From: deraadt <deraadt@openbsd.org>
Date: Fri, 9 Oct 2015 01:24:57 +0000 (+0000)
Subject: tame -> pledge conversion, in libc.  I should crank libc, but am cheating
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=4c738cc8dfcda4dd9f8b01ab736a275a5eeb36f7;p=openbsd

tame -> pledge conversion, in libc.  I should crank libc, but am cheating
hoping things go well.  The old symbol is faked via a stupid stub function,
until next major crank when it can be removed.  I am expecting guenther
to scream at me.
---

diff --git a/lib/libc/Symbols.list b/lib/libc/Symbols.list
index 45f2cfb78f0..87186ac0f22 100644
--- a/lib/libc/Symbols.list
+++ b/lib/libc/Symbols.list
@@ -162,8 +162,9 @@ _thread_sys_nfssvc
 _thread_sys_open
 _thread_sys_openat
 _thread_sys_pathconf
-_thread_sys_pipe2
 _thread_sys_pipe
+_thread_sys_pipe2
+_thread_sys_pledge
 _thread_sys_poll
 _thread_sys_ppoll
 _thread_sys_pread
@@ -354,8 +355,9 @@ nfssvc
 open
 openat
 pathconf
-pipe2
 pipe
+pipe2
+pledge
 poll
 posix_madvise
 ppoll
diff --git a/lib/libc/sys/Makefile.inc b/lib/libc/sys/Makefile.inc
index b3d83a013c3..50413efb932 100644
--- a/lib/libc/sys/Makefile.inc
+++ b/lib/libc/sys/Makefile.inc
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile.inc,v 1.130 2015/09/13 17:08:03 guenther Exp $
+#	$OpenBSD: Makefile.inc,v 1.131 2015/10/09 01:24:57 deraadt Exp $
 #	$NetBSD: Makefile.inc,v 1.35 1995/10/16 23:49:07 jtc Exp $
 #	@(#)Makefile.inc	8.1 (Berkeley) 6/17/93
 
@@ -17,7 +17,7 @@ SRCS+=	posix_madvise.c w_fork.c
 # with old syscall interfaces.
 SRCS+=	ftruncate.c lseek.c mquery.c mmap.c ptrace.c semctl.c truncate.c \
 	timer_create.c timer_delete.c timer_getoverrun.c timer_gettime.c \
-	timer_settime.c pread.c preadv.c pwrite.c pwritev.c
+	timer_settime.c pread.c preadv.c pwrite.c pwritev.c tame.c
 
 # stack protector helper functions
 SRCS+=	stack_protector.c
@@ -45,7 +45,7 @@ ASM=	__get_tcb.o __getcwd.o __semctl.o __set_tcb.o __syscall.o \
 	mknod.o mknodat.o mlock.o mlockall.o mount.o mprotect.o \
 	msgctl.o msgget.o msgrcv.o msgsnd.o msync.o munlock.o \
 	munlockall.o munmap.o nanosleep.o nfssvc.o \
-	open.o openat.o pathconf.o pipe.o pipe2.o \
+	open.o openat.o pathconf.o pipe.o pipe2.o pledge.o \
 	poll.o ppoll.o profil.o pselect.o \
 	quotactl.o read.o readlink.o readlinkat.o readv.o reboot.o \
 	recvfrom.o recvmsg.o rename.o renameat.o revoke.o rmdir.o \
@@ -56,7 +56,7 @@ ASM=	__get_tcb.o __getcwd.o __semctl.o __set_tcb.o __syscall.o \
 	settimeofday.o setuid.o shmat.o shmctl.o shmdt.o \
 	shmget.o shutdown.o sigaction.o sigaltstack.o socket.o \
 	socketpair.o stat.o statfs.o swapctl.o symlink.o symlinkat.o \
-	sync.o sysarch.o sysctl.o tame.o umask.o unlink.o unlinkat.o \
+	sync.o sysarch.o sysctl.o umask.o unlink.o unlinkat.o \
 	unmount.o utimensat.o utimes.o utrace.o wait4.o write.o writev.o
 
 SRCS+=	${SRCS_${MACHINE_CPU}}
@@ -142,7 +142,7 @@ MAN+=	__get_tcb.2 __thrsigdivert.2 __thrsleep.2 _exit.2 accept.2 \
 	mincore.2 minherit.2 mkdir.2 mkfifo.2 mknod.2 mlock.2 \
 	mlockall.2 mmap.2 mount.2 mprotect.2 mquery.2 msgctl.2 \
 	msgget.2 msgrcv.2 msgsnd.2 msync.2 munmap.2 nanosleep.2 \
-	nfssvc.2 open.2 pathconf.2 pipe.2 poll.2 profil.2 \
+	nfssvc.2 open.2 pathconf.2 pipe.2 pledge.2 poll.2 profil.2 \
 	ptrace.2 quotactl.2 read.2 readlink.2 reboot.2 recv.2 \
 	rename.2 revoke.2 rmdir.2 sched_yield.2 select.2 semctl.2 semget.2 \
 	semop.2 send.2 setgroups.2 setpgid.2 setregid.2 \
@@ -150,7 +150,7 @@ MAN+=	__get_tcb.2 __thrsigdivert.2 __thrsleep.2 _exit.2 accept.2 \
 	shmctl.2 shmget.2 shutdown.2 sigaction.2 sigaltstack.2 sigpending.2 \
 	sigprocmask.2 sigreturn.2 sigsuspend.2 socket.2 \
 	socketpair.2 stat.2 statfs.2 swapctl.2 symlink.2 \
-	sync.2 sysarch.2 syscall.2 tame.2 truncate.2 umask.2 unlink.2 \
+	sync.2 sysarch.2 syscall.2 truncate.2 umask.2 unlink.2 \
 	utimes.2 utrace.2 vfork.2 wait.2 write.2
 
 MLINKS+=__get_tcb.2 __set_tcb.2
diff --git a/lib/libc/sys/pledge.2 b/lib/libc/sys/pledge.2
new file mode 100644
index 00000000000..578f3e4a515
--- /dev/null
+++ b/lib/libc/sys/pledge.2
@@ -0,0 +1,456 @@
+.\" $OpenBSD: pledge.2,v 1.1 2015/10/09 01:24:57 deraadt Exp $
+.\"
+.\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: October 9 2015 $
+.Dt PLEDGE 2
+.Os
+.Sh NAME
+.Nm pledge
+.Nd restrict system operations
+.Sh SYNOPSIS
+.In unistd.h
+.Ft int
+.Fn pledge "const char *request" "const char *paths[]"
+.Sh DESCRIPTION
+The current process is forced into a restricted-service operating mode.
+A few subsets are available, roughly described as computation, memory
+management, read-write operations on file descriptors, opening of files,
+networking.
+In general, these modes were selected by studying the operation
+of many programs using libc and other such interfaces, and setting
+.Ar request
+or
+.Ar paths .
+.Pp
+Use of
+.Fn pledge
+in an application will require at least some study and understanding
+of the interfaces called.
+Subsequent calls to
+.Fn pledge
+can reduce the abilities further, but abilities can never be regained.
+.Pp
+A process which attempts a restricted operation is killed with
+.Dv SIGKILL .
+If
+.Va "abort"
+is set, then a non-blockable
+.Dv SIGABRT
+is delivered instead, possibly resulting in a
+.Xr core 5
+file.
+.Pp
+A
+.Fa request
+value of "" restricts the process to the
+.Xr _exit 2
+system call.
+This can be used for pure computation operating on memory shared
+with another process.
+.Pp
+All
+.Dv requests
+below (with the exception of
+.Va "abort" )
+permit the following system calls:
+.Bd -ragged -offset indent
+.Xr clock_getres 2 ,
+.Xr clock_gettime 2 ,
+.Xr fchdir 2 ,
+.Xr getdtablecount 2 ,
+.Xr getegid 2 ,
+.Xr geteuid 2 ,
+.Xr getgid 2 ,
+.Xr getgroups 2 ,
+.Xr getitimer 2 ,
+.Xr getlogin 2 ,
+.Xr getpgid 2 ,
+.Xr getpgrp 2 ,
+.Xr getpid 2 ,
+.Xr getppid 2 ,
+.Xr getresgid 2 ,
+.Xr getresuid 2 ,
+.Xr getrlimit 2 ,
+.Xr getsid 2 ,
+.Xr getthrid 2 ,
+.Xr gettimeofday 2 ,
+.Xr getuid 2 ,
+.Xr getuid 2 ,
+.Xr issetugid 2 ,
+.Xr nanosleep 2 ,
+.Xr sendsyslog 2 ,
+.Xr setitimer 2 ,
+.Xr sigaction 2 ,
+.Xr sigprocmask 2 ,
+.Xr sigreturn 2 ,
+.Xr umask 2 ,
+.Xr wait4 2 .
+.Ed
+.Pp
+Some system calls, when allowed, have restrictions applied to them:
+.Pp
+.Bl -tag -width "readlink(2)" -offset indent -compact
+.It Xr access 2
+May check for existence of
+.Pa /etc/localtime .
+.Pp
+.It Xr adjtime 2
+Read-only, for
+.Xr ntpd 8 .
+.Pp
+.It Xr chmod 2
+.It Xr fchmod 2
+.It Xr fchmodat 2
+.It Xr chown 2
+.It Xr lchown 2
+.It Xr fchown 2
+.It Xr fchownat 2
+Setuid/setgid/sticky bits are ignored.
+The user or group cannot be changed on a file.
+.Pp
+.It Xr mmap 2
+.It Xr mprotect 2
+.Dv PROT_EXEC
+isn't allowed.
+.Pp
+.It Xr open 2
+May open
+.Pa /etc/localtime ,
+any files below
+.Pa /usr/share/zoneinfo
+and files ending in
+.Pa libc.cat
+below the directory
+.Pa /usr/share/nls/ .
+.Pp
+.It Xr readlink 2
+May operate on
+.Pa /etc/malloc.conf .
+.Pp
+.It Xr sysctl 3
+A small set of read-only operations are allowed, sufficient to
+support:
+.Xr getdomainname 3 ,
+.Xr gethostname 3 ,
+.Xr getifaddrs 3 ,
+.Xr uname 3 ,
+system sensor readings.
+.Pp
+.It Xr pledge 2
+Can only reduce permissions; can only set a list of
+.Pa paths
+once.
+.El
+.Pp
+The
+.Ar request
+is specified as a string, with space separate keywords:
+.Bl -tag -width "tmppath" -offset indent
+.It Va "malloc"
+To allow use of the
+.Xr malloc 3
+family of functions, the following system calls are permitted:
+.Pp
+.Xr getentropy 2 ,
+.Xr madvise 2 ,
+.Xr minherit 2 ,
+.Xr mmap 2 ,
+.Xr mprotect 2 ,
+.Xr mquery 2 ,
+.Xr munmap 2 .
+.It Va "rw"
+The following system calls are permitted to allow most types of IO
+operations on previously allocated file descriptors, including
+libevent or handwritten async IO loops:
+.Pp
+.Xr poll 2 ,
+.Xr kevent 2 ,
+.Xr kqueue 2 ,
+.Xr select 2 ,
+.Xr close 2 ,
+.Xr dup 2 ,
+.Xr dup2 2 ,
+.Xr dup3 2 ,
+.Xr closefrom 2 ,
+.Xr shutdown 2 ,
+.Xr read 2 ,
+.Xr readv 2 ,
+.Xr pread 2 ,
+.Xr preadv 2 ,
+.Xr write 2 ,
+.Xr writev 2 ,
+.Xr pwrite 2 ,
+.Xr pwritev 2 ,
+.Xr ftruncate 2 ,
+.Xr lseek 2 ,
+.Xr fcntl 2 ,
+.Xr fsync 2 ,
+.Xr pipe 2 ,
+.Xr pipe2 2 ,
+.Xr socketpair 2 ,
+.Xr getdents 2 ,
+.Xr sendto 2 ,
+.Xr sendmsg 2 ,
+.Xr recvmsg 2 ,
+.Xr recvfrom 2 ,
+.Xr fstat 2 .
+.Pp
+Note that
+.Xr sendto 2
+is only permitted if its destination socket address is
+.Dv NULL .
+.It Va "stdio"
+This subset is simply the combination of
+.Va "malloc"
+and
+.Va "rw" .
+As a result, all the expected functionalities of libc
+stdio work.
+.It Va "rpath"
+A number of system calls are allowed if they only cause
+read-only effects on the filesystem:
+.Pp
+.Xr chdir 2 ,
+.Xr getcwd 3 ,
+.Xr openat 2 ,
+.Xr fstatat 2 ,
+.Xr faccessat 2 ,
+.Xr readlinkat 2 ,
+.Xr lstat 2 ,
+.Xr chmod 2 ,
+.Xr fchmod 2 ,
+.Xr fchmodat 2 ,
+.Xr chflags 2 ,
+.Xr chflagsat 2 ,
+.Xr chown 2 ,
+.Xr fchown 2 ,
+.Xr fchownat 2 ,
+.Xr fstat 2 ,
+.Xr getfsstat 2 .
+.It Va "wpath"
+A number of system calls are allowed and may cause
+write-effects on the filesystem:
+.Pp
+.Xr getcwd 3 ,
+.Xr openat 2 ,
+.Xr fstatat 2 ,
+.Xr faccessat 2 ,
+.Xr readlinkat 2 ,
+.Xr lstat 2 ,
+.Xr chmod 2 ,
+.Xr fchmod 2 ,
+.Xr fchmodat 2 ,
+.Xr chflags 2 ,
+.Xr chflagsat 2 ,
+.Xr chown 2 ,
+.Xr fchown 2 ,
+.Xr fchownat 2 ,
+.Xr fstat 2 .
+.It Va "cpath"
+A number of system calls and sub-modes are allowed, which may
+create new files or directories in the filesystem:
+.Pp
+.Xr rename 2 ,
+.Xr rmdir 2 ,
+.Xr renameat 2 ,
+.Xr link 2 ,
+.Xr linkat 2 ,
+.Xr symlink 2 ,
+.Xr unlink 2 ,
+.Xr unlinkat 2 ,
+.Xr mkdir 2 ,
+.Xr mkdirat 2 .
+.It Va "tmppath"
+A number of system calls are allowed to do operations in the
+.Pa /tmp
+directory, including create, read, or write:
+.Pp
+.Xr lstat 2 ,
+.Xr chmod 2 ,
+.Xr chflags 2 ,
+.Xr chown 2 ,
+.Xr unlink 2 ,
+.Xr fstat 2 .
+.It Va "inet"
+The following system calls are allowed to operate in the
+.Dv AF_INET
+and
+.Dv AF_INET6
+domains:
+.Pp
+.Xr socket 2 ,
+.Xr listen 2 ,
+.Xr bind 2 ,
+.Xr connect 2 ,
+.Xr accept4 2 ,
+.Xr accept 2 ,
+.Xr getpeername 2 ,
+.Xr getsockname 2 ,
+.Xr setsockopt 2 ,
+.Xr getsockopt 2 .
+.Pp
+.Xr setsockopt 2
+has been reduced in functionality substantially.
+.It Va "fattr"
+The following system calls are allowed to make explicit changes
+to fields in
+.Va struct stat
+relating to a file:
+.Pp
+.Xr utimes 2 ,
+.Xr futimes 2 ,
+.Xr utimensat 2 ,
+.Xr futimens 2 ,
+.Xr chmod 2 ,
+.Xr fchmod 2 ,
+.Xr fchmodat 2 ,
+.Xr chflags 2 ,
+.Xr chflagsat 2 ,
+.Xr chown 2 ,
+.Xr fchownat 2 ,
+.Xr lchown 2 ,
+.Xr fchown 2 ,
+.Xr utimes 2 .
+.It Va "unix"
+The following system calls are allowed to operate in the
+.Dv AF_UNIX
+domain:
+.Pp
+.Xr socket 2 ,
+.Xr listen 2 ,
+.Xr bind 2 ,
+.Xr connect 2 ,
+.Xr accept4 2 ,
+.Xr accept 2 ,
+.Xr getpeername 2 ,
+.Xr getsockname 2 ,
+.Xr setsockopt 2 ,
+.Xr getsockopt 2 .
+.It Va "dns"
+Subsequent to a successful
+.Xr open 2
+of
+.Pa /etc/resolv.conf ,
+a few system calls become able to allow DNS network transactions:
+.Pp
+.Xr sendto 2 ,
+.Xr recvfrom 2 ,
+.Xr socket 2 ,
+.Xr connect 2 .
+.It Va "getpw"
+This allows read-only opening of files in
+.Pa /etc
+for the
+.Xr getpwnam 3 ,
+.Xr getgrnam 3 ,
+.Xr getgrouplist 3 ,
+and
+.Xr initgroups 3
+family of functions.
+They may also need to operate in a
+.Xr yp 8
+environment, so a successful
+.Xr open 2
+of
+.Pa /var/run/ypbind.lock
+enables
+.Va "inet"
+operations.
+.It Va "cmsg"
+Allows passing of file descriptors using the
+.Xr sendmsg 2
+and
+.Xr recvmsg 2
+functions.
+.It Va "ioctl"
+Allows a subset of
+.Xr ioctl 2
+operations:
+.Pp
+.Dv FIOCLEX ,
+.Dv FIONCLEX ,
+.Dv FIONREAD ,
+.Dv FIONBIO ,
+.Dv FIOGETOWN ,
+.Dv TIOCGETA ,
+.Dv TIOCGPGRP ,
+.Dv TIOCGWINSZ ,
+.Dv TIOCSTI .
+.It Va "proc"
+Allows the following process relationship operations:
+.Pp
+.Xr fork 2 ,
+.Xr vfork 2 ,
+.Xr kill 2 ,
+.Xr setgroups 2 ,
+.Xr setresgid 2 ,
+.Xr setresuid 2 .
+.It Va "prot_exec"
+Allows the use of
+.Dv PROT_EXEC
+with
+.Xr mmap 2
+and
+.Xr mprotect 2 .
+.It Va "abort"
+Deliver an unblockable
+.Dv SIGABRT
+upon violation instead of
+.Dv SIGKILL .
+.El
+.Pp
+A whitelist of permitted paths may be provided in
+.Ar paths .
+All other paths will return
+.Er ENOENT .
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+.Fn pledge
+will fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+.Fa paths
+points outside the process's allocated address space.
+.It Bq Er ENAMETOOLONG
+An element of
+.Fa paths
+is too large, or prepending
+.Fa cwd
+to it would exceed
+.Dv PATH_MAX
+bytes.
+.It Bq Er EPERM
+This process is attempting to increase permissions.
+.It Bq Er E2BIG
+The
+.Ar paths
+array is too large, or the total number of bytes exceeds a
+system-imposed limit.
+The limit in the system as released is 262144 bytes
+.Pf ( Dv ARG_MAX ) .
+.El
+.Sh HISTORY
+The
+.Fn pledge
+system call appeared in
+.Ox 5.8 .
+.Sh CAVEATS
+It is not possible to
+.Xr systrace 4
+a
+.Fn pledge
+program.
diff --git a/lib/libc/sys/tame.2 b/lib/libc/sys/tame.2
deleted file mode 100644
index 5357435c6c8..00000000000
--- a/lib/libc/sys/tame.2
+++ /dev/null
@@ -1,456 +0,0 @@
-.\" $OpenBSD: tame.2,v 1.31 2015/10/04 20:47:16 djm Exp $
-.\"
-.\" Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 4 2015 $
-.Dt TAME 2
-.Os
-.Sh NAME
-.Nm tame
-.Nd restrict system operations
-.Sh SYNOPSIS
-.In unistd.h
-.Ft int
-.Fn tame "const char *request" "const char *paths[]"
-.Sh DESCRIPTION
-The current process is forced into a restricted-service operating mode.
-A few subsets are available, roughly described as computation, memory
-management, read-write operations on file descriptors, opening of files,
-networking.
-In general, these modes were selected by studying the operation
-of many programs using libc and other such interfaces, and setting
-.Ar request
-or
-.Ar paths .
-.Pp
-Use of
-.Fn tame
-in an application will require at least some study and understanding
-of the interfaces called.
-Subsequent calls to
-.Fn tame
-can reduce the abilities further, but abilities can never be regained.
-.Pp
-A process which attempts a restricted operation is killed with
-.Dv SIGKILL .
-If
-.Va "abort"
-is set, then a non-blockable
-.Dv SIGABRT
-is delivered instead, possibly resulting in a
-.Xr core 5
-file.
-.Pp
-A
-.Fa request
-value of "" restricts the process to the
-.Xr _exit 2
-system call.
-This can be used for pure computation operating on memory shared
-with another process.
-.Pp
-All
-.Dv requests
-below (with the exception of
-.Va "abort" )
-permit the following system calls:
-.Bd -ragged -offset indent
-.Xr clock_getres 2 ,
-.Xr clock_gettime 2 ,
-.Xr fchdir 2 ,
-.Xr getdtablecount 2 ,
-.Xr getegid 2 ,
-.Xr geteuid 2 ,
-.Xr getgid 2 ,
-.Xr getgroups 2 ,
-.Xr getitimer 2 ,
-.Xr getlogin 2 ,
-.Xr getpgid 2 ,
-.Xr getpgrp 2 ,
-.Xr getpid 2 ,
-.Xr getppid 2 ,
-.Xr getresgid 2 ,
-.Xr getresuid 2 ,
-.Xr getrlimit 2 ,
-.Xr getsid 2 ,
-.Xr getthrid 2 ,
-.Xr gettimeofday 2 ,
-.Xr getuid 2 ,
-.Xr getuid 2 ,
-.Xr issetugid 2 ,
-.Xr nanosleep 2 ,
-.Xr sendsyslog 2 ,
-.Xr setitimer 2 ,
-.Xr sigaction 2 ,
-.Xr sigprocmask 2 ,
-.Xr sigreturn 2 ,
-.Xr umask 2 ,
-.Xr wait4 2 .
-.Ed
-.Pp
-Some system calls, when allowed, have restrictions applied to them:
-.Pp
-.Bl -tag -width "readlink(2)" -offset indent -compact
-.It Xr access 2
-May check for existence of
-.Pa /etc/localtime .
-.Pp
-.It Xr adjtime 2
-Read-only, for
-.Xr ntpd 8 .
-.Pp
-.It Xr chmod 2
-.It Xr fchmod 2
-.It Xr fchmodat 2
-.It Xr chown 2
-.It Xr lchown 2
-.It Xr fchown 2
-.It Xr fchownat 2
-Setuid/setgid/sticky bits are ignored.
-The user or group cannot be changed on a file.
-.Pp
-.It Xr mmap 2
-.It Xr mprotect 2
-.Dv PROT_EXEC
-isn't allowed.
-.Pp
-.It Xr open 2
-May open
-.Pa /etc/localtime ,
-any files below
-.Pa /usr/share/zoneinfo
-and files ending in
-.Pa libc.cat
-below the directory
-.Pa /usr/share/nls/ .
-.Pp
-.It Xr readlink 2
-May operate on
-.Pa /etc/malloc.conf .
-.Pp
-.It Xr sysctl 3
-A small set of read-only operations are allowed, sufficient to
-support:
-.Xr getdomainname 3 ,
-.Xr gethostname 3 ,
-.Xr getifaddrs 3 ,
-.Xr uname 3 ,
-system sensor readings.
-.Pp
-.It Xr tame 2
-Can only reduce permissions; can only set a list of
-.Pa paths
-once.
-.El
-.Pp
-The
-.Ar request
-is specified as a string, with space separate keywords:
-.Bl -tag -width "tmppath" -offset indent
-.It Va "malloc"
-To allow use of the
-.Xr malloc 3
-family of functions, the following system calls are permitted:
-.Pp
-.Xr getentropy 2 ,
-.Xr madvise 2 ,
-.Xr minherit 2 ,
-.Xr mmap 2 ,
-.Xr mprotect 2 ,
-.Xr mquery 2 ,
-.Xr munmap 2 .
-.It Va "rw"
-The following system calls are permitted to allow most types of IO
-operations on previously allocated file descriptors, including
-libevent or handwritten async IO loops:
-.Pp
-.Xr poll 2 ,
-.Xr kevent 2 ,
-.Xr kqueue 2 ,
-.Xr select 2 ,
-.Xr close 2 ,
-.Xr dup 2 ,
-.Xr dup2 2 ,
-.Xr dup3 2 ,
-.Xr closefrom 2 ,
-.Xr shutdown 2 ,
-.Xr read 2 ,
-.Xr readv 2 ,
-.Xr pread 2 ,
-.Xr preadv 2 ,
-.Xr write 2 ,
-.Xr writev 2 ,
-.Xr pwrite 2 ,
-.Xr pwritev 2 ,
-.Xr ftruncate 2 ,
-.Xr lseek 2 ,
-.Xr fcntl 2 ,
-.Xr fsync 2 ,
-.Xr pipe 2 ,
-.Xr pipe2 2 ,
-.Xr socketpair 2 ,
-.Xr getdents 2 ,
-.Xr sendto 2 ,
-.Xr sendmsg 2 ,
-.Xr recvmsg 2 ,
-.Xr recvfrom 2 ,
-.Xr fstat 2 .
-.Pp
-Note that
-.Xr sendto 2
-is only permitted if its destination socket address is
-.Dv NULL .
-.It Va "stdio"
-This subset is simply the combination of
-.Va "malloc"
-and
-.Va "rw" .
-As a result, all the expected functionalities of libc
-stdio work.
-.It Va "rpath"
-A number of system calls are allowed if they only cause
-read-only effects on the filesystem:
-.Pp
-.Xr chdir 2 ,
-.Xr getcwd 3 ,
-.Xr openat 2 ,
-.Xr fstatat 2 ,
-.Xr faccessat 2 ,
-.Xr readlinkat 2 ,
-.Xr lstat 2 ,
-.Xr chmod 2 ,
-.Xr fchmod 2 ,
-.Xr fchmodat 2 ,
-.Xr chflags 2 ,
-.Xr chflagsat 2 ,
-.Xr chown 2 ,
-.Xr fchown 2 ,
-.Xr fchownat 2 ,
-.Xr fstat 2 ,
-.Xr getfsstat 2 .
-.It Va "wpath"
-A number of system calls are allowed and may cause
-write-effects on the filesystem:
-.Pp
-.Xr getcwd 3 ,
-.Xr openat 2 ,
-.Xr fstatat 2 ,
-.Xr faccessat 2 ,
-.Xr readlinkat 2 ,
-.Xr lstat 2 ,
-.Xr chmod 2 ,
-.Xr fchmod 2 ,
-.Xr fchmodat 2 ,
-.Xr chflags 2 ,
-.Xr chflagsat 2 ,
-.Xr chown 2 ,
-.Xr fchown 2 ,
-.Xr fchownat 2 ,
-.Xr fstat 2 .
-.It Va "cpath"
-A number of system calls and sub-modes are allowed, which may
-create new files or directories in the filesystem:
-.Pp
-.Xr rename 2 ,
-.Xr rmdir 2 ,
-.Xr renameat 2 ,
-.Xr link 2 ,
-.Xr linkat 2 ,
-.Xr symlink 2 ,
-.Xr unlink 2 ,
-.Xr unlinkat 2 ,
-.Xr mkdir 2 ,
-.Xr mkdirat 2 .
-.It Va "tmppath"
-A number of system calls are allowed to do operations in the
-.Pa /tmp
-directory, including create, read, or write:
-.Pp
-.Xr lstat 2 ,
-.Xr chmod 2 ,
-.Xr chflags 2 ,
-.Xr chown 2 ,
-.Xr unlink 2 ,
-.Xr fstat 2 .
-.It Va "inet"
-The following system calls are allowed to operate in the
-.Dv AF_INET
-and
-.Dv AF_INET6
-domains:
-.Pp
-.Xr socket 2 ,
-.Xr listen 2 ,
-.Xr bind 2 ,
-.Xr connect 2 ,
-.Xr accept4 2 ,
-.Xr accept 2 ,
-.Xr getpeername 2 ,
-.Xr getsockname 2 ,
-.Xr setsockopt 2 ,
-.Xr getsockopt 2 .
-.Pp
-.Xr setsockopt 2
-has been reduced in functionality substantially.
-.It Va "fattr"
-The following system calls are allowed to make explicit changes
-to fields in
-.Va struct stat
-relating to a file:
-.Pp
-.Xr utimes 2 ,
-.Xr futimes 2 ,
-.Xr utimensat 2 ,
-.Xr futimens 2 ,
-.Xr chmod 2 ,
-.Xr fchmod 2 ,
-.Xr fchmodat 2 ,
-.Xr chflags 2 ,
-.Xr chflagsat 2 ,
-.Xr chown 2 ,
-.Xr fchownat 2 ,
-.Xr lchown 2 ,
-.Xr fchown 2 ,
-.Xr utimes 2 .
-.It Va "unix"
-The following system calls are allowed to operate in the
-.Dv AF_UNIX
-domain:
-.Pp
-.Xr socket 2 ,
-.Xr listen 2 ,
-.Xr bind 2 ,
-.Xr connect 2 ,
-.Xr accept4 2 ,
-.Xr accept 2 ,
-.Xr getpeername 2 ,
-.Xr getsockname 2 ,
-.Xr setsockopt 2 ,
-.Xr getsockopt 2 .
-.It Va "dns"
-Subsequent to a successful
-.Xr open 2
-of
-.Pa /etc/resolv.conf ,
-a few system calls become able to allow DNS network transactions:
-.Pp
-.Xr sendto 2 ,
-.Xr recvfrom 2 ,
-.Xr socket 2 ,
-.Xr connect 2 .
-.It Va "getpw"
-This allows read-only opening of files in
-.Pa /etc
-for the
-.Xr getpwnam 3 ,
-.Xr getgrnam 3 ,
-.Xr getgrouplist 3 ,
-and
-.Xr initgroups 3
-family of functions.
-They may also need to operate in a
-.Xr yp 8
-environment, so a successful
-.Xr open 2
-of
-.Pa /var/run/ypbind.lock
-enables
-.Va "inet"
-operations.
-.It Va "cmsg"
-Allows passing of file descriptors using the
-.Xr sendmsg 2
-and
-.Xr recvmsg 2
-functions.
-.It Va "ioctl"
-Allows a subset of
-.Xr ioctl 2
-operations:
-.Pp
-.Dv FIOCLEX ,
-.Dv FIONCLEX ,
-.Dv FIONREAD ,
-.Dv FIONBIO ,
-.Dv FIOGETOWN ,
-.Dv TIOCGETA ,
-.Dv TIOCGPGRP ,
-.Dv TIOCGWINSZ ,
-.Dv TIOCSTI .
-.It Va "proc"
-Allows the following process relationship operations:
-.Pp
-.Xr fork 2 ,
-.Xr vfork 2 ,
-.Xr kill 2 ,
-.Xr setgroups 2 ,
-.Xr setresgid 2 ,
-.Xr setresuid 2 .
-.It Va "prot_exec"
-Allows the use of
-.Dv PROT_EXEC
-with
-.Xr mmap 2
-and
-.Xr mprotect 2 .
-.It Va "abort"
-Deliver an unblockable
-.Dv SIGABRT
-upon violation instead of
-.Dv SIGKILL .
-.El
-.Pp
-A whitelist of permitted paths may be provided in
-.Ar paths .
-All other paths will return
-.Er ENOENT .
-.Sh RETURN VALUES
-.Rv -std
-.Sh ERRORS
-.Fn tame
-will fail if:
-.Bl -tag -width Er
-.It Bq Er EFAULT
-.Fa paths
-points outside the process's allocated address space.
-.It Bq Er ENAMETOOLONG
-An element of
-.Fa paths
-is too large, or prepending
-.Fa cwd
-to it would exceed
-.Dv PATH_MAX
-bytes.
-.It Bq Er EPERM
-This process is attempting to increase permissions.
-.It Bq Er E2BIG
-The
-.Ar paths
-array is too large, or the total number of bytes exceeds a
-system-imposed limit.
-The limit in the system as released is 262144 bytes
-.Pf ( Dv ARG_MAX ) .
-.El
-.Sh HISTORY
-The
-.Fn tame
-system call appeared in
-.Ox 5.8 .
-.Sh CAVEATS
-It is not possible to
-.Xr systrace 4
-a
-.Fn tame
-program.
diff --git a/lib/libc/sys/tame.c b/lib/libc/sys/tame.c
new file mode 100644
index 00000000000..4774a17afeb
--- /dev/null
+++ b/lib/libc/sys/tame.c
@@ -0,0 +1,17 @@
+/*	$OpenBSD: tame.c,v 1.1 2015/10/09 01:24:57 deraadt Exp $	*/
+/*
+ *	Written by Artur Grabowski <art@openbsd.org> Public Domain
+ */
+
+#include <sys/types.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+int tame(const char *req, const char **paths);
+
+int
+tame(const char *req, const char **paths)
+{
+	return (pledge(req, paths));
+}
+DEF_WEAK(mquery);