openbsd
9 years agoNUMBOOT is dead! Nuke the variables and abstractions that were used
krw [Sat, 17 Oct 2015 13:27:08 +0000 (13:27 +0000)]
NUMBOOT is dead! Nuke the variables and abstractions that were used
to build boot blocks.

ok miod@

9 years agoImplement -w maxwait now that the -w flag is free in ping6. Same
florian [Sat, 17 Oct 2015 13:08:14 +0000 (13:08 +0000)]
Implement -w maxwait now that the -w flag is free in ping6. Same
behaviour as ping(8).

9 years agoDo no accept fds on the control socket; including the restricted socket.
reyk [Sat, 17 Oct 2015 13:07:07 +0000 (13:07 +0000)]
Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@

9 years agomove -V option before -v and remove one spurious newline, now in sync
florian [Sat, 17 Oct 2015 13:07:02 +0000 (13:07 +0000)]
move -V option before -v and remove one spurious newline, now in sync
with ping.
No object change.

9 years agoKNF
gilles [Sat, 17 Oct 2015 13:06:03 +0000 (13:06 +0000)]
KNF

9 years agoour strip() function should use isspace()
gilles [Sat, 17 Oct 2015 12:59:52 +0000 (12:59 +0000)]
our strip() function should use isspace()

ok jung@, ok millert@

9 years agoRemove left over -N and -w. Adapt wording for the link local example.
florian [Sat, 17 Oct 2015 12:38:29 +0000 (12:38 +0000)]
Remove left over -N and -w. Adapt wording for the link local example.
Pointed out by, input & OK jmc

9 years agoTighten up snmpd's control socket: do not allow users to terminate the
reyk [Sat, 17 Oct 2015 10:20:33 +0000 (10:20 +0000)]
Tighten up snmpd's control socket: do not allow users to terminate the
daemon by sending corrupted imsgs to snmpd.  This is especially
important for the optional world-writeable restricted socket that is
used for AgentX.  In particular, don't fatal() in the daemon when imsg
size checks on control messages fail, do stricter validation of
expected messages (even assert zero-length imsgs), don't continue and
close the control socket on suspicious input, print a debug log
message on error.

OK gilles@ "the rationale behind it is quite clear"

9 years agoCleanup a bit.
rpe [Sat, 17 Oct 2015 08:47:24 +0000 (08:47 +0000)]
Cleanup a bit.

OK krw@ halex@

9 years agoadd "tty" for several subcommands of openssl
semarie [Sat, 17 Oct 2015 07:51:10 +0000 (07:51 +0000)]
add "tty" for several subcommands of openssl

it is needed in order to let libssl UI_* function plays with echo on/off when
asking for password on terminal.

passwd subcommand needs additionnal "wpath cpath" in order to let it calls
fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).

problem reported by several
with and ok doug@

9 years agoThe file(1) magic-parsing process was using pledge "stdio getpw proc recvfd"
deraadt [Sat, 17 Oct 2015 04:41:37 +0000 (04:41 +0000)]
The file(1) magic-parsing process was using pledge "stdio getpw proc recvfd"
early on, then a set of getpwnam/setresuid/... before quickly dropping to
"stdio recvfd".  It receives fd's and runs the magic code on them in a
chroot'd "stdio" jail.  We can do better than that.

Before the recent change, "proc" contained both the concepts of "forking"
and "setuid".  "id" is now split out as a seperate request, and it is
exactly what this process needs momentarily.  So this loses another window
of opportunity, in case we have a major bug in .... hmm, it'd have to be
in getpwnam....

ok tedu doug semarie gilles

9 years agosmtpd starts rather robustly with a gigantic pledge request group (keep
deraadt [Sat, 17 Oct 2015 04:36:10 +0000 (04:36 +0000)]
smtpd starts rather robustly with a gigantic pledge request group (keep
in mind that a gigantic group is already < ~50% of POSIX).  It then
grinds these down bit by bit as it sets up privsep for the various
processes.  At startup, smtpd will need the new "id" request as well.
ok gilles tedu

9 years agoAdd pledge "id" support. This request permits setuid/seteuid/setresuid,
deraadt [Sat, 17 Oct 2015 04:31:07 +0000 (04:31 +0000)]
Add pledge "id" support.  This request permits setuid/seteuid/setresuid,
setgid/setegid/setresgid, setgroups, setlogin, and setpriority.

setrlimit and getpriority are also allowed (they are also in "proc")

some of these were previously permitted in "proc" but have been removed.
this seperation is intentional.  "proc" is intended for reasoning about
the relationship of a process "with other processes", whereas "id" deals
the powerful/dangerous concept of unix ids.  "id" will see some action
very soon.

ok gilles tedu semarie doug

9 years agoroute6d pledges to use only "stdio rpath wpath cpath inet route mcast"
jca [Sat, 17 Oct 2015 01:01:09 +0000 (01:01 +0000)]
route6d pledges to use only "stdio rpath wpath cpath inet route mcast"

ok deraadt@

9 years agoAllow a few 'get' ioctls for pledge("route"). route6d will soon use this.
jca [Sat, 17 Oct 2015 00:58:50 +0000 (00:58 +0000)]
Allow a few 'get' ioctls for pledge("route").  route6d will soon use this.

ok deraadt@

9 years agodon't need fcntl for non blocking socket, just ask for it upfront
tedu [Sat, 17 Oct 2015 00:38:57 +0000 (00:38 +0000)]
don't need fcntl for non blocking socket, just ask for it upfront

9 years agoVery tricky diff to fix macro interpretation and spacing around tabs
schwarze [Sat, 17 Oct 2015 00:19:58 +0000 (00:19 +0000)]
Very tricky diff to fix macro interpretation and spacing around tabs
in .Bl -column; it took me more than a day to get this right.
Triggered by a loosely related bug report from tim@.

The lesson for you is:  Use .Ta macros in .Bl -column, avoid tabs,
or you are in for surprises:  The last word before a tab is not
interpreted as a macro (unless there is a blank in between), the
first word after a tab isn't either (unless there is a blank in
between), and a blank after a tab causes a leading blank in the
respective output cell.  Yes, "blank", "tab", "blank tab" and "tab
blank" all have different semantics; if you write code relying on
that, good luck maintaining it afterwards...

9 years agoChange x_do_ins()'s arg type from int to size_t for correctness's sake,
mmcc [Fri, 16 Oct 2015 23:18:59 +0000 (23:18 +0000)]
Change x_do_ins()'s arg type from int to size_t for correctness's sake,
and to silence a compiler warning. Also remove its prototype, which is
directly above its definition.

ok tedu@

9 years agoMove the overflow check to alloc() so that the link struct overhead can
mmcc [Fri, 16 Oct 2015 23:13:35 +0000 (23:13 +0000)]
Move the overflow check to alloc() so that the link struct overhead can
never bite us.

Suggested by Theo Buehler, inspired by Bitrig's natano@.

ok tedu@

9 years agouse daemon(), jca had the same diff in his tree
deraadt [Fri, 16 Oct 2015 23:09:53 +0000 (23:09 +0000)]
use daemon(), jca had the same diff in his tree

9 years agoAlso allow 6 as a miblen for NET_RT_DUMP, not all users specify a rtable.
jca [Fri, 16 Oct 2015 23:00:01 +0000 (23:00 +0000)]
Also allow 6 as a miblen for NET_RT_DUMP, not all users specify a rtable.

ok deraadt@

9 years agopledge "stdio rpath wpath cpath getpw fattr flock"
deraadt [Fri, 16 Oct 2015 22:54:35 +0000 (22:54 +0000)]
pledge "stdio rpath wpath cpath getpw fattr flock"

9 years agopledge "stdio rpath wpath cpath fattr proc exec"
deraadt [Fri, 16 Oct 2015 22:54:15 +0000 (22:54 +0000)]
pledge "stdio rpath wpath cpath fattr proc exec"

9 years agopledge "stdio rpath wpath cpath proc exec".
deraadt [Fri, 16 Oct 2015 22:53:32 +0000 (22:53 +0000)]
pledge "stdio rpath wpath cpath proc exec".

9 years agoRemove RFC 4620 support. The RFC is experimental and this code plain
florian [Fri, 16 Oct 2015 22:47:12 +0000 (22:47 +0000)]
Remove RFC 4620 support. The RFC is experimental and this code plain
needs killing before the installed user base excedes 6. Minus 745 LOC.
This is getting in the way of a merge since it has it's tentacles all
over the place.
OK jca@, deraadt@

9 years agoincrease the minimum modulus that we will send or accept in
djm [Fri, 16 Oct 2015 22:32:22 +0000 (22:32 +0000)]
increase the minimum modulus that we will send or accept in
diffie-hellman-group-exchange to 2048 bits; ok markus@

9 years agoHoist clearing of FIOASYNC to much earlier, then getty can use
deraadt [Fri, 16 Oct 2015 22:25:50 +0000 (22:25 +0000)]
Hoist clearing of FIOASYNC to much earlier, then getty can use
pledge "stdio rpath fattr proc exec tty".

9 years agoOnce apropos(1) or man(1) are done with database access, or if the
schwarze [Fri, 16 Oct 2015 21:35:16 +0000 (21:35 +0000)]
Once apropos(1) or man(1) are done with database access, or if the
program was called as mandoc(1) in the first place, remove "flock"
from our pledge(2) before entering the parsers and formatters.
OK millert@ deraadt@

9 years agoUse SSL_get_version() not SSL_get_cipher_version(); the former gives the TLS
sthen [Fri, 16 Oct 2015 21:13:33 +0000 (21:13 +0000)]
Use SSL_get_version() not SSL_get_cipher_version(); the former gives the TLS
version used for the connection, the latter gives "the SSL/TLS protocol version
that first defined the cipher". Fixes "TLS version=TLSv1/SSLv3" in received/log
lines.

ok millert@ "I was going to commit this today, so yes definitely" ok gilles@

9 years agoadd flock to pledge request, needed by delivery_filename
gilles [Fri, 16 Oct 2015 20:54:55 +0000 (20:54 +0000)]
add flock to pledge request, needed by delivery_filename

ok millert@

9 years agoUnbreak route6d.
jca [Fri, 16 Oct 2015 20:43:27 +0000 (20:43 +0000)]
Unbreak route6d.

Instead of breaking sendmsg(2) by adding unneeded space to its cmsg
item, add space to the cmsg used by recvmsg(2), where it will be used
to get the incoming packet hop limit.

Reported by several over the last years, and more recently by 'bsdsx',
who tested it against NetBSD route6d.  Also works against Quagga ripng.

ok deraadt@ sthen@

9 years agosave some file descriptors. instead of a pipe, use kevent to watch parent
tedu [Fri, 16 Oct 2015 20:25:09 +0000 (20:25 +0000)]
save some file descriptors. instead of a pipe, use kevent to watch parent

9 years agonaddy would like the child to exit when the parent dies.
tedu [Fri, 16 Oct 2015 20:12:06 +0000 (20:12 +0000)]
naddy would like the child to exit when the parent dies.
hook up a pipe between them and watch for eof in the child.

9 years agoMissing local.
ajacoutot [Fri, 16 Oct 2015 20:12:00 +0000 (20:12 +0000)]
Missing local.

ok schwarze@

9 years agoNo longer talk about -b flag, it's gone.
florian [Fri, 16 Oct 2015 20:11:59 +0000 (20:11 +0000)]
No longer talk about -b flag, it's gone.

9 years agoDrop usage of TMPDIR.
ajacoutot [Fri, 16 Oct 2015 19:55:39 +0000 (19:55 +0000)]
Drop usage of TMPDIR.
While here, stop refering to /tmp/sysmerge.XXXXXXXXXX, that's a script
internal we don't need to know about.

9 years agosync
deraadt [Fri, 16 Oct 2015 19:33:15 +0000 (19:33 +0000)]
sync

9 years agotest mixing of tabs with Ta
schwarze [Fri, 16 Oct 2015 19:21:05 +0000 (19:21 +0000)]
test mixing of tabs with Ta

9 years agoMake sched_barrier() use its own task queue to avoid deadlocks.
mpi [Fri, 16 Oct 2015 19:07:24 +0000 (19:07 +0000)]
Make sched_barrier() use its own task queue to avoid deadlocks.

Prevent a deadlock from occuring when intr_barrier() is called from
a non-primary CPU in the watchdog task, also enqueued on ``systq''.

ok kettenis@

9 years agolife is simpler if all requests go in the fifo, and then just remove them
tedu [Fri, 16 Oct 2015 18:47:52 +0000 (18:47 +0000)]
life is simpler if all requests go in the fifo, and then just remove them
in the error case instead of duplicating code.

9 years agobetter handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname
djm [Fri, 16 Oct 2015 18:40:49 +0000 (18:40 +0000)]
better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname
canonicalisation - treat them as already canonical and remove the
trailing '.' before matching ssh_config; ok markus@

9 years agoderaadt tells me i'm supposed to check if connect() actually worked.
tedu [Fri, 16 Oct 2015 18:38:53 +0000 (18:38 +0000)]
deraadt tells me i'm supposed to check if connect() actually worked.

9 years agotwo phase handling for tcp so that slow connects don't stall the process
tedu [Fri, 16 Oct 2015 18:29:05 +0000 (18:29 +0000)]
two phase handling for tcp so that slow connects don't stall the process

9 years agoCast isspace() argument to unsigned char.
mmcc [Fri, 16 Oct 2015 18:21:43 +0000 (18:21 +0000)]
Cast isspace() argument to unsigned char.

ok jca@

9 years agoMove -t and -w functionality to -a. Both flags are in the way for a
florian [Fri, 16 Oct 2015 18:17:12 +0000 (18:17 +0000)]
Move -t and -w functionality to -a. Both flags are in the way for a
merge with ping(8). Let's see if we can shove every weird and special v6
functionality into -a.
suggested by and OK sthen@

9 years agoModernize allocation by:
mmcc [Fri, 16 Oct 2015 17:56:07 +0000 (17:56 +0000)]
Modernize allocation by:

 * removing unneeded casts of void* return values
 * replacing varied and creative error messages with the allocation
   function's name
 * replacing errx() with err() so that the errno string is reported

ok beck@, jung@, millert@

9 years agoCast iscntrl()'s arg to unsigned char.
mmcc [Fri, 16 Oct 2015 17:14:04 +0000 (17:14 +0000)]
Cast iscntrl()'s arg to unsigned char.

ok nicm@

9 years ago0 -> NULL when comparing with a char*.
mmcc [Fri, 16 Oct 2015 17:07:24 +0000 (17:07 +0000)]
0 -> NULL when comparing with a char*.

ok dtucker@, djm@.

9 years agoRepair the pty check for kernels without pty support.
deraadt [Fri, 16 Oct 2015 17:03:31 +0000 (17:03 +0000)]
Repair the pty check for kernels without pty support.

9 years agoCheck file sizes only for regular files. The current code breaks savecore
tobias [Fri, 16 Oct 2015 16:54:38 +0000 (16:54 +0000)]
Check file sizes only for regular files. The current code breaks savecore
due to its kvm handling.

ok deraadt

9 years agoPledge the syslogd privsep process with "stdio rpath wpath cpath
bluhm [Fri, 16 Oct 2015 16:10:10 +0000 (16:10 +0000)]
Pledge the syslogd privsep process with "stdio rpath wpath cpath
inet dns getpw sendfd proc exec".
OK deraadt@

9 years agoThe hosts.lpd examples file does not contain a single example.
schwarze [Fri, 16 Oct 2015 15:54:55 +0000 (15:54 +0000)]
The hosts.lpd examples file does not contain a single example.
The file format is so simple that no example is needed.
All relevant documentation is already available
from the proper place, which is the lpd(8) manual.
Consequently, delete the empty file.
OK millert@ dcoppa@ beck@ deraadt@

9 years agoAllow PTMGET with "tty rpath wpath" but restrict only to /dev/ptm by
nicm [Fri, 16 Oct 2015 15:39:14 +0000 (15:39 +0000)]
Allow PTMGET with "tty rpath wpath" but restrict only to /dev/ptm by
checking cdevsw. ok deraadt

9 years agosave request length in cache. naddy noticed we weren't getting any hits.
tedu [Fri, 16 Oct 2015 15:35:05 +0000 (15:35 +0000)]
save request length in cache. naddy noticed we weren't getting any hits.

9 years agoRemove pointless externs - the structs are declared in the same files a
jsing [Fri, 16 Oct 2015 15:15:39 +0000 (15:15 +0000)]
Remove pointless externs - the structs are declared in the same files a
few lines above.

9 years agoExpand DECLARE_ASN1_ALLOC_FUNCTIONS and DECLARE_ASN1_FUNCTIONS_const
jsing [Fri, 16 Oct 2015 15:12:30 +0000 (15:12 +0000)]
Expand DECLARE_ASN1_ALLOC_FUNCTIONS and DECLARE_ASN1_FUNCTIONS_const
macros. The only change in the generated assembly is due to line numbering.

9 years agoRemove pointless uses of DECLARE_ASN1_ENCODE_FUNCTIONS_const.
jsing [Fri, 16 Oct 2015 15:09:28 +0000 (15:09 +0000)]
Remove pointless uses of DECLARE_ASN1_ENCODE_FUNCTIONS_const.

DECLARE_ASN1_FUNCTIONS_const already includes this macro so using both
means we end up with duplicate function prototypes and externs.

9 years agowrap a long line
deraadt [Fri, 16 Oct 2015 14:45:16 +0000 (14:45 +0000)]
wrap a long line

9 years agoFix use of pointer value after BIO_free, and remove senseless NULL checks.
beck [Fri, 16 Oct 2015 14:23:22 +0000 (14:23 +0000)]
Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@

9 years agoAlways allow a r/w opening of /dev/null though the namei check. This
deraadt [Fri, 16 Oct 2015 14:20:48 +0000 (14:20 +0000)]
Always allow a r/w opening of /dev/null though the namei check.  This
pattern is common, especially because of daemon(3) usage.  Will probably
help some daemons move their pledge() calls further upwards.
ok doug,

9 years agougly white space
deraadt [Fri, 16 Oct 2015 14:13:52 +0000 (14:13 +0000)]
ugly white space

9 years agodelete pledge_bind_check() function and remove pledge_bind_check() call from sys_bind().
semarie [Fri, 16 Oct 2015 14:04:11 +0000 (14:04 +0000)]
delete pledge_bind_check() function and remove pledge_bind_check() call from sys_bind().

bind(2) still require PLEDGE_INET or PLEDGE_UNIX in order to be called, due to
SYS_bind entry in pledge_syscalls array. The diff restores also the ability for
PLEDGE_UNIX to call bind(2) (pledge_bind_check function missed that).

problem spotted by doug@
OK deraadt@

9 years agoPlace TIOCSTI reminder block better
deraadt [Fri, 16 Oct 2015 14:00:37 +0000 (14:00 +0000)]
Place TIOCSTI reminder block better

9 years agoFor "tty" pledges, treat TIOCGPGRP and TIOCGWINSZ like TIOCGETA -
deraadt [Fri, 16 Oct 2015 13:59:58 +0000 (13:59 +0000)]
For "tty" pledges, treat TIOCGPGRP and TIOCGWINSZ like TIOCGETA -
returning ENOTTY instead of killing the process.

9 years agoMerge nlist out of boundary access fix with other nlist implementations.
tobias [Fri, 16 Oct 2015 13:54:45 +0000 (13:54 +0000)]
Merge nlist out of boundary access fix with other nlist implementations.
While at it, merge style and typo fixes back into nlist(3), too.

ok deraadt, jsing, millert

9 years agoPut tls_config_verify_client_optional() in the right place.
jsing [Fri, 16 Oct 2015 13:49:53 +0000 (13:49 +0000)]
Put tls_config_verify_client_optional() in the right place.

9 years agoFix tpyo.
jsing [Fri, 16 Oct 2015 13:48:44 +0000 (13:48 +0000)]
Fix tpyo.

9 years agoImplement real "flock" request and add it to userland programs that
millert [Fri, 16 Oct 2015 13:37:43 +0000 (13:37 +0000)]
Implement real "flock" request and add it to userland programs that
use pledge and file locking.  OK deraadt@

9 years agoactually include the prerequisite dependency for BIO instead of doing nastyness
beck [Fri, 16 Oct 2015 12:41:29 +0000 (12:41 +0000)]
actually include the prerequisite dependency for BIO instead of doing nastyness

9 years agoIf a DOWN route entry is passed to a L2 output function, be dumb and
mpi [Fri, 16 Oct 2015 12:36:02 +0000 (12:36 +0000)]
If a DOWN route entry is passed to a L2 output function, be dumb and
simply use it.

In most of the cases doing a route lookup at this point is a noop as
it will return you the same DOWN entry you already have.

The exception is the case where the route has been removed from tree
since your kernel looked for it.  So what?  It's just a blue packet.

Note that this "exception" can only happen if your sending path does
not run under the KERNEL_LOCK.

ok mikeb@

9 years agoPut some iwm(4) debug code into #ifdef IWM_DEBUG.
stsp [Fri, 16 Oct 2015 12:17:58 +0000 (12:17 +0000)]
Put some iwm(4) debug code into #ifdef IWM_DEBUG.
ok mpi@

9 years agoClean up iwm(4) scanning logic a bit: Reset sc_scanband in callers of
stsp [Fri, 16 Oct 2015 12:17:38 +0000 (12:17 +0000)]
Clean up iwm(4) scanning logic a bit: Reset sc_scanband in callers of
iwm_mvm_scan_request() and always call ieee80211_end_scan() when done.
ok mpi@

9 years agoOops, committed old version of previous diff with a typo in it: NLL -> NULL
stsp [Fri, 16 Oct 2015 10:29:55 +0000 (10:29 +0000)]
Oops, committed old version of previous diff with a typo in it: NLL -> NULL

9 years agoIn iwm(4), correctly size and map the mbuf used for large firmware commands.
stsp [Fri, 16 Oct 2015 10:04:56 +0000 (10:04 +0000)]
In iwm(4), correctly size and map the mbuf used for large firmware commands.
Fixes occasional firmware errors while bringing the interface up or scanning.
ok phessler@

9 years agoDon't free after calling paste_set but do after evbuffer_add, from Theo
nicm [Fri, 16 Oct 2015 07:43:29 +0000 (07:43 +0000)]
Don't free after calling paste_set but do after evbuffer_add, from Theo
Buehler.

9 years agoValidate parsed ELF values to prevent out of boundary accesses.
tobias [Fri, 16 Oct 2015 07:40:12 +0000 (07:40 +0000)]
Validate parsed ELF values to prevent out of boundary accesses.
While at it, return proper return value when encountering a stripped
binary. Instead of -1 (illegal file), it should be the amount of symbols
that were tried to be resolved.

ok millert

9 years agoDisable !-command to escape to a shell. You are supposed to play, press
tobias [Fri, 16 Oct 2015 07:37:46 +0000 (07:37 +0000)]
Disable !-command to escape to a shell. You are supposed to play, press
^Z, or open up another terminal if there is something else to do.

ok deraadt

9 years agoAdd native support for ed-style diffs. No need to pledge "proc exec" anymore.
tobias [Fri, 16 Oct 2015 07:33:47 +0000 (07:33 +0000)]
Add native support for ed-style diffs. No need to pledge "proc exec" anymore.

ok deraadt

9 years agodoug and I think the kernel has enough features to support
deraadt [Fri, 16 Oct 2015 07:01:53 +0000 (07:01 +0000)]
doug and I think the kernel has enough features to support
pledge "stdio rpath wpath cpath getpw proc exec tty" now.
It will be hard to drop many of those features unless cu becomes
privsep for the "upload" commands.

9 years agoFIOSETOWN/FIOGETOWN were added to "ioctl", but study finds no programs
deraadt [Fri, 16 Oct 2015 06:42:02 +0000 (06:42 +0000)]
FIOSETOWN/FIOGETOWN were added to "ioctl", but study finds no programs
currently needing them.  delete 'em for now.
ok doug

9 years agoAdd TIOCCBRK and TIOCSDTR to the whitelist for pledge ioctl.
doug [Fri, 16 Oct 2015 06:40:53 +0000 (06:40 +0000)]
Add TIOCCBRK and TIOCSDTR to the whitelist for pledge ioctl.

cu(1) uses these.

ok deraadt@

9 years agoPledge support for the parent/resolver in identd(8).
doug [Fri, 16 Oct 2015 05:55:23 +0000 (05:55 +0000)]
Pledge support for the parent/resolver in identd(8).

This limits the resolver to just "stdio getpw" or "stdio getpw rpath"
depending on whether ~/.noident files are checked.

The child/listener cannot use pledge yet because it calls a sysctl that
hasn't been whitelisted.

"commit" deraadt@

9 years agoPledge for ftp(1) in non-interactive mode.
doug [Fri, 16 Oct 2015 05:35:19 +0000 (05:35 +0000)]
Pledge for ftp(1) in non-interactive mode.

We will iterate and remove some of the pledges in the future.  This is
conservative for now.

Tested by sthen@ and myself.
ok deraadt@

9 years agoRemove -B from EXAMPLES; reminded by jmc@
miod [Fri, 16 Oct 2015 04:20:54 +0000 (04:20 +0000)]
Remove -B from EXAMPLES; reminded by jmc@

9 years agoAdd allocarray(), an overflow-safe allocation function.
mmcc [Fri, 16 Oct 2015 03:17:56 +0000 (03:17 +0000)]
Add allocarray(), an overflow-safe allocation function.

We avoided reallocation support because it demands more fancy footwork
to deal with the prepended link struct.

This has been on my mind for a while, and a 2010 security review of mksh
by the Android security team's Chris Palmer suggested it.

ok nicm@. Also discussed with millert@ and tedu@.

9 years agosync
deraadt [Fri, 16 Oct 2015 03:05:25 +0000 (03:05 +0000)]
sync

9 years agofine tune the logging some more
tedu [Fri, 16 Oct 2015 02:09:31 +0000 (02:09 +0000)]
fine tune the logging some more

9 years agosimplify logging functions. once a daemon, always a daemon
tedu [Fri, 16 Oct 2015 01:58:28 +0000 (01:58 +0000)]
simplify logging functions. once a daemon, always a daemon

9 years agosafety check that we're dealing with the filter we expect
tedu [Fri, 16 Oct 2015 01:55:19 +0000 (01:55 +0000)]
safety check that we're dealing with the filter we expect

9 years agomost things should be static
tedu [Fri, 16 Oct 2015 01:50:39 +0000 (01:50 +0000)]
most things should be static

9 years agoexit(1) is better for the impossible condition
tedu [Fri, 16 Oct 2015 01:37:14 +0000 (01:37 +0000)]
exit(1) is better for the impossible condition

9 years agofix some signed/unsigned integer type mismatches in format
djm [Thu, 15 Oct 2015 23:51:40 +0000 (23:51 +0000)]
fix some signed/unsigned integer type mismatches in format
strings; reported by Nicholas Lemonias

9 years agoDo not abuse .Nm for emphasis;
schwarze [Thu, 15 Oct 2015 23:46:20 +0000 (23:46 +0000)]
Do not abuse .Nm for emphasis;
patch from Michael Reed <m dot reed at mykolab dot com>.
Also drop .Tn while here.

9 years agoDelete two preprocessor constants that are no longer used.
schwarze [Thu, 15 Oct 2015 23:35:38 +0000 (23:35 +0000)]
Delete two preprocessor constants that are no longer used.
Patch from Michael Reed <m dot reed at mykolab dot com>.

9 years agoargument to sshkey_from_private() and sshkey_demote() can't be NULL
djm [Thu, 15 Oct 2015 23:08:23 +0000 (23:08 +0000)]
argument to sshkey_from_private() and sshkey_demote() can't be NULL

9 years agoAfter spawning, the parent can pledge "stdio rpath wpath cpath"
deraadt [Thu, 15 Oct 2015 23:06:46 +0000 (23:06 +0000)]
After spawning, the parent can pledge "stdio rpath wpath cpath"
from rob pierce

9 years agoRemove three distracting aliases for NULL.
mmcc [Thu, 15 Oct 2015 22:53:50 +0000 (22:53 +0000)]
Remove three distracting aliases for NULL.

ok nicm@

9 years agoSimplify the part of args() that is handling .Bl -column phrases:
schwarze [Thu, 15 Oct 2015 22:45:07 +0000 (22:45 +0000)]
Simplify the part of args() that is handling .Bl -column phrases:
Delete manual "Ta" handling because macro handling should
not be done in an argument parser but should be left to the
macro parsers, which exist anyway and work well.
No functional change, minus 40 lines of code.

Confusing and redundant code found while investigating
an old bug report from tim@.

9 years agoWhen blk_full() handles an .It line in .Bl -column and indirectly
schwarze [Thu, 15 Oct 2015 22:27:09 +0000 (22:27 +0000)]
When blk_full() handles an .It line in .Bl -column and indirectly
calls phrase_ta() to handle a .Ta child macro, advance the body
pointer accordingly, such that a subsequent tab character rewinds
the right body block and doesn't fail an assertion.  That happened
when there was nothing between the .Ta and the tab character.
Bug reported by tim@ some time ago.

9 years agoit is perhaps better style to not call close() on -1, even if harmless
tedu [Thu, 15 Oct 2015 22:21:28 +0000 (22:21 +0000)]
it is perhaps better style to not call close() on -1, even if harmless