From: deraadt Date: Sat, 10 Oct 2015 00:10:07 +0000 (+0000) Subject: ksh can run with pledge "stdio rpath wpath cpath getpw fattr proc exec tty" X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f42d00b36b30fd4f1f3d103a13b7ddb9c1e4e545;p=openbsd ksh can run with pledge "stdio rpath wpath cpath getpw fattr proc exec tty" if the mknod builtin is disabled. It looks like a lot of abilities, but hey, this is a shell. can't open sockets or do other nasty stuff though. (we'll leave the mknod builtin enabled on the install media for now; there is work happening to regain the MAKEDEV performance in a different way) discussions with otto & millert in particular --- diff --git a/bin/ksh/Makefile b/bin/ksh/Makefile index 2c484896928..a5a2fc2b825 100644 --- a/bin/ksh/Makefile +++ b/bin/ksh/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.29 2013/12/02 20:41:01 millert Exp $ +# $OpenBSD: Makefile,v 1.30 2015/10/10 00:10:07 deraadt Exp $ PROG= ksh SRCS= alloc.c c_ksh.c c_sh.c c_test.c c_ulimit.c edit.c emacs.c eval.c \ @@ -6,6 +6,7 @@ SRCS= alloc.c c_ksh.c c_sh.c c_test.c c_ulimit.c edit.c emacs.c eval.c \ misc.c path.c shf.c syn.c table.c trap.c tree.c tty.c var.c \ version.c vi.c +# -DMKNOD - enable builtin mknod; conficts with pledge(2) DEFS= -Wall CFLAGS+=${DEFS} -I. -I${.CURDIR} -I${.CURDIR}/../../lib/libc/gen MAN= ksh.1 sh.1 diff --git a/bin/ksh/c_sh.c b/bin/ksh/c_sh.c index 18f99c898b6..25ce11696b9 100644 --- a/bin/ksh/c_sh.c +++ b/bin/ksh/c_sh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: c_sh.c,v 1.49 2015/09/18 07:28:24 nicm Exp $ */ +/* $OpenBSD: c_sh.c,v 1.50 2015/10/10 00:10:07 deraadt Exp $ */ /* * built-in Bourne commands @@ -817,6 +817,7 @@ c_exec(char **wp) return 0; } +#ifdef MKNOD static int c_mknod(char **wp) { @@ -870,6 +871,7 @@ usage: bi_errorf("usage: mknod [-m mode] name p"); return 1; } +#endif /* MKNOD */ static int c_suspend(char **wp) @@ -929,7 +931,9 @@ const struct builtin shbuiltins [] = { {"ulimit", c_ulimit}, {"+umask", c_umask}, {"*=unset", c_unset}, +#ifdef MKNOD {"mknod", c_mknod}, +#endif {"suspend", c_suspend}, {NULL, NULL} }; diff --git a/bin/ksh/main.c b/bin/ksh/main.c index 63ec3324c67..c6bfd305820 100644 --- a/bin/ksh/main.c +++ b/bin/ksh/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.60 2015/09/18 07:28:24 nicm Exp $ */ +/* $OpenBSD: main.c,v 1.61 2015/10/10 00:10:07 deraadt Exp $ */ /* * startup, main loop, environments and error handling @@ -102,6 +102,11 @@ main(int argc, char *argv[]) kshname = argv[0]; +#ifndef MKNOD + if (pledge("stdio rpath wpath cpath getpw fattr proc exec tty", NULL) == -1) + perror("pledge"); +#endif + ainit(&aperm); /* initialize permanent Area */ /* set up base environment */ diff --git a/distrib/special/ksh/Makefile b/distrib/special/ksh/Makefile index 9e286592811..00cd33dc112 100644 --- a/distrib/special/ksh/Makefile +++ b/distrib/special/ksh/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.1 2014/12/23 17:16:02 deraadt Exp $ +# $OpenBSD: Makefile,v 1.2 2015/10/10 00:10:07 deraadt Exp $ PROG= ksh SRCS= alloc.c c_ksh.c c_sh.c c_test.c c_ulimit.c edit.c emacs.c eval.c \ @@ -6,7 +6,7 @@ SRCS= alloc.c c_ksh.c c_sh.c c_test.c c_ulimit.c edit.c emacs.c eval.c \ misc.c path.c shf.c syn.c table.c trap.c tree.c tty.c var.c \ version.c vi.c -DEFS= -Wall +DEFS= -Wall -DMKNOD CFLAGS+=${DEFS} -I. -I${.CURDIR}/../../../bin/ksh -I${.CURDIR}/../../../lib/libc/gen MAN= ksh.1 sh.1