC) && (flags & (O_EXLOCK | O_SHLOCK))) {
                localtrunc = 1;
@@ -1383,6 +1393,7 @@ domknodat(struct proc *p, int fd, const char *path, mode_t mode, dev_t dev)
                return (EINVAL);
        NDINITAT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, fd, path, p);
        nd.ni_pledge = PLEDGE_DPATH;
+       nd.ni_unveil = UNVEIL_CREATE;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;
@@ -1519,6 +1530,7 @@ dolinkat(struct proc *p, int fd1, const char *path1, int fd2,
        follow = (flag & AT_SYMLINK_FOLLOW) ? FOLLOW : NOFOLLOW;
        NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd1, path1, p);
        nd.ni_pledge = PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_READ;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;
@@ -1530,6 +1542,7 @@ dolinkat(struct proc *p, int fd1, const char *path1, int fd2,
 
        NDINITAT(&nd, CREATE, flags, UIO_USERSPACE, fd2, path2, p);
        nd.ni_pledge = PLEDGE_CPATH;
+       nd.ni_unveil = UNVEIL_CREATE;
        if ((error = namei(&nd)) != 0)
                goto out;
        if (nd.ni_vp) {
@@ -1589,6 +1602,7 @@ dosymlinkat(struct proc *p, const char *upath, int fd, const char *link)
                goto out;
        NDINITAT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, fd, link, p);
        nd.ni_pledge = PLEDGE_CPATH;
+       nd.ni_unveil = UNVEIL_CREATE;
        if ((error = namei(&nd)) != 0)
                goto out;
        if (nd.ni_vp) {
@@ -1648,6 +1662,7 @@ dounlinkat(struct proc *p, int fd, const char *path, int flag)
        NDINITAT(&nd, DELETE, LOCKPARENT | LOCKLEAF, UIO_USERSPACE,
            fd, path, p);
        nd.ni_pledge = PLEDGE_CPATH;
+       nd.ni_unveil = UNVEIL_CREATE;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;
@@ -1795,6 +1810,7 @@ dofaccessat(struct proc *p, int fd, const char *path, int amode, int flag)
 
        NDINITAT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, fd, path, p);
        nd.ni_pledge = PLEDGE_RPATH | PLEDGE_STAT;
+       nd.ni_unveil = 0; /* XXX fix this when we fix PLEDGE_STAT */
        if ((error = namei(&nd)) != 0)
                goto out;
        vp = nd.ni_vp;
@@ -1865,6 +1881,7 @@ dofstatat(struct proc *p, int fd, const char *path, struct stat *buf, int flag)
        follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
        NDINITAT(&nd, LOOKUP, follow | LOCKLEAF, UIO_USERSPACE, fd, path, p);
        nd.ni_pledge = PLEDGE_RPATH | PLEDGE_STAT;
+       nd.ni_unveil = 0;
        if ((error = namei(&nd)) != 0)
                return (error);
        error = vn_stat(nd.ni_vp, &sb, p);
@@ -1923,6 +1940,7 @@ sys_pathconf(struct proc *p, void *v, register_t *retval)
        NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE,
            SCARG(uap, path), p);
        nd.ni_pledge = PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_READ;
        if ((error = namei(&nd)) != 0)
                return (error);
        error = VOP_PATHCONF(nd.ni_vp, SCARG(uap, name), retval);
@@ -1972,6 +1990,7 @@ doreadlinkat(struct proc *p, int fd, const char *path, char *buf,
 
        NDINITAT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF, UIO_USERSPACE, fd, path, p);
        nd.ni_pledge = PLEDGE_RPATH | PLEDGE_STAT;
+       nd.ni_unveil = 0;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;
@@ -2035,6 +2054,7 @@ dochflagsat(struct proc *p, int fd, const char *path, u_int flags, int atflags)
        follow = (atflags & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
        NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p);
        nd.ni_pledge = PLEDGE_FATTR | PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_WRITE;
        if ((error = namei(&nd)) != 0)
                return (error);
        return (dovchflags(p, nd.ni_vp, flags));
@@ -2138,6 +2158,7 @@ dofchmodat(struct proc *p, int fd, const char *path, mode_t mode, int flag)
        follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
        NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p);
        nd.ni_pledge = PLEDGE_FATTR | PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_WRITE;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;
@@ -2237,6 +2258,7 @@ dofchownat(struct proc *p, int fd, const char *path, uid_t uid, gid_t gid,
        follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
        NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p);
        nd.ni_pledge = PLEDGE_CHOWN | PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_WRITE;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;
@@ -2289,6 +2311,7 @@ sys_lchown(struct proc *p, void *v, register_t *retval)
 
        NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
        nd.ni_pledge = PLEDGE_CHOWN | PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_WRITE;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;
@@ -2441,6 +2464,7 @@ doutimensat(struct proc *p, int fd, const char *path,
        follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW;
        NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p);
        nd.ni_pledge = PLEDGE_FATTR | PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_WRITE;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;
@@ -2588,6 +2612,7 @@ sys_truncate(struct proc *p, void *v, register_t *retval)
 
        NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
        nd.ni_pledge = PLEDGE_FATTR | PLEDGE_RPATH;
+       nd.ni_unveil = UNVEIL_WRITE;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;
@@ -2713,6 +2738,7 @@ dorenameat(struct proc *p, int fromfd, const char *from, int tofd,
        NDINITAT(&fromnd, DELETE, WANTPARENT | SAVESTART, UIO_USERSPACE,
            fromfd, from, p);
        fromnd.ni_pledge = PLEDGE_RPATH | PLEDGE_CPATH;
+       fromnd.ni_unveil = UNVEIL_READ | UNVEIL_CREATE;
        if ((error = namei(&fromnd)) != 0)
                return (error);
        fvp = fromnd.ni_vp;
@@ -2726,6 +2752,7 @@ dorenameat(struct proc *p, int fromfd, const char *from, int tofd,
 
        NDINITAT(&tond, RENAME, flags, UIO_USERSPACE, tofd, to, p);
        tond.ni_pledge = PLEDGE_CPATH;
+       tond.ni_unveil = UNVEIL_CREATE;
        if ((error = namei(&tond)) != 0) {
                VOP_ABORTOP(fromnd.ni_dvp, &fromnd.ni_cnd);
                vrele(fromnd.ni_dvp);
@@ -2819,6 +2846,7 @@ domkdirat(struct proc *p, int fd, const char *path, mode_t mode)
        NDINITAT(&nd, CREATE, LOCKPARENT | STRIPSLASHES, UIO_USERSPACE,
            fd, path, p);
        nd.ni_pledge = PLEDGE_CPATH;
+       nd.ni_unveil = UNVEIL_CREATE;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;
@@ -2945,6 +2973,7 @@ sys_revoke(struct proc *p, void *v, register_t *retval)
 
        NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p);
        nd.ni_pledge = PLEDGE_RPATH | PLEDGE_TTY;
+       nd.ni_unveil = UNVEIL_READ;
        if ((error = namei(&nd)) != 0)
                return (error);
        vp = nd.ni_vp;

diff --git a/sys/sys/namei.h b/sys/sys/namei.h
index a7f8acc..01cd786 100644 (file)
--- a/sys/sys/namei.h
+++ b/sys/sys/namei.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: namei.h,v 1.35 2018/07/13 09:25:23 beck Exp $ */
+/*     $OpenBSD: namei.h,v 1.36 2018/08/05 14:23:57 beck Exp $ */
 /*     $NetBSD: namei.h,v 1.11 1996/02/09 18:25:20 christos Exp $      */
 
 /*
@@ -59,6 +59,7 @@ struct nameidata {
        struct  vnode *ni_startdir;     /* starting directory */
        struct  vnode *ni_rootdir;      /* logical root directory */
        uint64_t ni_pledge;             /* expected pledge for namei */
+       u_char ni_unveil;               /* required unveil flags for namei */
        /*
         * Results: returned from/manipulated by lookup
         */
@@ -250,4 +251,11 @@ struct     nchstats {
        { "ncs_dothits", CTLTYPE_QUAD },        \
        { "nch_dotdothits", CTLTYPE_QUAD },     \
 }
+
+/* Unveil flags for namei */
+#define        UNVEIL_READ     0x01
+#define        UNVEIL_WRITE    0x02
+#define        UNVEIL_CREATE   0x04
+#define        UNVEIL_EXEC     0x08
+
 #endif /* !_SYS_NAMEI_H_ */

diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 59eae61..6f088a5 100644 (file)
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: proc.h,v 1.254 2018/07/28 18:07:26 deraadt Exp $      */
+/*     $OpenBSD: proc.h,v 1.255 2018/08/05 14:23:57 beck Exp $ */
 /*     $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $       */
 
 /*-
@@ -130,7 +130,7 @@ struct tusage {
 struct unvname {
        char                    *un_name;
        size_t                  un_namesize;
-       uint64_t                un_flags;
+       u_char                  un_flags;
        RBT_ENTRY(unvnmae)      un_rbt;
 };
 
@@ -424,7 +424,7 @@ struct unveil {
        struct vnode            *uv_vp;
        struct unvname_rbt      uv_names;
        struct rwlock           uv_lock;
-       u_int64_t               uv_flags;
+       u_char                  uv_flags;
 };
 
 struct uidinfo {