deraadt [Sun, 18 Oct 2015 03:17:48 +0000 (03:17 +0000)]
after kmem is open and setup, pledge "stdio rpath wpath cpath"
seems to be working. commiting to get feedback from people who crash.
deraadt [Sun, 18 Oct 2015 03:13:07 +0000 (03:13 +0000)]
Collapse some strange programmer style with too much abstraction.
deraadt [Sun, 18 Oct 2015 03:09:11 +0000 (03:09 +0000)]
With TIOCSTI supported in pledge "tty proc", csh is good enough to run
with pledge "stdio rpath wpath cpath fattr getpw proc exec tty". (Note
that ksh "emacs mode" is also a abus^Wconsumer of TIOCSTI, but we had
let that slide for a week since noone uses it...)
mmcc [Sun, 18 Oct 2015 03:04:11 +0000 (03:04 +0000)]
A whole buncha unsigned char casts for ctype function arguments.
ok guenther@
mmcc [Sun, 18 Oct 2015 02:39:04 +0000 (02:39 +0000)]
Use explicit_bzero() when the memory is freed directly afterward.
ok deraadt@
mmcc [Sun, 18 Oct 2015 02:30:53 +0000 (02:30 +0000)]
Use explicit_bzero() when the memory is freed directly afterward.
ok deraadt@
deraadt [Sun, 18 Oct 2015 01:53:31 +0000 (01:53 +0000)]
TIOCSTI and TIOCSCTTY; oops got the condition backwards.
deraadt [Sun, 18 Oct 2015 01:45:48 +0000 (01:45 +0000)]
better placement for dnssocket/dnsconnect
deraadt [Sun, 18 Oct 2015 01:32:05 +0000 (01:32 +0000)]
Describe dnssocket / dnsconnect arguments
doug [Sun, 18 Oct 2015 01:07:19 +0000 (01:07 +0000)]
Allow read/write access to /dev/tty when using "tty" pledge.
Without this change, you need "rpath" and "wpath" to open /dev/tty. Some
applications explicitly open /dev/tty, but deraadt@ found the most
common use is indirectly via readpassphrase().
tweak and ok deraadt@
pre-tweak ok millert@, semarie@
deraadt [Sun, 18 Oct 2015 00:36:20 +0000 (00:36 +0000)]
create libc stubs for dnssocket() and dnsconnect()
deraadt [Sun, 18 Oct 2015 00:05:59 +0000 (00:05 +0000)]
sync
deraadt [Sun, 18 Oct 2015 00:04:43 +0000 (00:04 +0000)]
Add two new system calls: dnssocket() and dnsconnect(). This creates a
SS_DNS tagged socket which has limited functionality (for example, you
cannot accept on them...) The libc resolver will switch to using these,
therefore pledge can identify a DNS transaction better.
ok tedu guenther kettenis beck and others
deraadt [Sat, 17 Oct 2015 23:50:04 +0000 (23:50 +0000)]
naddy asks me if __tfork should be allowed by "proc". yes!
We may need a better semantic later ("thread"?), but this allows
progress, and people can report their experiences.
deraadt [Sat, 17 Oct 2015 23:15:10 +0000 (23:15 +0000)]
connect() to an AF_UNIX socket is really read/write, so tell pledge this
is a RPATH|WPATH operation.
Discussed with doug and millert
deraadt [Sat, 17 Oct 2015 23:12:46 +0000 (23:12 +0000)]
Allow the nasty ioctl TIOCSTI in "tty", but also require the "proc"
permission. For now, we'll tighten it down further later.
deraadt [Sat, 17 Oct 2015 23:04:06 +0000 (23:04 +0000)]
better wording in a comment
deraadt [Sat, 17 Oct 2015 23:01:37 +0000 (23:01 +0000)]
Unify TIOCGPGRP/TIOCGWINSZ/TIOCGWINSZ behaviour regarding ENOTTY return.
(both "tty" and "ioctl" allow these; they should behave the same)
deraadt [Sat, 17 Oct 2015 22:58:30 +0000 (22:58 +0000)]
Allow TIOCSCTTY on tty devices, if the pledge says "tty id"
worked out with nicm
deraadt [Sat, 17 Oct 2015 22:54:23 +0000 (22:54 +0000)]
whitespace
guenther [Sat, 17 Oct 2015 22:40:54 +0000 (22:40 +0000)]
Rename SYSEXIT() to SYSCALL_END() for consistency with most other archs.
No change in resulting object files
ok millert@
gilles [Sat, 17 Oct 2015 22:24:36 +0000 (22:24 +0000)]
mailaddr_match() allows comparing two struct mailaddr taking into account
catchall and +-tags
ok millert@ and jung@ for util.c
guenther [Sat, 17 Oct 2015 21:48:42 +0000 (21:48 +0000)]
Move the last of the __DBINTERFACE_PRIVATE bits from <db.h> to libc's wrapper
and eliminate the now superfluous -D option
ok kettenis@ millert@
kettenis [Sat, 17 Oct 2015 21:41:12 +0000 (21:41 +0000)]
Fix the code that sets up the MCH BAR on systems where the (buggy) BIOS
doesn't do this for us. The code was poking registers on the wrong PCI
device. We were just lucky that it worked on most systems.
This should fix machines such as the Asus EeePC 701 and get rid of the
error: [drm:pid0:i915_gem_detect_bit_6_swizzle] *ERROR* Couldn't read from
MC HBAR. Disabling tiling.
messages on that machine.
naddy [Sat, 17 Oct 2015 21:34:07 +0000 (21:34 +0000)]
Tighten pledge: We only write to stdio and never to any files if
in cat mode (-c, zcat), or in test mode (-t), or if there are no
file arguments and there is no -o outfile. Due to fts(3) we require
rpath even for compress <in >out.
"seems sound" deraadt@
stsp [Sat, 17 Oct 2015 21:30:29 +0000 (21:30 +0000)]
Spell all "unexpected mode %u" panics in lower case, not just one of them.
jmc [Sat, 17 Oct 2015 21:11:42 +0000 (21:11 +0000)]
remove some unneccessary macros; from michael reed
jmc [Sat, 17 Oct 2015 21:06:23 +0000 (21:06 +0000)]
add missing underscore; from theo buehler
stsp [Sat, 17 Oct 2015 20:41:41 +0000 (20:41 +0000)]
Fix build with IFMEDIA_DEBUG defined; ok sthen@
deraadt [Sat, 17 Oct 2015 20:22:08 +0000 (20:22 +0000)]
PROTO_NORMAL for pledge(); ok guenther
bluhm [Sat, 17 Oct 2015 19:50:47 +0000 (19:50 +0000)]
login_token needs pledge "flock" now.
OK millert@
gilles [Sat, 17 Oct 2015 19:44:07 +0000 (19:44 +0000)]
makemap shout strip initial and trailing whitespaces using strip()
ok millert@, ok jung@
gilles [Sat, 17 Oct 2015 19:42:12 +0000 (19:42 +0000)]
document handling of comments in makemap
ok millert@, ok sunil@, ok jung@
mmcc [Sat, 17 Oct 2015 18:43:22 +0000 (18:43 +0000)]
Drop two useless defines.
ok nicm@
nicm [Sat, 17 Oct 2015 18:30:43 +0000 (18:30 +0000)]
Add pledge "stdio unix sendfd proc exec tty" to tmux client process,
"sendfd" is dropped after first message from the server.
mmcc [Sat, 17 Oct 2015 18:26:24 +0000 (18:26 +0000)]
Move a system header include from the global header (sh.h) into the
files that need it. No binary change.
"This looks fine" -nicm@
gilles [Sat, 17 Oct 2015 18:00:32 +0000 (18:00 +0000)]
both of these are deprecated
sunil [Sat, 17 Oct 2015 16:20:46 +0000 (16:20 +0000)]
Convert some fgetln to getline.
tested and ok gilles@
sunil [Sat, 17 Oct 2015 16:07:03 +0000 (16:07 +0000)]
Cleanup and simplify LMTP code.
Ok millert@ gilles@
sunil [Sat, 17 Oct 2015 16:03:20 +0000 (16:03 +0000)]
LMTP delivery requires "inet unix".
Ok millert@ gilles@
florian [Sat, 17 Oct 2015 15:43:31 +0000 (15:43 +0000)]
make usage() less horrible
doug [Sat, 17 Oct 2015 15:00:11 +0000 (15:00 +0000)]
Exit if a pledge call fails in non-interactive mode.
ok semarie@
tim [Sat, 17 Oct 2015 14:33:01 +0000 (14:33 +0000)]
Pledge; OK millert@ tobias@
gilles [Sat, 17 Oct 2015 13:35:45 +0000 (13:35 +0000)]
this file is deprecated
mmcc [Sat, 17 Oct 2015 13:32:46 +0000 (13:32 +0000)]
Change allocarray() to areallocarray(), a full reallocarray clone. All
the logic is already in aresize().
"Sure" nicm@
gilles [Sat, 17 Oct 2015 13:30:47 +0000 (13:30 +0000)]
remove unused variables
mmcc [Sat, 17 Oct 2015 13:27:55 +0000 (13:27 +0000)]
Copy alloc()'s overflow check to aresize().
Suggested by nicm@.
krw [Sat, 17 Oct 2015 13:27:08 +0000 (13:27 +0000)]
NUMBOOT is dead! Nuke the variables and abstractions that were used
to build boot blocks.
ok miod@
florian [Sat, 17 Oct 2015 13:08:14 +0000 (13:08 +0000)]
Implement -w maxwait now that the -w flag is free in ping6. Same
behaviour as ping(8).
reyk [Sat, 17 Oct 2015 13:07:07 +0000 (13:07 +0000)]
Do no accept fds on the control socket; including the restricted socket.
OK gilles@ eric@
florian [Sat, 17 Oct 2015 13:07:02 +0000 (13:07 +0000)]
move -V option before -v and remove one spurious newline, now in sync
with ping.
No object change.
gilles [Sat, 17 Oct 2015 13:06:03 +0000 (13:06 +0000)]
KNF
gilles [Sat, 17 Oct 2015 12:59:52 +0000 (12:59 +0000)]
our strip() function should use isspace()
ok jung@, ok millert@
florian [Sat, 17 Oct 2015 12:38:29 +0000 (12:38 +0000)]
Remove left over -N and -w. Adapt wording for the link local example.
Pointed out by, input & OK jmc
reyk [Sat, 17 Oct 2015 10:20:33 +0000 (10:20 +0000)]
Tighten up snmpd's control socket: do not allow users to terminate the
daemon by sending corrupted imsgs to snmpd. This is especially
important for the optional world-writeable restricted socket that is
used for AgentX. In particular, don't fatal() in the daemon when imsg
size checks on control messages fail, do stricter validation of
expected messages (even assert zero-length imsgs), don't continue and
close the control socket on suspicious input, print a debug log
message on error.
OK gilles@ "the rationale behind it is quite clear"
rpe [Sat, 17 Oct 2015 08:47:24 +0000 (08:47 +0000)]
Cleanup a bit.
OK krw@ halex@
semarie [Sat, 17 Oct 2015 07:51:10 +0000 (07:51 +0000)]
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when
asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls
fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several
with and ok doug@
deraadt [Sat, 17 Oct 2015 04:41:37 +0000 (04:41 +0000)]
The file(1) magic-parsing process was using pledge "stdio getpw proc recvfd"
early on, then a set of getpwnam/setresuid/... before quickly dropping to
"stdio recvfd". It receives fd's and runs the magic code on them in a
chroot'd "stdio" jail. We can do better than that.
Before the recent change, "proc" contained both the concepts of "forking"
and "setuid". "id" is now split out as a seperate request, and it is
exactly what this process needs momentarily. So this loses another window
of opportunity, in case we have a major bug in .... hmm, it'd have to be
in getpwnam....
ok tedu doug semarie gilles
deraadt [Sat, 17 Oct 2015 04:36:10 +0000 (04:36 +0000)]
smtpd starts rather robustly with a gigantic pledge request group (keep
in mind that a gigantic group is already < ~50% of POSIX). It then
grinds these down bit by bit as it sets up privsep for the various
processes. At startup, smtpd will need the new "id" request as well.
ok gilles tedu
deraadt [Sat, 17 Oct 2015 04:31:07 +0000 (04:31 +0000)]
Add pledge "id" support. This request permits setuid/seteuid/setresuid,
setgid/setegid/setresgid, setgroups, setlogin, and setpriority.
setrlimit and getpriority are also allowed (they are also in "proc")
some of these were previously permitted in "proc" but have been removed.
this seperation is intentional. "proc" is intended for reasoning about
the relationship of a process "with other processes", whereas "id" deals
the powerful/dangerous concept of unix ids. "id" will see some action
very soon.
ok gilles tedu semarie doug
jca [Sat, 17 Oct 2015 01:01:09 +0000 (01:01 +0000)]
route6d pledges to use only "stdio rpath wpath cpath inet route mcast"
ok deraadt@
jca [Sat, 17 Oct 2015 00:58:50 +0000 (00:58 +0000)]
Allow a few 'get' ioctls for pledge("route"). route6d will soon use this.
ok deraadt@
tedu [Sat, 17 Oct 2015 00:38:57 +0000 (00:38 +0000)]
don't need fcntl for non blocking socket, just ask for it upfront
schwarze [Sat, 17 Oct 2015 00:19:58 +0000 (00:19 +0000)]
Very tricky diff to fix macro interpretation and spacing around tabs
in .Bl -column; it took me more than a day to get this right.
Triggered by a loosely related bug report from tim@.
The lesson for you is: Use .Ta macros in .Bl -column, avoid tabs,
or you are in for surprises: The last word before a tab is not
interpreted as a macro (unless there is a blank in between), the
first word after a tab isn't either (unless there is a blank in
between), and a blank after a tab causes a leading blank in the
respective output cell. Yes, "blank", "tab", "blank tab" and "tab
blank" all have different semantics; if you write code relying on
that, good luck maintaining it afterwards...
mmcc [Fri, 16 Oct 2015 23:18:59 +0000 (23:18 +0000)]
Change x_do_ins()'s arg type from int to size_t for correctness's sake,
and to silence a compiler warning. Also remove its prototype, which is
directly above its definition.
ok tedu@
mmcc [Fri, 16 Oct 2015 23:13:35 +0000 (23:13 +0000)]
Move the overflow check to alloc() so that the link struct overhead can
never bite us.
Suggested by Theo Buehler, inspired by Bitrig's natano@.
ok tedu@
deraadt [Fri, 16 Oct 2015 23:09:53 +0000 (23:09 +0000)]
use daemon(), jca had the same diff in his tree
jca [Fri, 16 Oct 2015 23:00:01 +0000 (23:00 +0000)]
Also allow 6 as a miblen for NET_RT_DUMP, not all users specify a rtable.
ok deraadt@
deraadt [Fri, 16 Oct 2015 22:54:35 +0000 (22:54 +0000)]
pledge "stdio rpath wpath cpath getpw fattr flock"
deraadt [Fri, 16 Oct 2015 22:54:15 +0000 (22:54 +0000)]
pledge "stdio rpath wpath cpath fattr proc exec"
deraadt [Fri, 16 Oct 2015 22:53:32 +0000 (22:53 +0000)]
pledge "stdio rpath wpath cpath proc exec".
florian [Fri, 16 Oct 2015 22:47:12 +0000 (22:47 +0000)]
Remove RFC 4620 support. The RFC is experimental and this code plain
needs killing before the installed user base excedes 6. Minus 745 LOC.
This is getting in the way of a merge since it has it's tentacles all
over the place.
OK jca@, deraadt@
djm [Fri, 16 Oct 2015 22:32:22 +0000 (22:32 +0000)]
increase the minimum modulus that we will send or accept in
diffie-hellman-group-exchange to 2048 bits; ok markus@
deraadt [Fri, 16 Oct 2015 22:25:50 +0000 (22:25 +0000)]
Hoist clearing of FIOASYNC to much earlier, then getty can use
pledge "stdio rpath fattr proc exec tty".
schwarze [Fri, 16 Oct 2015 21:35:16 +0000 (21:35 +0000)]
Once apropos(1) or man(1) are done with database access, or if the
program was called as mandoc(1) in the first place, remove "flock"
from our pledge(2) before entering the parsers and formatters.
OK millert@ deraadt@
sthen [Fri, 16 Oct 2015 21:13:33 +0000 (21:13 +0000)]
Use SSL_get_version() not SSL_get_cipher_version(); the former gives the TLS
version used for the connection, the latter gives "the SSL/TLS protocol version
that first defined the cipher". Fixes "TLS version=TLSv1/SSLv3" in received/log
lines.
ok millert@ "I was going to commit this today, so yes definitely" ok gilles@
gilles [Fri, 16 Oct 2015 20:54:55 +0000 (20:54 +0000)]
add flock to pledge request, needed by delivery_filename
ok millert@
jca [Fri, 16 Oct 2015 20:43:27 +0000 (20:43 +0000)]
Unbreak route6d.
Instead of breaking sendmsg(2) by adding unneeded space to its cmsg
item, add space to the cmsg used by recvmsg(2), where it will be used
to get the incoming packet hop limit.
Reported by several over the last years, and more recently by 'bsdsx',
who tested it against NetBSD route6d. Also works against Quagga ripng.
ok deraadt@ sthen@
tedu [Fri, 16 Oct 2015 20:25:09 +0000 (20:25 +0000)]
save some file descriptors. instead of a pipe, use kevent to watch parent
tedu [Fri, 16 Oct 2015 20:12:06 +0000 (20:12 +0000)]
naddy would like the child to exit when the parent dies.
hook up a pipe between them and watch for eof in the child.
ajacoutot [Fri, 16 Oct 2015 20:12:00 +0000 (20:12 +0000)]
Missing local.
ok schwarze@
florian [Fri, 16 Oct 2015 20:11:59 +0000 (20:11 +0000)]
No longer talk about -b flag, it's gone.
ajacoutot [Fri, 16 Oct 2015 19:55:39 +0000 (19:55 +0000)]
Drop usage of TMPDIR.
While here, stop refering to /tmp/sysmerge.XXXXXXXXXX, that's a script
internal we don't need to know about.
deraadt [Fri, 16 Oct 2015 19:33:15 +0000 (19:33 +0000)]
sync
schwarze [Fri, 16 Oct 2015 19:21:05 +0000 (19:21 +0000)]
test mixing of tabs with Ta
mpi [Fri, 16 Oct 2015 19:07:24 +0000 (19:07 +0000)]
Make sched_barrier() use its own task queue to avoid deadlocks.
Prevent a deadlock from occuring when intr_barrier() is called from
a non-primary CPU in the watchdog task, also enqueued on ``systq''.
ok kettenis@
tedu [Fri, 16 Oct 2015 18:47:52 +0000 (18:47 +0000)]
life is simpler if all requests go in the fifo, and then just remove them
in the error case instead of duplicating code.
djm [Fri, 16 Oct 2015 18:40:49 +0000 (18:40 +0000)]
better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname
canonicalisation - treat them as already canonical and remove the
trailing '.' before matching ssh_config; ok markus@
tedu [Fri, 16 Oct 2015 18:38:53 +0000 (18:38 +0000)]
deraadt tells me i'm supposed to check if connect() actually worked.
tedu [Fri, 16 Oct 2015 18:29:05 +0000 (18:29 +0000)]
two phase handling for tcp so that slow connects don't stall the process
mmcc [Fri, 16 Oct 2015 18:21:43 +0000 (18:21 +0000)]
Cast isspace() argument to unsigned char.
ok jca@
florian [Fri, 16 Oct 2015 18:17:12 +0000 (18:17 +0000)]
Move -t and -w functionality to -a. Both flags are in the way for a
merge with ping(8). Let's see if we can shove every weird and special v6
functionality into -a.
suggested by and OK sthen@
mmcc [Fri, 16 Oct 2015 17:56:07 +0000 (17:56 +0000)]
Modernize allocation by:
* removing unneeded casts of void* return values
* replacing varied and creative error messages with the allocation
function's name
* replacing errx() with err() so that the errno string is reported
ok beck@, jung@, millert@
mmcc [Fri, 16 Oct 2015 17:14:04 +0000 (17:14 +0000)]
Cast iscntrl()'s arg to unsigned char.
ok nicm@
mmcc [Fri, 16 Oct 2015 17:07:24 +0000 (17:07 +0000)]
0 -> NULL when comparing with a char*.
ok dtucker@, djm@.
deraadt [Fri, 16 Oct 2015 17:03:31 +0000 (17:03 +0000)]
Repair the pty check for kernels without pty support.
tobias [Fri, 16 Oct 2015 16:54:38 +0000 (16:54 +0000)]
Check file sizes only for regular files. The current code breaks savecore
due to its kvm handling.
ok deraadt
bluhm [Fri, 16 Oct 2015 16:10:10 +0000 (16:10 +0000)]
Pledge the syslogd privsep process with "stdio rpath wpath cpath
inet dns getpw sendfd proc exec".
OK deraadt@
schwarze [Fri, 16 Oct 2015 15:54:55 +0000 (15:54 +0000)]
The hosts.lpd examples file does not contain a single example.
The file format is so simple that no example is needed.
All relevant documentation is already available
from the proper place, which is the lpd(8) manual.
Consequently, delete the empty file.
OK millert@ dcoppa@ beck@ deraadt@
nicm [Fri, 16 Oct 2015 15:39:14 +0000 (15:39 +0000)]
Allow PTMGET with "tty rpath wpath" but restrict only to /dev/ptm by
checking cdevsw. ok deraadt