From: deraadt Date: Fri, 9 Oct 2015 01:10:27 +0000 (+0000) Subject: Rename tame() to pledge(). This fairly interface has evolved to be more X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=df174574d401c5c122a73e20e0b23ac91a73c4b1;p=openbsd Rename tame() to pledge(). This fairly interface has evolved to be more strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price. --- diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 8c2287bc428..d47f2520e4e 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_exec.c,v 1.167 2015/10/07 03:47:43 deraadt Exp $ */ +/* $OpenBSD: kern_exec.c,v 1.168 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */ /*- @@ -53,7 +53,7 @@ #include #include #include -#include +#include #ifdef SYSVSHM #include #endif @@ -551,8 +551,8 @@ sys_execve(struct proc *p, void *v, register_t *retval) else atomic_clearbits_int(&pr->ps_flags, PS_SUGIDEXEC); - atomic_clearbits_int(&pr->ps_flags, PS_TAMED); - tame_dropwpaths(pr); + atomic_clearbits_int(&pr->ps_flags, PS_PLEDGE); + pledge_dropwpaths(pr); /* * deal with set[ug]id. diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index bb9d1aaf774..9b3e397f182 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_exit.c,v 1.153 2015/10/07 03:47:43 deraadt Exp $ */ +/* $OpenBSD: kern_exit.c,v 1.154 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: kern_exit.c,v 1.39 1996/04/22 01:38:25 christos Exp $ */ /* @@ -60,7 +60,7 @@ #include #include #include -#include +#include #ifdef SYSVSEM #include #endif @@ -650,7 +650,7 @@ process_zap(struct process *pr) */ (void)chgproccnt(pr->ps_ucred->cr_ruid, -1); - tame_dropwpaths(pr); + pledge_dropwpaths(pr); /* * Release reference to text vnode diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index 516ab090808..cbbb54c708a 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_fork.c,v 1.183 2015/09/11 08:22:31 guenther Exp $ */ +/* $OpenBSD: kern_fork.c,v 1.184 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: kern_fork.c,v 1.29 1996/02/09 18:59:34 christos Exp $ */ /* @@ -58,7 +58,7 @@ #include #include #include -#include +#include #include #include @@ -204,7 +204,7 @@ process_new(struct proc *p, struct process *parent, int flags) if (pr->ps_textvp) vref(pr->ps_textvp); - pr->ps_flags = parent->ps_flags & (PS_SUGID | PS_SUGIDEXEC | PS_TAMED); + pr->ps_flags = parent->ps_flags & (PS_SUGID | PS_SUGIDEXEC | PS_PLEDGE); if (parent->ps_session->s_ttyvp != NULL) pr->ps_flags |= parent->ps_flags & PS_CONTROLT; @@ -225,8 +225,8 @@ process_new(struct proc *p, struct process *parent, int flags) else pr->ps_vmspace = uvmspace_fork(parent); - if (pr->ps_tamepaths) - pr->ps_tamepaths->wl_ref++; + if (pr->ps_pledgepaths) + pr->ps_pledgepaths->wl_ref++; if (parent->ps_flags & PS_PROFIL) startprofclock(pr); diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c index 1fed1fa84b8..5d34952665c 100644 --- a/sys/kern/kern_ktrace.c +++ b/sys/kern/kern_ktrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_ktrace.c,v 1.79 2015/10/02 05:07:41 guenther Exp $ */ +/* $OpenBSD: kern_ktrace.c,v 1.80 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: kern_ktrace.c,v 1.23 1996/02/09 18:59:36 christos Exp $ */ /* @@ -429,7 +429,7 @@ sys_ktrace(struct proc *p, void *v, register_t *retval) * an operation which requires a file argument. */ cred = p->p_ucred; - p->p_tamenote = TMN_CPATH; + p->p_pledgenote = TMN_CPATH; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, fname), p); if ((error = vn_open(&nd, FREAD|FWRITE|O_NOFOLLOW, 0)) != 0) diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index 8afc60219ee..87a85a1958d 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_sig.c,v 1.183 2015/07/27 18:22:37 deraadt Exp $ */ +/* $OpenBSD: kern_sig.c,v 1.184 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $ */ /* @@ -1517,7 +1517,7 @@ coredump(struct proc *p) cred->cr_gid = 0; } - p->p_tamenote = TMN_COREDUMP; + p->p_pledgenote = TMN_COREDUMP; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p); error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR); diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c index 3a716b0ac6a..b5258b5309c 100644 --- a/sys/kern/kern_sysctl.c +++ b/sys/kern/kern_sysctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_sysctl.c,v 1.295 2015/09/28 16:59:35 deraadt Exp $ */ +/* $OpenBSD: kern_sysctl.c,v 1.296 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */ /*- @@ -69,7 +69,7 @@ #include #include #include -#include +#include #include #include #include @@ -174,8 +174,8 @@ sys_sysctl(struct proc *p, void *v, register_t *retval) if (error) return (error); - if (tame_sysctl_check(p, SCARG(uap, namelen), name, SCARG(uap, new))) - return (tame_fail(p, EPERM, TAME_SELF)); + if (pledge_sysctl_check(p, SCARG(uap, namelen), name, SCARG(uap, new))) + return (pledge_fail(p, EPERM, PLEDGE_SELF)); switch (name[0]) { case CTL_KERN: diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c index 3e7525f20ab..3ccb09989f8 100644 --- a/sys/kern/kern_tame.c +++ b/sys/kern/kern_tame.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_tame.c,v 1.70 2015/10/08 17:29:43 deraadt Exp $ */ +/* $OpenBSD: kern_tame.c,v 1.71 2015/10/09 01:10:27 deraadt Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott @@ -44,215 +44,215 @@ #include #include #include -#include +#include int canonpath(const char *input, char *buf, size_t bufsize); -const u_int tame_syscalls[SYS_MAXSYSCALL] = { +const u_int pledge_syscalls[SYS_MAXSYSCALL] = { [SYS_exit] = 0xffffffff, [SYS_kbind] = 0xffffffff, - [SYS_getuid] = TAME_SELF, - [SYS_geteuid] = TAME_SELF, - [SYS_getresuid] = TAME_SELF, - [SYS_getgid] = TAME_SELF, - [SYS_getegid] = TAME_SELF, - [SYS_getresgid] = TAME_SELF, - [SYS_getgroups] = TAME_SELF, - [SYS_getlogin] = TAME_SELF, - [SYS_getpgrp] = TAME_SELF, - [SYS_getpgid] = TAME_SELF, - [SYS_getppid] = TAME_SELF, - [SYS_getsid] = TAME_SELF, - [SYS_getthrid] = TAME_SELF, - [SYS_getrlimit] = TAME_SELF, - [SYS_gettimeofday] = TAME_SELF, - [SYS_getdtablecount] = TAME_SELF, - [SYS_getrusage] = TAME_SELF, - [SYS_issetugid] = TAME_SELF, - [SYS_clock_getres] = TAME_SELF, - [SYS_clock_gettime] = TAME_SELF, - [SYS_getpid] = TAME_SELF, - [SYS_umask] = TAME_SELF, - [SYS_sysctl] = TAME_SELF, /* read-only; narrow subset */ - [SYS_adjtime] = TAME_SELF, /* read-only */ - - [SYS_fchdir] = TAME_SELF, /* careful of directory fd inside jails */ + [SYS_getuid] = PLEDGE_SELF, + [SYS_geteuid] = PLEDGE_SELF, + [SYS_getresuid] = PLEDGE_SELF, + [SYS_getgid] = PLEDGE_SELF, + [SYS_getegid] = PLEDGE_SELF, + [SYS_getresgid] = PLEDGE_SELF, + [SYS_getgroups] = PLEDGE_SELF, + [SYS_getlogin] = PLEDGE_SELF, + [SYS_getpgrp] = PLEDGE_SELF, + [SYS_getpgid] = PLEDGE_SELF, + [SYS_getppid] = PLEDGE_SELF, + [SYS_getsid] = PLEDGE_SELF, + [SYS_getthrid] = PLEDGE_SELF, + [SYS_getrlimit] = PLEDGE_SELF, + [SYS_gettimeofday] = PLEDGE_SELF, + [SYS_getdtablecount] = PLEDGE_SELF, + [SYS_getrusage] = PLEDGE_SELF, + [SYS_issetugid] = PLEDGE_SELF, + [SYS_clock_getres] = PLEDGE_SELF, + [SYS_clock_gettime] = PLEDGE_SELF, + [SYS_getpid] = PLEDGE_SELF, + [SYS_umask] = PLEDGE_SELF, + [SYS_sysctl] = PLEDGE_SELF, /* read-only; narrow subset */ + [SYS_adjtime] = PLEDGE_SELF, /* read-only */ + + [SYS_fchdir] = PLEDGE_SELF, /* careful of directory fd inside jails */ /* needed by threaded programs */ - [SYS_sched_yield] = TAME_SELF, - [SYS___thrsleep] = TAME_SELF, - [SYS___thrwakeup] = TAME_SELF, - [SYS___threxit] = TAME_SELF, - [SYS___thrsigdivert] = TAME_SELF, - - [SYS_sendsyslog] = TAME_SELF, - [SYS_nanosleep] = TAME_SELF, - [SYS_sigprocmask] = TAME_SELF, - [SYS_sigaction] = TAME_SELF, - [SYS_sigreturn] = TAME_SELF, - [SYS_sigpending] = TAME_SELF, - [SYS_getitimer] = TAME_SELF, - [SYS_setitimer] = TAME_SELF, - - [SYS_tame] = TAME_SELF, - - [SYS_wait4] = TAME_SELF, - - [SYS_poll] = TAME_RW, - [SYS_kevent] = TAME_RW, - [SYS_kqueue] = TAME_RW, - [SYS_select] = TAME_RW, - - [SYS_close] = TAME_RW, - [SYS_dup] = TAME_RW, - [SYS_dup2] = TAME_RW, - [SYS_dup3] = TAME_RW, - [SYS_closefrom] = TAME_RW, - [SYS_shutdown] = TAME_RW, - [SYS_read] = TAME_RW, - [SYS_readv] = TAME_RW, - [SYS_pread] = TAME_RW, - [SYS_preadv] = TAME_RW, - [SYS_write] = TAME_RW, - [SYS_writev] = TAME_RW, - [SYS_pwrite] = TAME_RW, - [SYS_pwritev] = TAME_RW, - [SYS_ftruncate] = TAME_RW, - [SYS_lseek] = TAME_RW, - [SYS_fstat] = TAME_RW, - - [SYS_fcntl] = TAME_RW, - [SYS_fsync] = TAME_RW, - [SYS_pipe] = TAME_RW, - [SYS_pipe2] = TAME_RW, - [SYS_socketpair] = TAME_RW, - [SYS_getdents] = TAME_RW, - - [SYS_sendto] = TAME_RW | TAME_DNS_ACTIVE | TAME_YP_ACTIVE, - [SYS_sendmsg] = TAME_RW, - [SYS_recvmsg] = TAME_RW, - [SYS_recvfrom] = TAME_RW | TAME_DNS_ACTIVE | TAME_YP_ACTIVE, - - [SYS_fork] = TAME_PROC, - [SYS_vfork] = TAME_PROC, - [SYS_kill] = TAME_PROC, - [SYS_setpgid] = TAME_PROC, - [SYS_sigsuspend] = TAME_PROC, - [SYS_setrlimit] = TAME_PROC, - - [SYS_execve] = TAME_EXEC, - - [SYS_setgroups] = TAME_PROC, - [SYS_setresgid] = TAME_PROC, - [SYS_setresuid] = TAME_PROC, - - /* FIONREAD/FIONBIO, plus further checks in tame_ioctl_check() */ - [SYS_ioctl] = TAME_RW | TAME_IOCTL | TAME_TTY, - - [SYS_getentropy] = TAME_MALLOC, - [SYS_madvise] = TAME_MALLOC, - [SYS_minherit] = TAME_MALLOC, - [SYS_mmap] = TAME_MALLOC, - [SYS_mprotect] = TAME_MALLOC, - [SYS_mquery] = TAME_MALLOC, - [SYS_munmap] = TAME_MALLOC, - - [SYS_open] = TAME_SELF, /* further checks in namei */ - [SYS_stat] = TAME_SELF, /* further checks in namei */ - [SYS_access] = TAME_SELF, /* further checks in namei */ - [SYS_readlink] = TAME_SELF, /* further checks in namei */ - - [SYS_chdir] = TAME_RPATH, - [SYS_openat] = TAME_RPATH | TAME_WPATH, - [SYS_fstatat] = TAME_RPATH | TAME_WPATH, - [SYS_faccessat] = TAME_RPATH | TAME_WPATH, - [SYS_readlinkat] = TAME_RPATH | TAME_WPATH, - [SYS_lstat] = TAME_RPATH | TAME_WPATH | TAME_TMPPATH, - [SYS_rename] = TAME_CPATH, - [SYS_rmdir] = TAME_CPATH, - [SYS_renameat] = TAME_CPATH, - [SYS_link] = TAME_CPATH, - [SYS_linkat] = TAME_CPATH, - [SYS_symlink] = TAME_CPATH, - [SYS_unlink] = TAME_CPATH | TAME_TMPPATH, - [SYS_unlinkat] = TAME_CPATH, - [SYS_mkdir] = TAME_CPATH, - [SYS_mkdirat] = TAME_CPATH, + [SYS_sched_yield] = PLEDGE_SELF, + [SYS___thrsleep] = PLEDGE_SELF, + [SYS___thrwakeup] = PLEDGE_SELF, + [SYS___threxit] = PLEDGE_SELF, + [SYS___thrsigdivert] = PLEDGE_SELF, + + [SYS_sendsyslog] = PLEDGE_SELF, + [SYS_nanosleep] = PLEDGE_SELF, + [SYS_sigprocmask] = PLEDGE_SELF, + [SYS_sigaction] = PLEDGE_SELF, + [SYS_sigreturn] = PLEDGE_SELF, + [SYS_sigpending] = PLEDGE_SELF, + [SYS_getitimer] = PLEDGE_SELF, + [SYS_setitimer] = PLEDGE_SELF, + + [SYS_pledge] = PLEDGE_SELF, + + [SYS_wait4] = PLEDGE_SELF, + + [SYS_poll] = PLEDGE_RW, + [SYS_kevent] = PLEDGE_RW, + [SYS_kqueue] = PLEDGE_RW, + [SYS_select] = PLEDGE_RW, + + [SYS_close] = PLEDGE_RW, + [SYS_dup] = PLEDGE_RW, + [SYS_dup2] = PLEDGE_RW, + [SYS_dup3] = PLEDGE_RW, + [SYS_closefrom] = PLEDGE_RW, + [SYS_shutdown] = PLEDGE_RW, + [SYS_read] = PLEDGE_RW, + [SYS_readv] = PLEDGE_RW, + [SYS_pread] = PLEDGE_RW, + [SYS_preadv] = PLEDGE_RW, + [SYS_write] = PLEDGE_RW, + [SYS_writev] = PLEDGE_RW, + [SYS_pwrite] = PLEDGE_RW, + [SYS_pwritev] = PLEDGE_RW, + [SYS_ftruncate] = PLEDGE_RW, + [SYS_lseek] = PLEDGE_RW, + [SYS_fstat] = PLEDGE_RW, + + [SYS_fcntl] = PLEDGE_RW, + [SYS_fsync] = PLEDGE_RW, + [SYS_pipe] = PLEDGE_RW, + [SYS_pipe2] = PLEDGE_RW, + [SYS_socketpair] = PLEDGE_RW, + [SYS_getdents] = PLEDGE_RW, + + [SYS_sendto] = PLEDGE_RW | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE, + [SYS_sendmsg] = PLEDGE_RW, + [SYS_recvmsg] = PLEDGE_RW, + [SYS_recvfrom] = PLEDGE_RW | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE, + + [SYS_fork] = PLEDGE_PROC, + [SYS_vfork] = PLEDGE_PROC, + [SYS_kill] = PLEDGE_PROC, + [SYS_setpgid] = PLEDGE_PROC, + [SYS_sigsuspend] = PLEDGE_PROC, + [SYS_setrlimit] = PLEDGE_PROC, + + [SYS_execve] = PLEDGE_EXEC, + + [SYS_setgroups] = PLEDGE_PROC, + [SYS_setresgid] = PLEDGE_PROC, + [SYS_setresuid] = PLEDGE_PROC, + + /* FIONREAD/FIONBIO, plus further checks in pledge_ioctl_check() */ + [SYS_ioctl] = PLEDGE_RW | PLEDGE_IOCTL | PLEDGE_TTY, + + [SYS_getentropy] = PLEDGE_MALLOC, + [SYS_madvise] = PLEDGE_MALLOC, + [SYS_minherit] = PLEDGE_MALLOC, + [SYS_mmap] = PLEDGE_MALLOC, + [SYS_mprotect] = PLEDGE_MALLOC, + [SYS_mquery] = PLEDGE_MALLOC, + [SYS_munmap] = PLEDGE_MALLOC, + + [SYS_open] = PLEDGE_SELF, /* further checks in namei */ + [SYS_stat] = PLEDGE_SELF, /* further checks in namei */ + [SYS_access] = PLEDGE_SELF, /* further checks in namei */ + [SYS_readlink] = PLEDGE_SELF, /* further checks in namei */ + + [SYS_chdir] = PLEDGE_RPATH, + [SYS_openat] = PLEDGE_RPATH | PLEDGE_WPATH, + [SYS_fstatat] = PLEDGE_RPATH | PLEDGE_WPATH, + [SYS_faccessat] = PLEDGE_RPATH | PLEDGE_WPATH, + [SYS_readlinkat] = PLEDGE_RPATH | PLEDGE_WPATH, + [SYS_lstat] = PLEDGE_RPATH | PLEDGE_WPATH | PLEDGE_TMPPATH, + [SYS_rename] = PLEDGE_CPATH, + [SYS_rmdir] = PLEDGE_CPATH, + [SYS_renameat] = PLEDGE_CPATH, + [SYS_link] = PLEDGE_CPATH, + [SYS_linkat] = PLEDGE_CPATH, + [SYS_symlink] = PLEDGE_CPATH, + [SYS_unlink] = PLEDGE_CPATH | PLEDGE_TMPPATH, + [SYS_unlinkat] = PLEDGE_CPATH, + [SYS_mkdir] = PLEDGE_CPATH, + [SYS_mkdirat] = PLEDGE_CPATH, /* * Classify as RPATH|WPATH, because of path information leakage. * WPATH due to unknown use of mk*temp(3) on non-/tmp paths.. */ - [SYS___getcwd] = TAME_RPATH | TAME_WPATH, + [SYS___getcwd] = PLEDGE_RPATH | PLEDGE_WPATH, /* Classify as RPATH, because these leak path information */ - [SYS_getfsstat] = TAME_RPATH, - [SYS_statfs] = TAME_RPATH, - [SYS_fstatfs] = TAME_RPATH, - - [SYS_utimes] = TAME_FATTR, - [SYS_futimes] = TAME_FATTR, - [SYS_utimensat] = TAME_FATTR, - [SYS_futimens] = TAME_FATTR, - [SYS_chmod] = TAME_FATTR, - [SYS_fchmod] = TAME_FATTR, - [SYS_fchmodat] = TAME_FATTR, - [SYS_chflags] = TAME_FATTR, - [SYS_chflagsat] = TAME_FATTR, - [SYS_chown] = TAME_FATTR, - [SYS_fchownat] = TAME_FATTR, - [SYS_lchown] = TAME_FATTR, - [SYS_fchown] = TAME_FATTR, - - [SYS_socket] = TAME_INET | TAME_UNIX | TAME_DNS_ACTIVE | TAME_YP_ACTIVE, - [SYS_connect] = TAME_INET | TAME_UNIX | TAME_DNS_ACTIVE | TAME_YP_ACTIVE, - - [SYS_listen] = TAME_INET | TAME_UNIX, - [SYS_bind] = TAME_INET | TAME_UNIX, - [SYS_accept4] = TAME_INET | TAME_UNIX, - [SYS_accept] = TAME_INET | TAME_UNIX, - [SYS_getpeername] = TAME_INET | TAME_UNIX, - [SYS_getsockname] = TAME_INET | TAME_UNIX, - [SYS_setsockopt] = TAME_INET | TAME_UNIX, - [SYS_getsockopt] = TAME_INET | TAME_UNIX, - - [SYS_flock] = TAME_GETPW, + [SYS_getfsstat] = PLEDGE_RPATH, + [SYS_statfs] = PLEDGE_RPATH, + [SYS_fstatfs] = PLEDGE_RPATH, + + [SYS_utimes] = PLEDGE_FATTR, + [SYS_futimes] = PLEDGE_FATTR, + [SYS_utimensat] = PLEDGE_FATTR, + [SYS_futimens] = PLEDGE_FATTR, + [SYS_chmod] = PLEDGE_FATTR, + [SYS_fchmod] = PLEDGE_FATTR, + [SYS_fchmodat] = PLEDGE_FATTR, + [SYS_chflags] = PLEDGE_FATTR, + [SYS_chflagsat] = PLEDGE_FATTR, + [SYS_chown] = PLEDGE_FATTR, + [SYS_fchownat] = PLEDGE_FATTR, + [SYS_lchown] = PLEDGE_FATTR, + [SYS_fchown] = PLEDGE_FATTR, + + [SYS_socket] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE, + [SYS_connect] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS_ACTIVE | PLEDGE_YP_ACTIVE, + + [SYS_listen] = PLEDGE_INET | PLEDGE_UNIX, + [SYS_bind] = PLEDGE_INET | PLEDGE_UNIX, + [SYS_accept4] = PLEDGE_INET | PLEDGE_UNIX, + [SYS_accept] = PLEDGE_INET | PLEDGE_UNIX, + [SYS_getpeername] = PLEDGE_INET | PLEDGE_UNIX, + [SYS_getsockname] = PLEDGE_INET | PLEDGE_UNIX, + [SYS_setsockopt] = PLEDGE_INET | PLEDGE_UNIX, + [SYS_getsockopt] = PLEDGE_INET | PLEDGE_UNIX, + + [SYS_flock] = PLEDGE_GETPW, }; static const struct { char *name; int flags; -} tamereq[] = { - { "malloc", TAME_SELF | TAME_MALLOC }, - { "rw", TAME_SELF | TAME_RW }, - { "stdio", TAME_SELF | TAME_MALLOC | TAME_RW }, - { "rpath", TAME_SELF | TAME_RW | TAME_RPATH }, - { "wpath", TAME_SELF | TAME_RW | TAME_WPATH }, - { "tmppath", TAME_SELF | TAME_RW | TAME_TMPPATH }, - { "inet", TAME_SELF | TAME_RW | TAME_INET }, - { "unix", TAME_SELF | TAME_RW | TAME_UNIX }, - { "dns", TAME_SELF | TAME_MALLOC | TAME_DNSPATH }, - { "getpw", TAME_SELF | TAME_MALLOC | TAME_RW | TAME_GETPW }, -/*X*/ { "cmsg", TAME_UNIX | TAME_INET | TAME_SENDFD | TAME_RECVFD }, - { "sendfd", TAME_RW | TAME_SENDFD }, - { "recvfd", TAME_RW | TAME_RECVFD }, - { "ioctl", TAME_IOCTL }, - { "route", TAME_ROUTE }, - { "mcast", TAME_MCAST }, - { "tty", TAME_TTY }, - { "proc", TAME_PROC }, - { "exec", TAME_EXEC }, - { "cpath", TAME_CPATH }, - { "abort", TAME_ABORT }, - { "fattr", TAME_FATTR }, - { "prot_exec", TAME_PROTEXEC }, +} pledgereq[] = { + { "malloc", PLEDGE_SELF | PLEDGE_MALLOC }, + { "rw", PLEDGE_SELF | PLEDGE_RW }, + { "stdio", PLEDGE_SELF | PLEDGE_MALLOC | PLEDGE_RW }, + { "rpath", PLEDGE_SELF | PLEDGE_RW | PLEDGE_RPATH }, + { "wpath", PLEDGE_SELF | PLEDGE_RW | PLEDGE_WPATH }, + { "tmppath", PLEDGE_SELF | PLEDGE_RW | PLEDGE_TMPPATH }, + { "inet", PLEDGE_SELF | PLEDGE_RW | PLEDGE_INET }, + { "unix", PLEDGE_SELF | PLEDGE_RW | PLEDGE_UNIX }, + { "dns", PLEDGE_SELF | PLEDGE_MALLOC | PLEDGE_DNSPATH }, + { "getpw", PLEDGE_SELF | PLEDGE_MALLOC | PLEDGE_RW | PLEDGE_GETPW }, +/*X*/ { "cmsg", PLEDGE_UNIX | PLEDGE_INET | PLEDGE_SENDFD | PLEDGE_RECVFD }, + { "sendfd", PLEDGE_RW | PLEDGE_SENDFD }, + { "recvfd", PLEDGE_RW | PLEDGE_RECVFD }, + { "ioctl", PLEDGE_IOCTL }, + { "route", PLEDGE_ROUTE }, + { "mcast", PLEDGE_MCAST }, + { "tty", PLEDGE_TTY }, + { "proc", PLEDGE_PROC }, + { "exec", PLEDGE_EXEC }, + { "cpath", PLEDGE_CPATH }, + { "abort", PLEDGE_ABORT }, + { "fattr", PLEDGE_FATTR }, + { "prot_exec", PLEDGE_PROTEXEC }, }; int -sys_tame(struct proc *p, void *v, register_t *retval) +sys_pledge(struct proc *p, void *v, register_t *retval) { - struct sys_tame_args /* { + struct sys_pledge_args /* { syscallarg(const char *)request; syscallarg(const char **)paths; } */ *uap = v; @@ -273,7 +273,7 @@ sys_tame(struct proc *p, void *v, register_t *retval) } #ifdef KTRACE if (KTRPOINT(p, KTR_STRUCT)) - ktrstruct(p, "tamereq", rbuf, rbuflen-1); + ktrstruct(p, "pledgereq", rbuf, rbuflen-1); #endif for (rp = rbuf; rp && *rp && error == 0; rp = pn) { @@ -283,9 +283,9 @@ sys_tame(struct proc *p, void *v, register_t *retval) *pn++ = '\0'; } - for (f = i = 0; i < nitems(tamereq); i++) { - if (strcmp(rp, tamereq[i].name) == 0) { - f = tamereq[i].flags; + for (f = i = 0; i < nitems(pledgereq); i++) { + if (strcmp(rp, pledgereq[i].name) == 0) { + f = pledgereq[i].flags; break; } } @@ -298,18 +298,18 @@ sys_tame(struct proc *p, void *v, register_t *retval) free(rbuf, M_TEMP, MAXPATHLEN); } - if (flags & ~TAME_USERSET) + if (flags & ~PLEDGE_USERSET) return (EINVAL); - if ((p->p_p->ps_flags & PS_TAMED)) { - /* Already tamed, only allow reductions */ - if (((flags | p->p_p->ps_tame) & TAME_USERSET) != - (p->p_p->ps_tame & TAME_USERSET)) { + if ((p->p_p->ps_flags & PS_PLEDGE)) { + /* Already pledged, only allow reductions */ + if (((flags | p->p_p->ps_pledge) & PLEDGE_USERSET) != + (p->p_p->ps_pledge & PLEDGE_USERSET)) { return (EPERM); } - flags &= p->p_p->ps_tame; - flags &= TAME_USERSET; /* Relearn _ACTIVE */ + flags &= p->p_p->ps_pledge; + flags &= PLEDGE_USERSET; /* Relearn _ACTIVE */ } if (SCARG(uap, paths)) { @@ -319,17 +319,17 @@ sys_tame(struct proc *p, void *v, register_t *retval) size_t cwdpathlen = MAXPATHLEN * 4, cwdlen, len, maxargs = 0; int i, error; - if (p->p_p->ps_tamepaths) + if (p->p_p->ps_pledgepaths) return (EPERM); /* Count paths */ - for (i = 0; i < TAME_MAXPATHS; i++) { + for (i = 0; i < PLEDGE_MAXPATHS; i++) { if ((error = copyin(u + i, &sp, sizeof(sp))) != 0) return (error); if (sp == NULL) break; } - if (i == TAME_MAXPATHS) + if (i == PLEDGE_MAXPATHS) return (E2BIG); wl = malloc(sizeof *wl + sizeof(struct whitepath) * (i+1), @@ -353,7 +353,7 @@ sys_tame(struct proc *p, void *v, register_t *retval) break; #ifdef KTRACE if (KTRPOINT(p, KTR_STRUCT)) - ktrstruct(p, "tamepath", path, len-1); + ktrstruct(p, "pledgepath", path, len-1); #endif /* If path is relative, prepend cwd */ @@ -383,7 +383,7 @@ sys_tame(struct proc *p, void *v, register_t *retval) } builtpath = malloc(builtlen, M_TEMP, M_WAITOK); snprintf(builtpath, builtlen, "%s/%s", cwd, path); - // printf("tame: builtpath = %s\n", builtpath); + // printf("pledge: builtpath = %s\n", builtpath); fullpath = builtpath; } else fullpath = path; @@ -399,7 +399,7 @@ sys_tame(struct proc *p, void *v, register_t *retval) len = strlen(canopath) + 1; - //printf("tame: canopath = %s %lld strlen %lld\n", canopath, + //printf("pledge: canopath = %s %lld strlen %lld\n", canopath, // (long long)len, (long long)strlen(canopath)); if (maxargs += len > ARG_MAX) { @@ -421,40 +421,40 @@ sys_tame(struct proc *p, void *v, register_t *retval) free(wl, M_TEMP, wl->wl_size); return (error); } - p->p_p->ps_tamepaths = wl; + p->p_p->ps_pledgepaths = wl; #if 0 - printf("tame: %s(%d): paths loaded:\n", p->p_comm, p->p_pid); + printf("pledge: %s(%d): paths loaded:\n", p->p_comm, p->p_pid); for (i = 0; i < wl->wl_count; i++) if (wl->wl_paths[i].name) - printf("tame: %d=%s %lld\n", i, wl->wl_paths[i].name, + printf("pledge: %d=%s %lld\n", i, wl->wl_paths[i].name, (long long)wl->wl_paths[i].len); #endif } - p->p_p->ps_tame = flags; - p->p_p->ps_flags |= PS_TAMED; + p->p_p->ps_pledge = flags; + p->p_p->ps_flags |= PS_PLEDGE; return (0); } int -tame_check(struct proc *p, int code) +pledge_check(struct proc *p, int code) { - p->p_tamenote = p->p_tameafter = 0; /* XX optimise? */ - p->p_tame_syscall = code; + p->p_pledgenote = p->p_pledgeafter = 0; /* XX optimise? */ + p->p_pledge_syscall = code; if (code < 0 || code > SYS_MAXSYSCALL - 1) return (0); - if (p->p_p->ps_tame == 0) + if (p->p_p->ps_pledge == 0) return (code == SYS_exit || code == SYS_kbind); - return (p->p_p->ps_tame & tame_syscalls[code]); + return (p->p_p->ps_pledge & pledge_syscalls[code]); } int -tame_fail(struct proc *p, int error, int code) +pledge_fail(struct proc *p, int error, int code) { - printf("%s(%d): syscall %d\n", p->p_comm, p->p_pid, p->p_tame_syscall); - if (p->p_p->ps_tame & TAME_ABORT) { /* Core dump requested */ + printf("%s(%d): syscall %d\n", p->p_comm, p->p_pid, p->p_pledge_syscall); + if (p->p_p->ps_pledge & PLEDGE_ABORT) { /* Core dump requested */ struct sigaction sa; memset(&sa, 0, sizeof sa); @@ -464,7 +464,7 @@ tame_fail(struct proc *p, int error, int code) } else psignal(p, SIGKILL); - p->p_p->ps_tame = 0; /* Disable all TAME_ flags */ + p->p_p->ps_pledge = 0; /* Disable all PLEDGE_ flags */ return (error); } @@ -473,27 +473,27 @@ tame_fail(struct proc *p, int error, int code) * without the right flags set */ int -tame_namei(struct proc *p, char *origpath) +pledge_namei(struct proc *p, char *origpath) { char path[PATH_MAX]; - if (p->p_tamenote == TMN_COREDUMP) + if (p->p_pledgenote == TMN_COREDUMP) return (0); /* Allow a coredump */ if (canonpath(origpath, path, sizeof(path)) != 0) - return (tame_fail(p, EPERM, TAME_RPATH)); + return (pledge_fail(p, EPERM, PLEDGE_RPATH)); - if ((p->p_tamenote & TMN_FATTR) && - (p->p_p->ps_tame & TAME_FATTR) == 0) { + if ((p->p_pledgenote & TMN_FATTR) && + (p->p_p->ps_pledge & PLEDGE_FATTR) == 0) { printf("%s(%d): inode syscall%d, not allowed\n", - p->p_comm, p->p_pid, p->p_tame_syscall); - return (tame_fail(p, EPERM, TAME_FATTR)); + p->p_comm, p->p_pid, p->p_pledge_syscall); + return (pledge_fail(p, EPERM, PLEDGE_FATTR)); } /* Detect what looks like a mkstemp(3) family operation */ - if ((p->p_p->ps_tame & TAME_TMPPATH) && - (p->p_tame_syscall == SYS_open) && - (p->p_tamenote & TMN_CPATH) && + if ((p->p_p->ps_pledge & PLEDGE_TMPPATH) && + (p->p_pledge_syscall == SYS_open) && + (p->p_pledgenote & TMN_CPATH) && strncmp(path, "/tmp/", sizeof("/tmp/") - 1) == 0) { return (0); } @@ -501,33 +501,33 @@ tame_namei(struct proc *p, char *origpath) /* Allow unlinking of a mkstemp(3) file... * Good opportunity for strict checks here. */ - if ((p->p_p->ps_tame & TAME_TMPPATH) && - (p->p_tame_syscall == SYS_unlink) && + if ((p->p_p->ps_pledge & PLEDGE_TMPPATH) && + (p->p_pledge_syscall == SYS_unlink) && strncmp(path, "/tmp/", sizeof("/tmp/") - 1) == 0) { return (0); } /* open, mkdir, or other path creation operation */ - if ((p->p_tamenote & TMN_CPATH) && - ((p->p_p->ps_tame & TAME_CPATH) == 0)) - return (tame_fail(p, EPERM, TAME_CPATH)); + if ((p->p_pledgenote & TMN_CPATH) && + ((p->p_p->ps_pledge & PLEDGE_CPATH) == 0)) + return (pledge_fail(p, EPERM, PLEDGE_CPATH)); - if ((p->p_tamenote & TMN_WPATH) && - (p->p_p->ps_tame & TAME_WPATH) == 0) - return (tame_fail(p, EPERM, TAME_WPATH)); + if ((p->p_pledgenote & TMN_WPATH) && + (p->p_p->ps_pledge & PLEDGE_WPATH) == 0) + return (pledge_fail(p, EPERM, PLEDGE_WPATH)); /* Read-only paths used occasionally by libc */ - switch (p->p_tame_syscall) { + switch (p->p_pledge_syscall) { case SYS_access: /* tzset() needs this. */ - if ((p->p_tamenote == TMN_RPATH) && + if ((p->p_pledgenote == TMN_RPATH) && strcmp(path, "/etc/localtime") == 0) return (0); break; case SYS_open: /* getpw* and friends need a few files */ - if ((p->p_tamenote == TMN_RPATH) && - (p->p_p->ps_tame & TAME_GETPW)) { + if ((p->p_pledgenote == TMN_RPATH) && + (p->p_p->ps_pledge & PLEDGE_GETPW)) { if (strcmp(path, "/etc/spwd.db") == 0) return (EPERM); if (strcmp(path, "/etc/pwd.db") == 0) @@ -537,10 +537,10 @@ tame_namei(struct proc *p, char *origpath) } /* DNS needs /etc/{resolv.conf,hosts,services}. */ - if ((p->p_tamenote == TMN_RPATH) && - (p->p_p->ps_tame & TAME_DNSPATH)) { + if ((p->p_pledgenote == TMN_RPATH) && + (p->p_p->ps_pledge & PLEDGE_DNSPATH)) { if (strcmp(path, "/etc/resolv.conf") == 0) { - p->p_tameafter |= TMA_DNSRESOLV; + p->p_pledgeafter |= TMA_DNSRESOLV; return (0); } if (strcmp(path, "/etc/hosts") == 0) @@ -548,10 +548,10 @@ tame_namei(struct proc *p, char *origpath) if (strcmp(path, "/etc/services") == 0) return (0); } - if ((p->p_tamenote == TMN_RPATH) && - (p->p_p->ps_tame & TAME_GETPW)) { + if ((p->p_pledgenote == TMN_RPATH) && + (p->p_p->ps_pledge & PLEDGE_GETPW)) { if (strcmp(path, "/var/run/ypbind.lock") == 0) { - p->p_tameafter |= TMA_YPLOCK; + p->p_pledgeafter |= TMA_YPLOCK; return (0); } if (strncmp(path, "/var/yp/binding/", @@ -559,16 +559,16 @@ tame_namei(struct proc *p, char *origpath) return (0); } /* tzset() needs these. */ - if ((p->p_tamenote == TMN_RPATH) && + if ((p->p_pledgenote == TMN_RPATH) && strncmp(path, "/usr/share/zoneinfo/", sizeof("/usr/share/zoneinfo/") - 1) == 0) return (0); - if ((p->p_tamenote == TMN_RPATH) && + if ((p->p_pledgenote == TMN_RPATH) && strcmp(path, "/etc/localtime") == 0) return (0); /* /usr/share/nls/../libc.cat has to succeed for strerror(3). */ - if ((p->p_tamenote == TMN_RPATH) && + if ((p->p_pledgenote == TMN_RPATH) && strncmp(path, "/usr/share/nls/", sizeof("/usr/share/nls/") - 1) == 0 && strcmp(path + strlen(path) - 9, "/libc.cat") == 0) @@ -576,16 +576,16 @@ tame_namei(struct proc *p, char *origpath) break; case SYS_readlink: /* Allow /etc/malloc.conf for malloc(3). */ - if ((p->p_tamenote == TMN_RPATH) && + if ((p->p_pledgenote == TMN_RPATH) && strcmp(path, "/etc/malloc.conf") == 0) return (0); break; case SYS_stat: /* DNS needs /etc/resolv.conf. */ - if ((p->p_tamenote == TMN_RPATH) && - (p->p_p->ps_tame & TAME_DNSPATH)) { + if ((p->p_pledgenote == TMN_RPATH) && + (p->p_p->ps_pledge & PLEDGE_DNSPATH)) { if (strcmp(path, "/etc/resolv.conf") == 0) { - p->p_tameafter |= TMA_DNSRESOLV; + p->p_pledgeafter |= TMA_DNSRESOLV; return (0); } } @@ -596,8 +596,8 @@ tame_namei(struct proc *p, char *origpath) * If a whitelist is set, compare canonical paths. Anything * not on the whitelist gets ENOENT. */ - if (p->p_p->ps_tamepaths) { - struct whitepaths *wl = p->p_p->ps_tamepaths; + if (p->p_p->ps_pledgepaths) { + struct whitepaths *wl = p->p_p->ps_pledgepaths; char *fullpath, *builtpath = NULL, *canopath = NULL; size_t builtlen = 0; int i, error; @@ -639,7 +639,7 @@ tame_namei(struct proc *p, char *origpath) free(builtpath, M_TEMP, builtlen); if (error != 0) { free(canopath, M_TEMP, MAXPATHLEN); - return (tame_fail(p, EPERM, TAME_RPATH)); + return (pledge_fail(p, EPERM, PLEDGE_RPATH)); } //printf("namei: canopath = %s strlen %lld\n", canopath, @@ -660,30 +660,30 @@ tame_namei(struct proc *p, char *origpath) return (error); /* Don't hint why it failed */ } - if (p->p_p->ps_tame & TAME_RPATH) + if (p->p_p->ps_pledge & PLEDGE_RPATH) return (0); - if (p->p_p->ps_tame & TAME_WPATH) + if (p->p_p->ps_pledge & PLEDGE_WPATH) return (0); - if (p->p_p->ps_tame & TAME_CPATH) + if (p->p_p->ps_pledge & PLEDGE_CPATH) return (0); - return (tame_fail(p, EPERM, TAME_RPATH)); + return (pledge_fail(p, EPERM, PLEDGE_RPATH)); } void -tame_aftersyscall(struct proc *p, int code, int error) +pledge_aftersyscall(struct proc *p, int code, int error) { - if ((p->p_tameafter & TMA_YPLOCK) && error == 0) - atomic_setbits_int(&p->p_p->ps_tame, TAME_YP_ACTIVE | TAME_INET); - if ((p->p_tameafter & TMA_DNSRESOLV) && error == 0) - atomic_setbits_int(&p->p_p->ps_tame, TAME_DNS_ACTIVE); + if ((p->p_pledgeafter & TMA_YPLOCK) && error == 0) + atomic_setbits_int(&p->p_p->ps_pledge, PLEDGE_YP_ACTIVE | PLEDGE_INET); + if ((p->p_pledgeafter & TMA_DNSRESOLV) && error == 0) + atomic_setbits_int(&p->p_p->ps_pledge, PLEDGE_DNS_ACTIVE); } /* * By default, only the advisory cmsg's can be received from the kernel, * such as TIMESTAMP ntpd. * - * If TAME_RECVFD is set SCM_RIGHTS is also allowed in for a carefully + * If PLEDGE_RECVFD is set SCM_RIGHTS is also allowed in for a carefully * selected set of descriptors (specifically to exclude directories). * * This results in a kill upon recv, if some other process on the system @@ -691,7 +691,7 @@ tame_aftersyscall(struct proc *p, int code, int error) * leaving such sockets lying around... */ int -tame_cmsg_recv(struct proc *p, struct mbuf *control) +pledge_cmsg_recv(struct proc *p, struct mbuf *control) { struct msghdr tmp; struct cmsghdr *cmsg; @@ -699,7 +699,7 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control) struct file *fp; int nfds, i; - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); /* Scan the cmsg */ @@ -719,8 +719,8 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control) if (cmsg == NULL) return (0); - if ((p->p_p->ps_tame & TAME_RECVFD) == 0) - return tame_fail(p, EPERM, TAME_RECVFD); + if ((p->p_p->ps_pledge & PLEDGE_RECVFD) == 0) + return pledge_fail(p, EPERM, PLEDGE_RECVFD); /* In OpenBSD, a CMSG only contains one SCM_RIGHTS. Check it. */ fdp = (int *)CMSG_DATA(cmsg); @@ -732,7 +732,7 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control) fd = *fdp++; fp = fd_getfile(p->p_fd, fd); if (fp == NULL) - return tame_fail(p, EBADF, TAME_RECVFD); + return pledge_fail(p, EBADF, PLEDGE_RECVFD); /* Only allow passing of sockets, pipes, and pure files */ switch (fp->f_type) { @@ -747,30 +747,30 @@ tame_cmsg_recv(struct proc *p, struct mbuf *control) default: break; } - return tame_fail(p, EPERM, TAME_RECVFD); + return pledge_fail(p, EPERM, PLEDGE_RECVFD); } return (0); } /* - * When tamed, default prevents sending of a cmsg. + * When pledged, default prevents sending of a cmsg. * - * Unlike tame_cmsg_recv tame_cmsg_send is called with individual + * Unlike pledge_cmsg_recv pledge_cmsg_send is called with individual * cmsgs one per mbuf. So no need to loop or scan. */ int -tame_cmsg_send(struct proc *p, struct mbuf *control) +pledge_cmsg_send(struct proc *p, struct mbuf *control) { struct cmsghdr *cmsg; int *fdp, fd; struct file *fp; int nfds, i; - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - if ((p->p_p->ps_tame & TAME_SENDFD) == 0) - return tame_fail(p, EPERM, TAME_SENDFD); + if ((p->p_p->ps_pledge & PLEDGE_SENDFD) == 0) + return pledge_fail(p, EPERM, PLEDGE_SENDFD); /* Scan the cmsg */ cmsg = mtod(control, struct cmsghdr *); @@ -790,7 +790,7 @@ tame_cmsg_send(struct proc *p, struct mbuf *control) fd = *fdp++; fp = fd_getfile(p->p_fd, fd); if (fp == NULL) - return tame_fail(p, EBADF, TAME_SENDFD); + return pledge_fail(p, EBADF, PLEDGE_SENDFD); /* Only allow passing of sockets, pipes, and pure files */ switch (fp->f_type) { @@ -806,22 +806,22 @@ tame_cmsg_send(struct proc *p, struct mbuf *control) break; } /* Not allowed to send a bad fd type */ - return tame_fail(p, EPERM, TAME_SENDFD); + return pledge_fail(p, EPERM, PLEDGE_SENDFD); } return (0); } int -tame_sysctl_check(struct proc *p, int miblen, int *mib, void *new) +pledge_sysctl_check(struct proc *p, int miblen, int *mib, void *new) { - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); if (new) return (EFAULT); /* routing table observation */ - if ((p->p_p->ps_tame & TAME_ROUTE)) { + if ((p->p_p->ps_pledge & PLEDGE_ROUTE)) { if (miblen == 7 && mib[0] == CTL_NET && mib[1] == PF_ROUTE && mib[2] == 0 && @@ -843,7 +843,7 @@ tame_sysctl_check(struct proc *p, int miblen, int *mib, void *new) return (0); } - if ((p->p_p->ps_tame & (TAME_ROUTE | TAME_INET))) { + if ((p->p_p->ps_pledge & (PLEDGE_ROUTE | PLEDGE_INET))) { if (miblen == 6 && /* getifaddrs() */ mib[0] == CTL_NET && mib[1] == PF_ROUTE && mib[2] == 0 && @@ -892,11 +892,11 @@ tame_sysctl_check(struct proc *p, int miblen, int *mib, void *new) } int -tame_adjtime_check(struct proc *p, const void *v) +pledge_adjtime_check(struct proc *p, const void *v) { const struct timeval *delta = v; - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); if (delta) @@ -905,32 +905,32 @@ tame_adjtime_check(struct proc *p, const void *v) } int -tame_connect_check(struct proc *p) +pledge_connect_check(struct proc *p) { - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - if ((p->p_p->ps_tame & TAME_DNS_ACTIVE)) + if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE)) return (0); /* A port check happens inside sys_connect() */ - if ((p->p_p->ps_tame & (TAME_INET | TAME_UNIX))) + if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) return (0); return (EPERM); } int -tame_recvfrom_check(struct proc *p, void *v) +pledge_recvfrom_check(struct proc *p, void *v) { struct sockaddr *from = v; - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - if ((p->p_p->ps_tame & TAME_DNS_ACTIVE) && from == NULL) + if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && from == NULL) return (0); - if (p->p_p->ps_tame & TAME_INET) + if (p->p_p->ps_pledge & PLEDGE_INET) return (0); - if (p->p_p->ps_tame & TAME_UNIX) + if (p->p_p->ps_pledge & PLEDGE_UNIX) return (0); if (from == NULL) return (0); /* behaves just like write */ @@ -938,19 +938,19 @@ tame_recvfrom_check(struct proc *p, void *v) } int -tame_sendto_check(struct proc *p, const void *v) +pledge_sendto_check(struct proc *p, const void *v) { const struct sockaddr *to = v; - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - if ((p->p_p->ps_tame & TAME_DNS_ACTIVE) && to == NULL) + if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && to == NULL) return (0); - if ((p->p_p->ps_tame & TAME_INET)) + if ((p->p_p->ps_pledge & PLEDGE_INET)) return (0); - if ((p->p_p->ps_tame & TAME_UNIX)) + if ((p->p_p->ps_pledge & PLEDGE_UNIX)) return (0); if (to == NULL) return (0); /* behaves just like write */ @@ -958,36 +958,36 @@ tame_sendto_check(struct proc *p, const void *v) } int -tame_socket_check(struct proc *p, int domain) +pledge_socket_check(struct proc *p, int domain) { - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - if ((p->p_p->ps_tame & (TAME_INET | TAME_UNIX))) + if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) return (0); - if ((p->p_p->ps_tame & TAME_DNS_ACTIVE) && + if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && (domain == AF_INET || domain == AF_INET6)) return (0); return (EPERM); } int -tame_bind_check(struct proc *p, const void *v) +pledge_bind_check(struct proc *p, const void *v) { - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - if ((p->p_p->ps_tame & TAME_INET)) + if ((p->p_p->ps_pledge & PLEDGE_INET)) return (0); return (EPERM); } int -tame_ioctl_check(struct proc *p, long com, void *v) +pledge_ioctl_check(struct proc *p, long com, void *v) { struct file *fp = v; struct vnode *vp = NULL; - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); /* @@ -1007,7 +1007,7 @@ tame_ioctl_check(struct proc *p, long com, void *v) * Further sets of ioctl become available, but are checked a * bit more carefully against the vnode. */ - if ((p->p_p->ps_tame & TAME_IOCTL)) { + if ((p->p_p->ps_pledge & PLEDGE_IOCTL)) { switch (com) { case FIOCLEX: case FIONCLEX: @@ -1034,14 +1034,14 @@ tame_ioctl_check(struct proc *p, long com, void *v) return (0); break; case SIOCGIFGROUP: - if ((p->p_p->ps_tame & TAME_INET) && + if ((p->p_p->ps_pledge & PLEDGE_INET) && fp->f_type == DTYPE_SOCKET) return (0); break; } } - if ((p->p_p->ps_tame & TAME_ROUTE)) { + if ((p->p_p->ps_pledge & PLEDGE_ROUTE)) { switch (com) { case SIOCGIFADDR: case SIOCGIFFLAGS: @@ -1052,10 +1052,10 @@ tame_ioctl_check(struct proc *p, long com, void *v) } } - if ((p->p_p->ps_tame & TAME_TTY)) { + if ((p->p_p->ps_pledge & PLEDGE_TTY)) { switch (com) { case TIOCSPGRP: - if ((p->p_p->ps_tame & TAME_PROC) == 0) + if ((p->p_p->ps_pledge & PLEDGE_PROC) == 0) break; /* FALTHROUGH */ case TIOCGETA: @@ -1075,16 +1075,16 @@ tame_ioctl_check(struct proc *p, long com, void *v) } } - return tame_fail(p, EPERM, TAME_IOCTL); + return pledge_fail(p, EPERM, PLEDGE_IOCTL); } int -tame_setsockopt_check(struct proc *p, int level, int optname) +pledge_setsockopt_check(struct proc *p, int level, int optname) { - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - /* common case for TAME_UNIX and TAME_INET */ + /* common case for PLEDGE_UNIX and PLEDGE_INET */ switch (level) { case SOL_SOCKET: switch (optname) { @@ -1094,7 +1094,7 @@ tame_setsockopt_check(struct proc *p, int level, int optname) return (0); } - if ((p->p_p->ps_tame & TAME_INET) == 0) + if ((p->p_p->ps_pledge & PLEDGE_INET) == 0) return (EPERM); switch (level) { @@ -1119,7 +1119,7 @@ tame_setsockopt_check(struct proc *p, int level, int optname) case IP_MULTICAST_IF: case IP_ADD_MEMBERSHIP: case IP_DROP_MEMBERSHIP: - if ((p->p_p->ps_tame & TAME_MCAST) == 0) + if ((p->p_p->ps_pledge & PLEDGE_MCAST) == 0) return (0); break; } @@ -1139,7 +1139,7 @@ tame_setsockopt_check(struct proc *p, int level, int optname) case IPV6_MULTICAST_IF: case IPV6_JOIN_GROUP: case IPV6_LEAVE_GROUP: - if ((p->p_p->ps_tame & TAME_MCAST) == 0) + if ((p->p_p->ps_pledge & PLEDGE_MCAST) == 0) return (0); break; } @@ -1151,30 +1151,30 @@ tame_setsockopt_check(struct proc *p, int level, int optname) } int -tame_dns_check(struct proc *p, in_port_t port) +pledge_dns_check(struct proc *p, in_port_t port) { - if ((p->p_p->ps_flags & PS_TAMED) == 0) + if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - if ((p->p_p->ps_tame & TAME_INET)) + if ((p->p_p->ps_pledge & PLEDGE_INET)) return (0); - if ((p->p_p->ps_tame & TAME_DNS_ACTIVE) && port == htons(53)) + if ((p->p_p->ps_pledge & PLEDGE_DNS_ACTIVE) && port == htons(53)) return (0); /* Allow a DNS connect outbound */ return (EPERM); } void -tame_dropwpaths(struct process *pr) +pledge_dropwpaths(struct process *pr) { - if (pr->ps_tamepaths && --pr->ps_tamepaths->wl_ref == 0) { - struct whitepaths *wl = pr->ps_tamepaths; + if (pr->ps_pledgepaths && --pr->ps_pledgepaths->wl_ref == 0) { + struct whitepaths *wl = pr->ps_pledgepaths; int i; for (i = 0; i < wl->wl_count; i++) free(wl->wl_paths[i].name, M_TEMP, wl->wl_paths[i].len); free(wl, M_TEMP, wl->wl_size); } - pr->ps_tamepaths = NULL; + pr->ps_pledgepaths = NULL; } int diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index 2942e3de2cc..3aab66ce4d9 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_time.c,v 1.93 2015/09/11 08:22:31 guenther Exp $ */ +/* $OpenBSD: kern_time.c,v 1.94 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: kern_time.c,v 1.20 1996/02/18 11:57:06 fvdl Exp $ */ /* @@ -40,7 +40,7 @@ #include #include #include -#include +#include #include #include @@ -433,7 +433,7 @@ sys_adjtime(struct proc *p, void *v, register_t *retval) struct timeval atv; int error; - if (tame_adjtime_check(p, delta)) + if (pledge_adjtime_check(p, delta)) return (EPERM); if (olddelta) { diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master index bccfe3d7198..31dfa063d50 100644 --- a/sys/kern/syscalls.master +++ b/sys/kern/syscalls.master @@ -1,4 +1,4 @@ -; $OpenBSD: syscalls.master,v 1.161 2015/10/02 17:49:40 kettenis Exp $ +; $OpenBSD: syscalls.master,v 1.162 2015/10/09 01:10:27 deraadt Exp $ ; $NetBSD: syscalls.master,v 1.32 1996/04/23 10:24:21 mycroft Exp $ ; @(#)syscalls.master 8.2 (Berkeley) 1/13/94 @@ -225,7 +225,7 @@ 106 STD { int sys_listen(int s, int backlog); } 107 STD { int sys_chflagsat(int fd, const char *path, \ u_int flags, int atflags); } -108 STD { int sys_tame(const char *request, const char **paths); } +108 STD { int sys_pledge(const char *request, const char **paths); } 109 STD { int sys_ppoll(struct pollfd *fds, \ u_int nfds, const struct timespec *ts, \ const sigset_t *mask); } diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 8cb3444affd..13780c4a5ac 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_syscalls.c,v 1.111 2015/10/06 14:55:41 claudio Exp $ */ +/* $OpenBSD: uipc_syscalls.c,v 1.112 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: uipc_syscalls.c,v 1.19 1996/02/09 19:00:48 christos Exp $ */ /* @@ -45,7 +45,7 @@ #include #include #include -#include +#include #include #include #ifdef KTRACE @@ -79,8 +79,8 @@ sys_socket(struct proc *p, void *v, register_t *retval) int type = SCARG(uap, type); int fd, error; - if (tame_socket_check(p, SCARG(uap, domain))) - return (tame_fail(p, EPERM, TAME_UNIX)); + if (pledge_socket_check(p, SCARG(uap, domain))) + return (pledge_fail(p, EPERM, PLEDGE_UNIX)); fdplock(fdp); error = falloc(p, &fp, &fd); @@ -124,8 +124,8 @@ sys_bind(struct proc *p, void *v, register_t *retval) struct mbuf *nam; int error; - if (tame_bind_check(p, SCARG(uap, name))) - return (tame_fail(p, EPERM, TAME_UNIX)); + if (pledge_bind_check(p, SCARG(uap, name))) + return (pledge_fail(p, EPERM, PLEDGE_UNIX)); if ((error = getsock(p, SCARG(uap, s), &fp)) != 0) return (error); @@ -322,8 +322,8 @@ sys_connect(struct proc *p, void *v, register_t *retval) struct mbuf *nam = NULL; int error, s; - if (tame_connect_check(p)) - return (tame_fail(p, EPERM, TAME_UNIX)); + if (pledge_connect_check(p)) + return (pledge_fail(p, EPERM, PLEDGE_UNIX)); if ((error = getsock(p, SCARG(uap, s), &fp)) != 0) return (error); @@ -465,8 +465,8 @@ sys_sendto(struct proc *p, void *v, register_t *retval) struct msghdr msg; struct iovec aiov; - if (tame_sendto_check(p, SCARG(uap, to))) - return (tame_fail(p, EPERM, TAME_UNIX)); + if (pledge_sendto_check(p, SCARG(uap, to))) + return (pledge_fail(p, EPERM, PLEDGE_UNIX)); msg.msg_name = (caddr_t)SCARG(uap, to); msg.msg_namelen = SCARG(uap, tolen); @@ -499,8 +499,8 @@ sys_sendmsg(struct proc *p, void *v, register_t *retval) ktrmsghdr(p, &msg); #endif - if (tame_sendto_check(p, msg.msg_name)) - return (tame_fail(p, EPERM, TAME_UNIX)); + if (pledge_sendto_check(p, msg.msg_name)) + return (pledge_fail(p, EPERM, PLEDGE_UNIX)); if (msg.msg_iovlen > IOV_MAX) return (EMSGSIZE); @@ -586,7 +586,7 @@ sendit(struct proc *p, int s, struct msghdr *mp, int flags, register_t *retsize) mp->msg_controllen); #endif - if (tame_cmsg_send(p, control)) { + if (pledge_cmsg_send(p, control)) { m_free(control); error = EPERM; goto bad; @@ -645,8 +645,8 @@ sys_recvfrom(struct proc *p, void *v, register_t *retval) struct iovec aiov; int error; - if (tame_recvfrom_check(p, SCARG(uap, from))) - return (tame_fail(p, EPERM, TAME_UNIX)); + if (pledge_recvfrom_check(p, SCARG(uap, from))) + return (pledge_fail(p, EPERM, PLEDGE_UNIX)); if (SCARG(uap, fromlenaddr)) { error = copyin(SCARG(uap, fromlenaddr), @@ -682,8 +682,8 @@ sys_recvmsg(struct proc *p, void *v, register_t *retval) if (error) return (error); - if (tame_recvfrom_check(p, msg.msg_name)) - return (tame_fail(p, EPERM, TAME_UNIX)); + if (pledge_recvfrom_check(p, msg.msg_name)) + return (pledge_fail(p, EPERM, PLEDGE_UNIX)); if (msg.msg_iovlen > IOV_MAX) return (EMSGSIZE); @@ -821,7 +821,7 @@ recvit(struct proc *p, int s, struct msghdr *mp, caddr_t namelenp, mp->msg_flags |= MSG_CTRUNC; i = len; } - if (tame_cmsg_recv(p, m)) { + if (pledge_cmsg_recv(p, m)) { error = EPERM; goto out; } @@ -883,8 +883,8 @@ sys_setsockopt(struct proc *p, void *v, register_t *retval) struct mbuf *m = NULL; int error; - if (tame_setsockopt_check(p, SCARG(uap, level), SCARG(uap, name))) - return (tame_fail(p, EPERM, TAME_INET)); + if (pledge_setsockopt_check(p, SCARG(uap, level), SCARG(uap, name))) + return (pledge_fail(p, EPERM, PLEDGE_INET)); if ((error = getsock(p, SCARG(uap, s), &fp)) != 0) return (error); diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index ddc130fb4ed..2eae3077063 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_usrreq.c,v 1.86 2015/08/29 21:10:20 deraadt Exp $ */ +/* $OpenBSD: uipc_usrreq.c,v 1.87 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: uipc_usrreq.c,v 1.18 1996/02/09 19:00:50 christos Exp $ */ /* @@ -433,7 +433,7 @@ unp_bind(struct unpcb *unp, struct mbuf *nam, struct proc *p) /* Fixup sun_len to keep it in sync with m_len. */ soun->sun_len = nam2->m_len; - p->p_tamenote = TMN_CPATH; + p->p_pledgenote = TMN_CPATH; NDINIT(&nd, CREATE, NOFOLLOW | LOCKPARENT, UIO_SYSSPACE, soun->sun_path, p); /* SHOULD BE ABLE TO ADOPT EXISTING AND wakeup() ALA FIFO's */ @@ -492,7 +492,7 @@ unp_connect(struct socket *so, struct mbuf *nam, struct proc *p) else if (memchr(soun->sun_path, '\0', sizeof(soun->sun_path)) == NULL) return (EINVAL); - p->p_tamenote = TMN_RPATH; + p->p_pledgenote = TMN_RPATH; NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, soun->sun_path, p); if ((error = namei(&nd)) != 0) return (error); diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index fc8c274ec27..9de8580dd50 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vfs_lookup.c,v 1.56 2015/09/11 08:22:31 guenther Exp $ */ +/* $OpenBSD: vfs_lookup.c,v 1.57 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: vfs_lookup.c,v 1.17 1996/02/09 19:00:59 christos Exp $ */ /* @@ -49,7 +49,7 @@ #include #include #include -#include +#include #include #include @@ -166,8 +166,8 @@ fail: */ if ((ndp->ni_rootdir = fdp->fd_rdir) == NULL) ndp->ni_rootdir = rootvnode; - if ((p->p_p->ps_flags & PS_TAMED)) { - error = tame_namei(p, cnp->cn_pnbuf); + if ((p->p_p->ps_flags & PS_PLEDGE)) { + error = pledge_namei(p, cnp->cn_pnbuf); if (error) goto fail; } diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 4c23eb59c94..af85e9a5bc1 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vfs_syscalls.c,v 1.228 2015/10/06 14:39:07 deraadt Exp $ */ +/* $OpenBSD: vfs_syscalls.c,v 1.229 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $ */ /* @@ -562,7 +562,7 @@ sys_statfs(struct proc *p, void *v, register_t *retval) int error; struct nameidata nd; - p->p_tamenote = TMN_RPATH; + p->p_pledgenote = TMN_RPATH; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p); if ((error = namei(&nd)) != 0) return (error); @@ -847,17 +847,17 @@ doopenat(struct proc *p, int fd, const char *path, int oflags, mode_t mode, switch (oflags & O_ACCMODE) { case O_RDONLY: - p->p_tamenote = TMN_RPATH; + p->p_pledgenote = TMN_RPATH; break; case O_WRONLY: - p->p_tamenote = TMN_WPATH; + p->p_pledgenote = TMN_WPATH; break; case O_RDWR: - p->p_tamenote = TMN_RPATH | TMN_WPATH; + p->p_pledgenote = TMN_RPATH | TMN_WPATH; break; } if (oflags & O_CREAT) - p->p_tamenote |= TMN_CPATH; + p->p_pledgenote |= TMN_CPATH; fdplock(fdp); @@ -1295,7 +1295,7 @@ sys_mkfifo(struct proc *p, void *v, register_t *retval) syscallarg(mode_t) mode; } */ *uap = v; - p->p_tamenote = TMN_CPATH | TMN_RPATH; + p->p_pledgenote = TMN_CPATH | TMN_RPATH; return (domknodat(p, AT_FDCWD, SCARG(uap, path), (SCARG(uap, mode) & ALLPERMS) | S_IFIFO, 0)); } @@ -1357,7 +1357,7 @@ dolinkat(struct proc *p, int fd1, const char *path1, int fd2, return (EINVAL); follow = (flag & AT_SYMLINK_FOLLOW) ? FOLLOW : NOFOLLOW; - p->p_tamenote = TMN_RPATH; + p->p_pledgenote = TMN_RPATH; NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd1, path1, p); if ((error = namei(&nd)) != 0) return (error); @@ -1368,7 +1368,7 @@ dolinkat(struct proc *p, int fd1, const char *path1, int fd2, flags |= STRIPSLASHES; } - p->p_tamenote = TMN_CPATH; + p->p_pledgenote = TMN_CPATH; NDINITAT(&nd, CREATE, flags, UIO_USERSPACE, fd2, path2, p); if ((error = namei(&nd)) != 0) goto out; @@ -1428,7 +1428,7 @@ dosymlinkat(struct proc *p, const char *upath, int fd, const char *link) error = copyinstr(upath, path, MAXPATHLEN, NULL); if (error) goto out; - p->p_tamenote = TMN_CPATH; + p->p_pledgenote = TMN_CPATH; NDINITAT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, fd, link, p); if ((error = namei(&nd)) != 0) goto out; @@ -1487,7 +1487,7 @@ dounlinkat(struct proc *p, int fd, const char *path, int flag) if (flag & ~AT_REMOVEDIR) return (EINVAL); - p->p_tamenote = TMN_CPATH; + p->p_pledgenote = TMN_CPATH; NDINITAT(&nd, DELETE, LOCKPARENT | LOCKLEAF, UIO_USERSPACE, fd, path, p); if ((error = namei(&nd)) != 0) @@ -1608,7 +1608,7 @@ sys_access(struct proc *p, void *v, register_t *retval) syscallarg(int) amode; } */ *uap = v; - p->p_tamenote = TMN_RPATH; + p->p_pledgenote = TMN_RPATH; return (dofaccessat(p, AT_FDCWD, SCARG(uap, path), SCARG(uap, amode), 0)); } @@ -1655,7 +1655,7 @@ dofaccessat(struct proc *p, int fd, const char *path, int amode, int flag) newcred->cr_gid = newcred->cr_rgid; } - p->p_tamenote = TMN_RPATH; + p->p_pledgenote = TMN_RPATH; NDINITAT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, fd, path, p); if ((error = namei(&nd)) != 0) goto out; @@ -1726,7 +1726,7 @@ dofstatat(struct proc *p, int fd, const char *path, struct stat *buf, int flag) follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; - p->p_tamenote = TMN_RPATH; + p->p_pledgenote = TMN_RPATH; NDINITAT(&nd, LOOKUP, follow | LOCKLEAF, UIO_USERSPACE, fd, path, p); if ((error = namei(&nd)) != 0) return (error); @@ -1825,7 +1825,7 @@ doreadlinkat(struct proc *p, int fd, const char *path, char *buf, int error; struct nameidata nd; - p->p_tamenote = TMN_RPATH; + p->p_pledgenote = TMN_RPATH; NDINITAT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF, UIO_USERSPACE, fd, path, p); if ((error = namei(&nd)) != 0) return (error); @@ -1888,7 +1888,7 @@ dochflagsat(struct proc *p, int fd, const char *path, u_int flags, int atflags) return (EINVAL); follow = (atflags & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; - p->p_tamenote = TMN_FATTR | TMN_RPATH; + p->p_pledgenote = TMN_FATTR | TMN_RPATH; NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p); if ((error = namei(&nd)) != 0) return (error); @@ -1986,13 +1986,13 @@ dofchmodat(struct proc *p, int fd, const char *path, mode_t mode, int flag) if (mode & ~(S_IFMT | ALLPERMS)) return (EINVAL); - if ((p->p_p->ps_flags & PS_TAMED)) + if ((p->p_p->ps_flags & PS_PLEDGE)) mode &= ACCESSPERMS; if (flag & ~AT_SYMLINK_NOFOLLOW) return (EINVAL); follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; - p->p_tamenote = TMN_FATTR | TMN_RPATH; + p->p_pledgenote = TMN_FATTR | TMN_RPATH; NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p); if ((error = namei(&nd)) != 0) return (error); @@ -2028,7 +2028,7 @@ sys_fchmod(struct proc *p, void *v, register_t *retval) if (mode & ~(S_IFMT | ALLPERMS)) return (EINVAL); - if ((p->p_p->ps_flags & PS_TAMED)) + if ((p->p_p->ps_flags & PS_PLEDGE)) mode &= ACCESSPERMS; if ((error = getvnode(p, SCARG(uap, fd), &fp)) != 0) @@ -2093,7 +2093,7 @@ dofchownat(struct proc *p, int fd, const char *path, uid_t uid, gid_t gid, return (EINVAL); follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; - p->p_tamenote = TMN_FATTR | TMN_RPATH; + p->p_pledgenote = TMN_FATTR | TMN_RPATH; NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p); if ((error = namei(&nd)) != 0) return (error); @@ -2102,7 +2102,7 @@ dofchownat(struct proc *p, int fd, const char *path, uid_t uid, gid_t gid, if (vp->v_mount->mnt_flag & MNT_RDONLY) error = EROFS; else { - if ((p->p_p->ps_flags & PS_TAMED) && + if ((p->p_p->ps_flags & PS_PLEDGE) && ((uid != -1 && uid != p->p_ucred->cr_uid) || (gid != -1 && gid != p->p_ucred->cr_gid))) { error = EPERM; @@ -2149,7 +2149,7 @@ sys_lchown(struct proc *p, void *v, register_t *retval) uid_t uid = SCARG(uap, uid); gid_t gid = SCARG(uap, gid); - p->p_tamenote = TMN_FATTR | TMN_RPATH; + p->p_pledgenote = TMN_FATTR | TMN_RPATH; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), p); if ((error = namei(&nd)) != 0) return (error); @@ -2158,7 +2158,7 @@ sys_lchown(struct proc *p, void *v, register_t *retval) if (vp->v_mount->mnt_flag & MNT_RDONLY) error = EROFS; else { - if ((p->p_p->ps_flags & PS_TAMED) && + if ((p->p_p->ps_flags & PS_PLEDGE) && ((uid != -1 && uid != p->p_ucred->cr_uid) || (gid != -1 && gid != p->p_ucred->cr_gid))) { error = EPERM; @@ -2212,7 +2212,7 @@ sys_fchown(struct proc *p, void *v, register_t *retval) if (vp->v_mount->mnt_flag & MNT_RDONLY) error = EROFS; else { - if ((p->p_p->ps_flags & PS_TAMED) && + if ((p->p_p->ps_flags & PS_PLEDGE) && ((uid != -1 && uid != p->p_ucred->cr_uid) || (gid != -1 && gid != p->p_ucred->cr_gid))) { error = EPERM; @@ -2308,7 +2308,7 @@ doutimensat(struct proc *p, int fd, const char *path, return (EINVAL); follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; - p->p_tamenote = TMN_FATTR | TMN_RPATH; + p->p_pledgenote = TMN_FATTR | TMN_RPATH; NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p); if ((error = namei(&nd)) != 0) return (error); @@ -2453,7 +2453,7 @@ sys_truncate(struct proc *p, void *v, register_t *retval) int error; struct nameidata nd; - p->p_tamenote = TMN_FATTR | TMN_RPATH; + p->p_pledgenote = TMN_FATTR | TMN_RPATH; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p); if ((error = namei(&nd)) != 0) return (error); @@ -2580,7 +2580,7 @@ dorenameat(struct proc *p, int fromfd, const char *from, int tofd, int error; int flags; - p->p_tamenote = TMN_RPATH | TMN_CPATH; + p->p_pledgenote = TMN_RPATH | TMN_CPATH; NDINITAT(&fromnd, DELETE, WANTPARENT | SAVESTART, UIO_USERSPACE, fromfd, from, p); if ((error = namei(&fromnd)) != 0) @@ -2594,7 +2594,7 @@ dorenameat(struct proc *p, int fromfd, const char *from, int tofd, if (fvp->v_type == VDIR) flags |= STRIPSLASHES; - p->p_tamenote = TMN_CPATH; + p->p_pledgenote = TMN_CPATH; NDINITAT(&tond, RENAME, flags, UIO_USERSPACE, tofd, to, p); if ((error = namei(&tond)) != 0) { VOP_ABORTOP(fromnd.ni_dvp, &fromnd.ni_cnd); @@ -2663,7 +2663,7 @@ sys_mkdir(struct proc *p, void *v, register_t *retval) syscallarg(mode_t) mode; } */ *uap = v; - p->p_tamenote = TMN_CPATH | TMN_RPATH; + p->p_pledgenote = TMN_CPATH | TMN_RPATH; return (domkdirat(p, AT_FDCWD, SCARG(uap, path), SCARG(uap, mode))); } @@ -2688,7 +2688,7 @@ domkdirat(struct proc *p, int fd, const char *path, mode_t mode) int error; struct nameidata nd; - p->p_tamenote = TMN_CPATH | TMN_RPATH; + p->p_pledgenote = TMN_CPATH | TMN_RPATH; NDINITAT(&nd, CREATE, LOCKPARENT | STRIPSLASHES, UIO_USERSPACE, fd, path, p); if ((error = namei(&nd)) != 0) @@ -2723,7 +2723,7 @@ sys_rmdir(struct proc *p, void *v, register_t *retval) syscallarg(const char *) path; } */ *uap = v; - p->p_tamenote = TMN_CPATH; + p->p_pledgenote = TMN_CPATH; return (dounlinkat(p, AT_FDCWD, SCARG(uap, path), AT_REMOVEDIR)); } diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index fe26a5a6840..ed4fd8b9a06 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.180 2015/09/22 09:34:38 vgross Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.181 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* @@ -77,7 +77,7 @@ #include #include #include -#include +#include #include #include @@ -455,8 +455,8 @@ in_pcbconnect(struct inpcb *inp, struct mbuf *nam) if (sin->sin_port == 0) return (EADDRNOTAVAIL); - if (tame_dns_check(p, sin->sin_port)) - return (tame_fail(p, EPERM, TAME_DNSPATH)); + if (pledge_dns_check(p, sin->sin_port)) + return (pledge_fail(p, EPERM, PLEDGE_DNSPATH)); error = in_selectsrc(&ina, sin, inp->inp_moptions, &inp->inp_route, &inp->inp_laddr, inp->inp_rtableid); diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index 866fc9cf800..67b5384780f 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in6_pcb.c,v 1.75 2015/09/22 09:34:39 vgross Exp $ */ +/* $OpenBSD: in6_pcb.c,v 1.76 2015/10/09 01:10:27 deraadt Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -109,7 +109,7 @@ #include #include #include -#include +#include #include #include @@ -403,8 +403,8 @@ in6_pcbconnect(struct inpcb *inp, struct mbuf *nam) if (sin6->sin6_port == 0) return (EADDRNOTAVAIL); - if (tame_dns_check(p, sin6->sin6_port)) - return (tame_fail(p, EPERM, TAME_DNSPATH)); + if (pledge_dns_check(p, sin6->sin6_port)) + return (pledge_fail(p, EPERM, PLEDGE_DNSPATH)); /* reject IPv4 mapped address, we have no support for it */ if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) diff --git a/sys/sys/pledge.h b/sys/sys/pledge.h new file mode 100644 index 00000000000..583ef86c18b --- /dev/null +++ b/sys/sys/pledge.h @@ -0,0 +1,92 @@ +/* $OpenBSD: pledge.h,v 1.1 2015/10/09 01:10:27 deraadt Exp $ */ + +/* + * Copyright (c) 2015 Nicholas Marriott + * Copyright (c) 2015 Theo de Raadt + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _SYS_PLEDGE_H_ +#define _SYS_PLEDGE_H_ + +#ifdef _KERNEL + +#include + +#define PLEDGE_SELF 0x00000001 /* operate on own pid */ +#define PLEDGE_RW 0x00000002 /* basic io operations */ +#define PLEDGE_MALLOC 0x00000004 /* enough for malloc */ +#define PLEDGE_DNSPATH 0x00000008 /* access to DNS pathnames */ +#define PLEDGE_RPATH 0x00000010 /* allow open for read */ +#define PLEDGE_WPATH 0x00000020 /* allow open for write */ +#define PLEDGE_TMPPATH 0x00000040 /* for mk*temp() */ +#define PLEDGE_INET 0x00000080 /* AF_INET/AF_INET6 sockets */ +#define PLEDGE_UNIX 0x00000100 /* AF_UNIX sockets */ +// reuse, old CMSG 0x00000200 +#define PLEDGE_IOCTL 0x00000400 /* Select ioctl */ +#define PLEDGE_GETPW 0x00000800 /* YP enables if ypbind.lock */ +#define PLEDGE_PROC 0x00001000 /* fork, waitpid, etc */ +#define PLEDGE_CPATH 0x00002000 /* allow creat, mkdir, path creations */ +#define PLEDGE_FATTR 0x00004000 /* allow explicit file st_* mods */ +#define PLEDGE_PROTEXEC 0x00008000 /* allow use of PROT_EXEC */ +#define PLEDGE_TTY 0x00010000 /* tty setting */ +#define PLEDGE_SENDFD 0x00020000 /* AF_UNIX CMSG fd sending */ +#define PLEDGE_RECVFD 0x00040000 /* AF_UNIX CMSG fd receiving */ +#define PLEDGE_EXEC 0x00080000 /* execve, child is free of pledge */ +#define PLEDGE_ROUTE 0x00100000 /* routing lookups */ +#define PLEDGE_MCAST 0x00200000 /* multicast joins */ + +#define PLEDGE_ABORT 0x08000000 /* SIGABRT instead of SIGKILL */ + +/* Following flags are set by kernel, as it learns things. + * Not user settable. Should be moved to a seperate variable */ +#define PLEDGE_USERSET 0x0fffffff +#define PLEDGE_YP_ACTIVE 0x10000000 /* YP use detected and allowed */ +#define PLEDGE_DNS_ACTIVE 0x20000000 /* DNS use detected and allowed */ + +int pledge_check(struct proc *, int); +int pledge_fail(struct proc *, int, int); +int pledge_namei(struct proc *, char *); +void pledge_aftersyscall(struct proc *, int, int); + +struct mbuf; +int pledge_cmsg_send(struct proc *p, struct mbuf *control); +int pledge_cmsg_recv(struct proc *p, struct mbuf *control); +int pledge_sysctl_check(struct proc *p, int namelen, int *name, void *new); +int pledge_adjtime_check(struct proc *p, const void *v); +int pledge_recvfrom_check(struct proc *p, void *from); +int pledge_sendto_check(struct proc *p, const void *to); +int pledge_bind_check(struct proc *p, const void *v); +int pledge_connect_check(struct proc *p); +int pledge_socket_check(struct proc *p, int domain); +int pledge_setsockopt_check(struct proc *p, int level, int optname); +int pledge_dns_check(struct proc *p, in_port_t port); +int pledge_ioctl_check(struct proc *p, long com, void *); + +#define PLEDGE_MAXPATHS 8192 + +struct whitepaths { + size_t wl_size; + int wl_count; + int wl_ref; + struct whitepath { + char *name; + size_t len; + } wl_paths[0]; +}; +void pledge_dropwpaths(struct process *); + +#endif /* _KERNEL */ + +#endif /* _SYS_PLEDGE_H_ */ diff --git a/sys/sys/proc.h b/sys/sys/proc.h index 63d736b18d3..064fd1d93c2 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: proc.h,v 1.205 2015/09/11 08:22:31 guenther Exp $ */ +/* $OpenBSD: proc.h,v 1.206 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $ */ /*- @@ -212,8 +212,8 @@ struct process { u_short ps_acflag; /* Accounting flags. */ - u_int ps_tame; - struct whitepaths *ps_tamepaths; + u_int ps_pledge; + struct whitepaths *ps_pledgepaths; int64_t ps_kbind_cookie; u_long ps_kbind_addr; @@ -255,14 +255,14 @@ struct process { #define PS_EMBRYO 0x00020000 /* New process, not yet fledged */ #define PS_ZOMBIE 0x00040000 /* Dead and ready to be waited for */ #define PS_NOBROADCASTKILL 0x00080000 /* Process excluded from kill -1. */ -#define PS_TAMED 0x00100000 /* Has called tame(2) */ +#define PS_PLEDGE 0x00100000 /* Has called pledge(2) */ #define PS_BITS \ ("\20" "\01CONTROLT" "\02EXEC" "\03INEXEC" "\04EXITING" "\05SUGID" \ "\06SUGIDEXEC" "\07PPWAIT" "\010ISPWAIT" "\011PROFIL" "\012TRACED" \ "\013WAITED" "\014COREDUMP" "\015SINGLEEXIT" "\016SINGLEUNWIND" \ "\017NOZOMBIE" "\020STOPPED" "\021SYSTEM" "\022EMBRYO" "\023ZOMBIE" \ - "\024NOBROADCASTKILL" "\025TAMED") + "\024NOBROADCASTKILL" "\025PLEDGE") struct proc { @@ -326,14 +326,14 @@ struct proc { u_char p_usrpri; /* User-priority based on p_cpu and ps_nice. */ char p_comm[MAXCOMLEN+1]; - int p_tame_syscall; /* Cache of current syscall */ - int p_tamenote; /* Observance during syscall */ + int p_pledge_syscall; /* Cache of current syscall */ + int p_pledgenote; /* Observance during syscall */ #define TMN_RPATH 0x00000001 #define TMN_WPATH 0x00000002 #define TMN_CPATH 0x00000004 #define TMN_FATTR 0x00000008 #define TMN_COREDUMP 0x00000010 - int p_tameafter; + int p_pledgeafter; #define TMA_YPLOCK 0x00000001 #define TMA_DNSRESOLV 0x00000002 diff --git a/sys/sys/tame.h b/sys/sys/tame.h deleted file mode 100644 index abf668a0d25..00000000000 --- a/sys/sys/tame.h +++ /dev/null @@ -1,92 +0,0 @@ -/* $OpenBSD: tame.h,v 1.13 2015/10/08 17:29:43 deraadt Exp $ */ - -/* - * Copyright (c) 2015 Nicholas Marriott - * Copyright (c) 2015 Theo de Raadt - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef _SYS_TAME_H_ -#define _SYS_TAME_H_ - -#ifdef _KERNEL - -#include - -#define TAME_SELF 0x00000001 /* operate on own pid */ -#define TAME_RW 0x00000002 /* basic io operations */ -#define TAME_MALLOC 0x00000004 /* enough for malloc */ -#define TAME_DNSPATH 0x00000008 /* access to DNS pathnames */ -#define TAME_RPATH 0x00000010 /* allow open for read */ -#define TAME_WPATH 0x00000020 /* allow open for write */ -#define TAME_TMPPATH 0x00000040 /* for mk*temp() */ -#define TAME_INET 0x00000080 /* AF_INET/AF_INET6 sockets */ -#define TAME_UNIX 0x00000100 /* AF_UNIX sockets */ -// reuse, old CMSG 0x00000200 -#define TAME_IOCTL 0x00000400 /* Select ioctl */ -#define TAME_GETPW 0x00000800 /* YP enables if ypbind.lock */ -#define TAME_PROC 0x00001000 /* fork, waitpid, etc */ -#define TAME_CPATH 0x00002000 /* allow creat, mkdir, path creations */ -#define TAME_FATTR 0x00004000 /* allow explicit file st_* mods */ -#define TAME_PROTEXEC 0x00008000 /* allow use of PROT_EXEC */ -#define TAME_TTY 0x00010000 /* tty setting */ -#define TAME_SENDFD 0x00020000 /* AF_UNIX CMSG fd sending */ -#define TAME_RECVFD 0x00040000 /* AF_UNIX CMSG fd receiving */ -#define TAME_EXEC 0x00080000 /* execve, child is free of tame */ -#define TAME_ROUTE 0x00100000 /* routing lookups */ -#define TAME_MCAST 0x00200000 /* multicast joins */ - -#define TAME_ABORT 0x08000000 /* SIGABRT instead of SIGKILL */ - -/* Following flags are set by kernel, as it learns things. - * Not user settable. Should be moved to a seperate variable */ -#define TAME_USERSET 0x0fffffff -#define TAME_YP_ACTIVE 0x10000000 /* YP use detected and allowed */ -#define TAME_DNS_ACTIVE 0x20000000 /* DNS use detected and allowed */ - -int tame_check(struct proc *, int); -int tame_fail(struct proc *, int, int); -int tame_namei(struct proc *, char *); -void tame_aftersyscall(struct proc *, int, int); - -struct mbuf; -int tame_cmsg_send(struct proc *p, struct mbuf *control); -int tame_cmsg_recv(struct proc *p, struct mbuf *control); -int tame_sysctl_check(struct proc *p, int namelen, int *name, void *new); -int tame_adjtime_check(struct proc *p, const void *v); -int tame_recvfrom_check(struct proc *p, void *from); -int tame_sendto_check(struct proc *p, const void *to); -int tame_bind_check(struct proc *p, const void *v); -int tame_connect_check(struct proc *p); -int tame_socket_check(struct proc *p, int domain); -int tame_setsockopt_check(struct proc *p, int level, int optname); -int tame_dns_check(struct proc *p, in_port_t port); -int tame_ioctl_check(struct proc *p, long com, void *); - -#define TAME_MAXPATHS 8192 - -struct whitepaths { - size_t wl_size; - int wl_count; - int wl_ref; - struct whitepath { - char *name; - size_t len; - } wl_paths[0]; -}; -void tame_dropwpaths(struct process *); - -#endif /* _KERNEL */ - -#endif /* _SYS_TAME_H_ */ diff --git a/sys/uvm/uvm_mmap.c b/sys/uvm/uvm_mmap.c index 00145afead8..5f177abdb94 100644 --- a/sys/uvm/uvm_mmap.c +++ b/sys/uvm/uvm_mmap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uvm_mmap.c,v 1.119 2015/09/30 11:36:07 semarie Exp $ */ +/* $OpenBSD: uvm_mmap.c,v 1.120 2015/10/09 01:10:27 deraadt Exp $ */ /* $NetBSD: uvm_mmap.c,v 1.49 2001/02/18 21:19:08 chs Exp $ */ /* @@ -65,7 +65,7 @@ #include #include #include -#include +#include #include /* for KBIND* */ #include @@ -365,10 +365,10 @@ sys_mmap(struct proc *p, void *v, register_t *retval) if (size == 0) return (EINVAL); - if ((p->p_p->ps_flags & PS_TAMED) && - !(p->p_p->ps_tame & TAME_PROTEXEC) && + if ((p->p_p->ps_flags & PS_PLEDGE) && + !(p->p_p->ps_pledge & PLEDGE_PROTEXEC) && (prot & PROT_EXEC)) - return (tame_fail(p, EPERM, TAME_PROTEXEC)); + return (pledge_fail(p, EPERM, PLEDGE_PROTEXEC)); /* align file position and save offset. adjust size. */ ALIGN_ADDR(pos, size, pageoff); @@ -668,10 +668,10 @@ sys_mprotect(struct proc *p, void *v, register_t *retval) if ((prot & PROT_MASK) != prot) return (EINVAL); - if ((p->p_p->ps_flags & PS_TAMED) && - !(p->p_p->ps_tame & TAME_PROTEXEC) && + if ((p->p_p->ps_flags & PS_PLEDGE) && + !(p->p_p->ps_pledge & PLEDGE_PROTEXEC) && (prot & PROT_EXEC)) - return (tame_fail(p, EPERM, TAME_PROTEXEC)); + return (pledge_fail(p, EPERM, PLEDGE_PROTEXEC)); /* * align the address to a page boundary, and adjust the size accordingly