millert [Tue, 13 Oct 2015 12:25:04 +0000 (12:25 +0000)]
Sync printf family return value with ISO C which specifies that
these functions return a negative value on failure.
OK doug@ deraadt@
eric [Tue, 13 Oct 2015 11:32:47 +0000 (11:32 +0000)]
Add a helper for writing the message to simplify the code.
It also fixes the reported message length by taking prepended
headers into account and adds missing error checks there.
ok millert@ gilles@
gilles [Tue, 13 Oct 2015 11:03:30 +0000 (11:03 +0000)]
pledge() queue process
ok deraadt@
gilles [Tue, 13 Oct 2015 10:59:04 +0000 (10:59 +0000)]
pledge() control process
ok deraadt@
mpi [Tue, 13 Oct 2015 10:29:16 +0000 (10:29 +0000)]
Make use of rtisvalid(9) to check if local route entries match existing
configured addressses.
ok mikeb@
mpi [Tue, 13 Oct 2015 10:21:27 +0000 (10:21 +0000)]
Simplify arptfree() to no longer look at the route entry's refcounter.
ARP entries with an expired timeout are now removed from the tree even
if they are cached somehwere else. This also reduces differences with
NDP.
ok bluhm@
mpi [Tue, 13 Oct 2015 10:16:17 +0000 (10:16 +0000)]
Use rtisivalid(9) to check if the given (cached) route can be used.
Note that after calling rtalloc(9) we only check if a route has been
returned or not and do not check for its validity. This cannot be
improved without a massive refactoring.
The kernel currently *do* use !RTF_UP route due to a mismatch between
the value of ifp->if_link_state and the IFF_UP|IFF_RUNNING code.
I'd explain the RTF_UP flag as follow:
. If a cached route entry w/o RTF_UP is passed to ip{6,}_output(),
. call rtalloc(9) to see if a better entry is present in the tree.
This is enough to support MPATH and route cache invalidation.
ok bluhm@
mpi [Tue, 13 Oct 2015 09:59:37 +0000 (09:59 +0000)]
Make sure RTF_LOCAL route entries are UP when added to the tree.
This is required to maintain the original BSD behavior of locally
configured addresses being always reacheable.
Some interfaces are^w^W^Wem(4) is special and generally has a DOWN
link state when configured by netstart(8). As a result all the
route entries cloned/added before its link state goes to UP are also
marked as DOWN.
Note that this problem was not present when local addresses were
attached to lo0.
ok mikeb@
guenther [Tue, 13 Oct 2015 09:11:48 +0000 (09:11 +0000)]
Initialize va_filerev in vattr_null() to avoid leaking stack garbage;
problem pointed out by Martin Natano (natano (at) natano.net)
Also, stop chaining assignments (foo = bar = baz) in vattr_null().
The exact meaning of those depends on the order of the sizes-and-
signednesses of the lvalues, making them fragile: a statement here
mixed *six* types, but managed to get them in a safe order. Delete
a 20+ year old XXX comment that was almost certainly bemoaning a bug
from when they were in an unsafe order.
ok deraadt@ miod@
guenther [Tue, 13 Oct 2015 08:53:43 +0000 (08:53 +0000)]
ctype functions isxdigit() expect an unsigned char value; add missing casts
and adjust variable types to get correct behavior
ok beck@ millert@
guenther [Tue, 13 Oct 2015 08:49:51 +0000 (08:49 +0000)]
To alter just the atime of the mailspool, use utimensat()+UTIME_OMIT instead
of stat()+utimes(). Prefer clock_gettime() over gettimeofday() to avoid
timeval->timespec conversion
ok millert@
sunil [Tue, 13 Oct 2015 08:33:06 +0000 (08:33 +0000)]
Plug a leak.
Ok gilles@, reyk@
gilles [Tue, 13 Oct 2015 08:09:25 +0000 (08:09 +0000)]
pledge("stdio") the scheduler process
gilles [Tue, 13 Oct 2015 08:07:35 +0000 (08:07 +0000)]
pledge("stdio") the RSA-privsep process
gilles [Tue, 13 Oct 2015 08:06:22 +0000 (08:06 +0000)]
let the enqueuer pledge() in both online and offline modes
ok deraadt@
reyk [Tue, 13 Oct 2015 07:57:13 +0000 (07:57 +0000)]
Pass unsigned chars to ctype functions.
From Michael McConville
jmc [Tue, 13 Oct 2015 07:23:49 +0000 (07:23 +0000)]
new sentence, new line;
do not Xr self;
gilles [Tue, 13 Oct 2015 07:18:53 +0000 (07:18 +0000)]
offline queue is no longer user-writable, do not attempt resetting fchflags
it serves no purpose.
ok millert@, ok jung@, ok eric@
doug [Tue, 13 Oct 2015 07:10:38 +0000 (07:10 +0000)]
Pledge "stdio rpath" requests for nologin.
ok deraadt@
"reads ok" semarie@
doug [Tue, 13 Oct 2015 07:03:26 +0000 (07:03 +0000)]
Obvious pledge "stdio" for yes.
ok deraadt@
daniel [Tue, 13 Oct 2015 04:30:53 +0000 (04:30 +0000)]
revert previous. changes the behaviour of:
rm -f ""
guenther [Tue, 13 Oct 2015 04:29:50 +0000 (04:29 +0000)]
Add some newer DT_* and DF_* constants
ok kettenis@ miod@
bentley [Tue, 13 Oct 2015 02:17:46 +0000 (02:17 +0000)]
Tighten the ranges in wcrtomb(3).
By definition, the range of valid Unicode code points is the union of
U+0000..U+D7FF and U+E000..U+10FFFF (see Unicode 8.0.0, chapter 3.9).
In UTF-16, the encoded values that would represent U+D800..U+DFFF are
used for surrogate pairs. UTF-8 has no concept of surrogate pairs;
attempting to treat them as regular code points violates the standard
and makes no sense besides.
ok stsp@
djm [Tue, 13 Oct 2015 00:21:27 +0000 (00:21 +0000)]
free the correct IV length, don't assume it's always the cipher
blocksize; ok dtucker@
doug [Tue, 13 Oct 2015 00:03:42 +0000 (00:03 +0000)]
Pledge "fattr" request should allow fchflags().
"add it" deraadt@
deraadt [Mon, 12 Oct 2015 23:32:55 +0000 (23:32 +0000)]
satisfy jmc!
deraadt [Mon, 12 Oct 2015 23:16:23 +0000 (23:16 +0000)]
pledge "proc" request should allow setsid()
schwarze [Mon, 12 Oct 2015 22:41:18 +0000 (22:41 +0000)]
plegde(2) for apropos(1), help(1), man(1), mandoc(1), and whatis(1):
Always needed: stdio rpath (to open multiple files and for .so)
In addition after starting the pager: tmppath (to clean up the temp files)
In addition before starting the pager: proc exec
Looks good to deraadt@.
schwarze [Mon, 12 Oct 2015 22:30:27 +0000 (22:30 +0000)]
pledge(2) for makewhatis(8):
Always needed: stdio rpath.
In addition when writing to an existing db: wpath cpath fattr.
In addition when creating a new db: proc exec.
Based on work by and OK bentley@, "get moving" deraadt@.
gilles [Mon, 12 Oct 2015 22:29:49 +0000 (22:29 +0000)]
do not call sync() when committing a message, it's not helping in any way
deraadt [Mon, 12 Oct 2015 22:01:08 +0000 (22:01 +0000)]
surprisingly, this can pledge "stdio rpath exec" right at start. once
the config file is opened, it can pledge "stdio exec", and be on its
merry way to start the real MTA
deraadt [Mon, 12 Oct 2015 21:43:20 +0000 (21:43 +0000)]
Remove the "cmsg" attribute, as promised. Use "sendfd" or "recvfd",
depending on what you need. inet/inet6 cmsg's come through unmolested --
that is something to consider later.
deraadt [Mon, 12 Oct 2015 21:40:38 +0000 (21:40 +0000)]
Add details about a variety of semantics; going to keep adding and then
reevaluate the direction of this manual page a bit later.
millert [Mon, 12 Oct 2015 21:32:27 +0000 (21:32 +0000)]
Add missing checks for write errors; OK eric@
schwarze [Mon, 12 Oct 2015 21:25:36 +0000 (21:25 +0000)]
Delete an assignment that is unconditionally overwritten two lines later;
found by Svyatoslav Mishyn <juef at openmailbox dot org>
with the clang static analyzer.
schwarze [Mon, 12 Oct 2015 21:16:32 +0000 (21:16 +0000)]
Garbage collect an unused variable, no functional change;
found by Svyatoslav Mishyn <juef at openmailbox dot org> with cppcheck.
schwarze [Mon, 12 Oct 2015 21:09:08 +0000 (21:09 +0000)]
Check the right pointer against NULL;
fixing a pasto introduced in the previous commit;
found by Svyatoslav Mishyn <juef at openmailbox dot org> with cppcheck.
krw [Mon, 12 Oct 2015 20:52:20 +0000 (20:52 +0000)]
Check that the disk specified on the command line is the disk that
files are copied to. Error out with 'cross-device install' if not.
ok millert@, ok deraadt@ & jsing@ for previous version
gilles [Mon, 12 Oct 2015 20:16:31 +0000 (20:16 +0000)]
add Date header when a session iniated locally doesn't add one
ok millert@, ok eric@
deraadt [Mon, 12 Oct 2015 20:03:24 +0000 (20:03 +0000)]
these callers of ttyname() no longer need to pledge "tty"
naddy [Mon, 12 Oct 2015 19:56:47 +0000 (19:56 +0000)]
ttyname() no longer does ioctl TIOCGETA, so pledge("tty") is no longer
needed here. ok deraadt@
naddy [Mon, 12 Oct 2015 19:53:58 +0000 (19:53 +0000)]
When isatty() was switched to F_ISATTY, the inline copy in ttyname()
was forgotten. Just call isatty(). ok deraadt@
lum [Mon, 12 Oct 2015 19:08:39 +0000 (19:08 +0000)]
Maintain a list of files marked for deletion while refreshing a dired
buffer. Previously, when refreshing the buffer the files marked for
deletion would be lost.
Since the relationship between the files that have been marked for
deletion and those that exist on disk is volatile, I have chosen to
implement the discovery of marked files during the refresh function as
opposed to maintaining a dired buffer specific list.
deraadt [Mon, 12 Oct 2015 18:32:18 +0000 (18:32 +0000)]
deprecate & remove -W option; ok florian
ajacoutot [Mon, 12 Oct 2015 18:25:16 +0000 (18:25 +0000)]
Reverse the sm_error call in sm_trap.
pointed out by semarie@... I need some sleep :/
ajacoutot [Mon, 12 Oct 2015 18:13:59 +0000 (18:13 +0000)]
Only remove existing sum files on trap handlers.
req. by semarie@
millert [Mon, 12 Oct 2015 17:51:55 +0000 (17:51 +0000)]
Make it clear that umask ignores everything but the rwx bits.
OK deraadt@
schwarze [Mon, 12 Oct 2015 17:50:51 +0000 (17:50 +0000)]
Make wcrtomb() more readable by weeding out range errors up front,
doing ASCII handling once rather than twice, and using <= rather
than ((&~)==) obfuscation (which already caused a bug in the past).
No functional change.
Joint work with and OK stsp@ semarie@ bentley@
schwarze [Mon, 12 Oct 2015 17:20:53 +0000 (17:20 +0000)]
Parentheses are useless after "return", it's not a function.
There is no need to mop this up everywhere, but at least style(9)
should show modern rather than historic style.
OK millert@ tedu@
uebayasi [Mon, 12 Oct 2015 16:54:30 +0000 (16:54 +0000)]
Call pledge(2) after initial getsockname(2) to avoid "inet" addition.
From & OK deraadt@
deraadt [Mon, 12 Oct 2015 16:39:07 +0000 (16:39 +0000)]
ftp(1) was static for years, as a recovery seatbelt. These days
reliability has improved, and other repair methods are easier from
bsd.rd or whatnot. As a static binary ftp has limited ASLR, yet it has
7 libraries... Making it non-static means the ASLR picture improves.
Let's see who moans first.
ok miod daniel
deraadt [Mon, 12 Oct 2015 16:01:53 +0000 (16:01 +0000)]
kvm_mkdb & dev_mkdb are quite similar. pledge "stdio rpath wpath cpath"
except kvm_mkdb also does "getpw".
schwarze [Mon, 12 Oct 2015 15:59:26 +0000 (15:59 +0000)]
pledge wasn't called pledge in 5.8, and it was disabled;
issue noticed by tim@, solution suggested by deraadt@
deraadt [Mon, 12 Oct 2015 15:56:58 +0000 (15:56 +0000)]
pledge "stdio rpath wpath cpath"; all the path options are used
until the bitter end.
schwarze [Mon, 12 Oct 2015 15:27:53 +0000 (15:27 +0000)]
Use "-" rather than "\(hy" for the heads of .Bl -dash and -hyphen lists.
In UTF-8 output, that renders as ASCII HYPHEN-MINUS (U+002D)
rather than HYPHEN (U+2010), which looks better and matches groff.
In ASCII output, it makes no difference.
Suggested by naddy@.
deraadt [Mon, 12 Oct 2015 15:12:44 +0000 (15:12 +0000)]
Annotate an pretty obvious signal race... no time to fix it now.
tim [Mon, 12 Oct 2015 14:33:13 +0000 (14:33 +0000)]
Pledge "stdio wpath tty"; "awesome" deraadt@
deraadt [Mon, 12 Oct 2015 14:09:32 +0000 (14:09 +0000)]
in fuser mode with -k or -s mode, kill(2) might be called and
route lookups won't be needed; so expand the pledge setup to handle
3 codepaths.
from theo buehler
semarie [Mon, 12 Oct 2015 14:01:06 +0000 (14:01 +0000)]
reenable pledge(2) on pax, but only if pmode isn't in use or if action
shouldn't do things with filesystem.
ok deraadt@ millert@
deraadt [Mon, 12 Oct 2015 13:53:40 +0000 (13:53 +0000)]
These no longer need to be static. The ramdisk's no longer reach-around
and use the one in the base install, but have their own copy.
ok millert sthen miod daniel
dlg [Mon, 12 Oct 2015 13:17:58 +0000 (13:17 +0000)]
the pattr argument to IFQ_ENQUEUE is unused, so let's get rid of it.
also the comment above IFQ_ENQUEUE that says the pattr argument is unused.
ok mpi@
stsp [Mon, 12 Oct 2015 13:01:50 +0000 (13:01 +0000)]
Fix a copy-pasto: Check the correct bit for STBC beacon in HT OP element.
ok sthen@
jmc [Mon, 12 Oct 2015 12:34:42 +0000 (12:34 +0000)]
indent the builtin text a little, for naddy;
semarie [Mon, 12 Oct 2015 12:17:36 +0000 (12:17 +0000)]
two leftovers string missed in tame->pledge conversion
ok jsg@
mpi [Mon, 12 Oct 2015 11:32:39 +0000 (11:32 +0000)]
Unify link state change notification.
ok mikeb@
dlg [Mon, 12 Oct 2015 10:51:49 +0000 (10:51 +0000)]
dont need to do suser checks in ioctl paths cos if.c does them for us.
ok mikeb@ mpi@
dlg [Mon, 12 Oct 2015 10:49:40 +0000 (10:49 +0000)]
protect SIOCSLIFPHYTTL, SIOCSVNETID so only root can call them, and
return EPNOTSUPP for SIOCGLIFPHYTTL and SIOCGVNETID. all so drivers
dont have to do these checks themselves.
ok mikeb@ mpi@
sthen [Mon, 12 Oct 2015 10:27:22 +0000 (10:27 +0000)]
fix case of PACkAGE_REPOSITORY; remco at dpub nl
^
reyk [Mon, 12 Oct 2015 10:03:25 +0000 (10:03 +0000)]
Introduce bridge_ifinput() to handle some repeated logic before
if_input() and to have a counterpart for bridge_ifenqueue() that helps
to understand the traffic/code flow in bridge better. The bridge
currently only puts a single packet on the input mbuf list, and
changing will need to undo part of this commit, but it still makes
sense to have a well-defined call for the ports receive path.
No functional change.
OK mpi@
stsp [Mon, 12 Oct 2015 10:01:27 +0000 (10:01 +0000)]
Always initialise the index into iwm's tx queue array, fixing a
potential crash. This must have somehow been working by magic.
Fruther cleanup of QoS support in this driver is very much needed.
ok mpi@
semarie [Mon, 12 Oct 2015 09:28:54 +0000 (09:28 +0000)]
Revert the pledge() call on pax/ar_io.c for now.
A pledged program is not allowed to change user/group for others.
"I think that makes the most sense" @sthen
deraadt [Mon, 12 Oct 2015 07:58:19 +0000 (07:58 +0000)]
do not umask() [with the wrong umask] around mkstemp() calls, no matter
how broken other systems are.
ok guenther gilles
lum [Mon, 12 Oct 2015 07:55:52 +0000 (07:55 +0000)]
Correctly mark-up some recent additions. ok jmc@
deraadt [Mon, 12 Oct 2015 07:45:48 +0000 (07:45 +0000)]
pledge "stdio" after opening files, code is very similar to mkuboot
reyk [Mon, 12 Oct 2015 06:50:08 +0000 (06:50 +0000)]
Move execution of the constraints from the ntp to the parent process.
This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent. The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@
jmc [Mon, 12 Oct 2015 06:33:21 +0000 (06:33 +0000)]
Gahamas -> Bahamas;
from pgoyette (netbsd -r1.26)
deraadt [Mon, 12 Oct 2015 06:24:28 +0000 (06:24 +0000)]
pledge "stdio" after opening up the input & output files.
ok jsg
guenther [Mon, 12 Oct 2015 06:05:52 +0000 (06:05 +0000)]
unifdef EVP_CHECK_DES_KEY: Ben Kaduk noticed it has a syntax error; that
error was present in the original 2004 commit, so it hasn't been used in
over 11 years, thus exceeding our deprecation requirements by over a decade.
OpenSSL has chosen to *fix it*; we'll gladly watch it burn
ok jsing@
deraadt [Mon, 12 Oct 2015 06:00:57 +0000 (06:00 +0000)]
same thing as biff, pledge "stdio rpath fattr tty"
deraadt [Mon, 12 Oct 2015 05:59:43 +0000 (05:59 +0000)]
biff pledges to only do "stdio rpath fattr tty". (very small program..
the actual order of use is tty, rpath, stdio or fattr)
deraadt [Mon, 12 Oct 2015 05:54:18 +0000 (05:54 +0000)]
fstat() of opened fd, rather than stat(), to avoid TOCTOU
ok jsg
deraadt [Mon, 12 Oct 2015 05:05:24 +0000 (05:05 +0000)]
preservation modes can adjust setugid bits, so no pledge is possible.
Otherwise, lay the groundwork for whether a gzip program may be run or not.
After such a gzip program is started, pledge the program will not exec
again. Took a few iterations to get this going... it is looking good.
with guenther.
deraadt [Mon, 12 Oct 2015 04:43:30 +0000 (04:43 +0000)]
does not need ioctl.h
semarie [Mon, 12 Oct 2015 04:02:57 +0000 (04:02 +0000)]
with the RPATH enforcement, acpidump(1) don't work anymore...
it needs rpath for reading /dev/mem (at least):
kvm_openfiles(NULL, NULL, NULL, O_RDONLY, NULL)
ok doug@
fix the regression deraadt@
deraadt [Mon, 12 Oct 2015 02:02:00 +0000 (02:02 +0000)]
pledge to only use "stdio rpath"; rpath is for readig the wtmp files.
ok doug
deraadt [Mon, 12 Oct 2015 02:01:15 +0000 (02:01 +0000)]
tunefs can pledge to only use "stdio", after it has opened the device.
ok doug
deraadt [Mon, 12 Oct 2015 01:43:52 +0000 (01:43 +0000)]
pledge "stdio" right after opening the device. The remainder is
is just read, write, fsync, and close.
ok doug
deraadt [Mon, 12 Oct 2015 01:40:09 +0000 (01:40 +0000)]
pledge() "stdio" includes trusting open&read of the root-owned timezone
databases located at system paths (a reasonable bar had to be chosen; in
the future we can replace the interfaces, since this effort is identifying
them and placing their paths in a visble place), so this program only
needs "stdio"
ok doug
schwarze [Mon, 12 Oct 2015 01:17:08 +0000 (01:17 +0000)]
make description of ERRORS more complete;
diff from Benny Lofgren <bl dash lists at lofgren dot biz>;
ok nicm@
schwarze [Mon, 12 Oct 2015 00:49:34 +0000 (00:49 +0000)]
remove useless quoting from .Fo arguments; forgotten diff found in my tree
schwarze [Mon, 12 Oct 2015 00:32:37 +0000 (00:32 +0000)]
Clear dform and dsec when exiting a first-level directory in treescan().
Fixes a segfault reported by bentley@.
While here, do some style cleanup in the same function.
schwarze [Mon, 12 Oct 2015 00:14:41 +0000 (00:14 +0000)]
Fix an obvious bug found during the /* FALLTHROUGH */ cleanup:
ASCII_NBRSP has to be rendered as " ", not "-".
schwarze [Mon, 12 Oct 2015 00:07:27 +0000 (00:07 +0000)]
To make the code more readable, delete 283 /* FALLTHROUGH */ comments
that were right between two adjacent case statement. Keep only
those 24 where the first case actually executes some code before
falling through to the next case.
bluhm [Sun, 11 Oct 2015 23:51:26 +0000 (23:51 +0000)]
Pass unsigned char to isdigit(3).
From Michael McConville; OK guenther@
deraadt [Sun, 11 Oct 2015 23:29:56 +0000 (23:29 +0000)]
fix regression: ttyname() failure not handled right
deraadt [Sun, 11 Oct 2015 23:13:02 +0000 (23:13 +0000)]
pledge_ioctl_check() will do the killing if neccessary; if it returns,
that is an errno to pass up to the calling system call instead. test
case is "who < /dev/null", via ttyname().
espie [Sun, 11 Oct 2015 23:01:32 +0000 (23:01 +0000)]
now that tsort has a clean structure, do more specific pledge() calls.
okay deraadt@
schwarze [Sun, 11 Oct 2015 21:59:48 +0000 (21:59 +0000)]
Drop tags containing a blank character:
They don't work, they break other tags in weird ways, and even
if they could be made to work, they would be mostly useless.
Issue reported by naddy@, thanks.
schwarze [Sun, 11 Oct 2015 21:30:02 +0000 (21:30 +0000)]
Do not insert whitespace into syntax displays, it's just confusing,
except at the one place where it is indeed helpful.
Add some missing .Cm macros.
Remove some useless escaping, one needless .Xo, and an empty .No.
Triggered by a much smaller patch from guenther@.
OK jmc@ guenther@
schwarze [Sun, 11 Oct 2015 21:23:24 +0000 (21:23 +0000)]
Fix empty .No macros, use .Pf to prefix delimiters to macros.
Based on a patch from guenther@, tweaked by me.
OK jmc@ guenther@