mpi [Thu, 8 Oct 2015 08:41:58 +0000 (08:41 +0000)]
Use the radix API directly and get rid of the function pointers. There
is no point in keeping an unused level of abstraction.
ok mikeb@, claudio@
sthen [Thu, 8 Oct 2015 08:29:21 +0000 (08:29 +0000)]
add comment, suggested by reyk
sthen [Thu, 8 Oct 2015 08:17:30 +0000 (08:17 +0000)]
Link the result of each mps_getbulkreq() to the end of the previous list
and not the start of it. Fixes getbulk requests for multiple OIDs.
From Gerhard Roth, ok blambert@
sthen [Thu, 8 Oct 2015 07:26:34 +0000 (07:26 +0000)]
use correct return value for IP-MIB::ipForwarding, tweak/ok uebayasi@
jmc [Thu, 8 Oct 2015 07:22:02 +0000 (07:22 +0000)]
trailing whitespace;
deraadt [Thu, 8 Oct 2015 04:39:24 +0000 (04:39 +0000)]
Try again. Both -R and -p prevent use of tame, but other cases can use it.
deraadt [Thu, 8 Oct 2015 03:00:46 +0000 (03:00 +0000)]
sync
beck [Thu, 8 Oct 2015 02:42:58 +0000 (02:42 +0000)]
Rip the guts out of another gibbering horror of a time comparison function, and
mark it as #ifndef LIBRESSL_INTERNAL at least we don't use this.
ok jsing@
beck [Thu, 8 Oct 2015 02:29:11 +0000 (02:29 +0000)]
revert previous accidental commit
beck [Thu, 8 Oct 2015 02:26:31 +0000 (02:26 +0000)]
Spelling in comment
deraadt [Thu, 8 Oct 2015 00:07:20 +0000 (00:07 +0000)]
ah, fchflags. We will come back to this issue later
beck [Wed, 7 Oct 2015 23:33:38 +0000 (23:33 +0000)]
Add tls_peer_cert_notbefore and tls_peer_cert_notafter to expose peer certificate
validity times for tls connections.
ok jsing@
beck [Wed, 7 Oct 2015 23:25:45 +0000 (23:25 +0000)]
Allow us to get cipher and version even if there is not a peer certificate.
ok doug@
deraadt [Wed, 7 Oct 2015 20:26:16 +0000 (20:26 +0000)]
In theory, bgpd should be happy with tame "stdio unix route recvfd".
Let's hear from people's experiences by commiting it.
deraadt [Wed, 7 Oct 2015 20:25:40 +0000 (20:25 +0000)]
use new tame "route" feature when possible
deraadt [Wed, 7 Oct 2015 20:25:22 +0000 (20:25 +0000)]
use fatal() instead of err(); from benno
deraadt [Wed, 7 Oct 2015 19:52:54 +0000 (19:52 +0000)]
Split out routing sysctl's from tame "inet", and put them into the
new tame "route" request. Now routing daemons and tools (such as arp),
can narrowly ask for either feature. One thing remains available in
both cases -- support for getifaddr()'s, since libc and programs often
use that in close association with socket creation.
ok benno sthen beck, some discussion with renato
millert [Wed, 7 Oct 2015 19:25:42 +0000 (19:25 +0000)]
Use getline(3) rather than fgetln(3). OK gilles@
deraadt [Wed, 7 Oct 2015 18:29:35 +0000 (18:29 +0000)]
one simple free, ok mpi
another not so simple free, repaired by mpi
krw [Wed, 7 Oct 2015 18:02:06 +0000 (18:02 +0000)]
Add initial support for UEFI/GPT installs to install script. Original
diff from rpe@.
ok deraadt@ yasuoka@
deraadt [Wed, 7 Oct 2015 18:00:06 +0000 (18:00 +0000)]
use tame "stdio rpath tty", for ttyname(). from Rob Pierce, who chose to
do this using ktrace step by step. not the method i recommend, because
it requires 100% coverage via feature tests. better to read the code and
understand everything being called, then make decisions.
jmc [Wed, 7 Oct 2015 17:52:38 +0000 (17:52 +0000)]
"..." implies optional, so no need for []; from michael reed
semarie [Wed, 7 Oct 2015 17:27:35 +0000 (17:27 +0000)]
from previous commit: "ioctl" is used for grab ttyname(0)
with a function's name like that "tty" should be a better request (more strict)
pointed by and ok deraadt@
millert [Wed, 7 Oct 2015 16:53:00 +0000 (16:53 +0000)]
Be explicit that the user is responsible for freeing the line buffer
and show this in the example.
semarie [Wed, 7 Oct 2015 16:11:40 +0000 (16:11 +0000)]
enable tame(2) in who(1).
some refactor to grab ttyname(0) early and use it later.
gradually drop tame requests when no more needed.
"ioctl" is used for grab ttyname(0)
"rpath" is for -T and -u flag, that used stat(2) to get terminal status
initial patch from deraadt with help from guenther
ok deraadt@
djm [Wed, 7 Oct 2015 15:59:12 +0000 (15:59 +0000)]
include PubkeyAcceptedKeyTypes in ssh -G config dump
deraadt [Wed, 7 Oct 2015 15:47:56 +0000 (15:47 +0000)]
tame "stdio cpath". The cpath is for rmdir(). Tame bundles all the system
calls that create/destroy filesystem paths in the "cpath" request.
deraadt [Wed, 7 Oct 2015 15:44:58 +0000 (15:44 +0000)]
We cannot tame if -R is specified, because mknod and mkfifo may be called.
But in other cases, we can use tame "stdio rpath wpath cpath fattr", including
for the historical -r option.
deraadt [Wed, 7 Oct 2015 14:52:45 +0000 (14:52 +0000)]
easy size for free(); ok mpi
deraadt [Wed, 7 Oct 2015 14:49:04 +0000 (14:49 +0000)]
easy free sizes; ok mpi
sobrado [Wed, 7 Oct 2015 14:45:30 +0000 (14:45 +0000)]
UsePrivilegeSeparation defaults to sandbox now.
ok djm@
deraadt [Wed, 7 Oct 2015 14:37:11 +0000 (14:37 +0000)]
tame "stdio rpath wpath cpath" to support use of freopen() with "w"
deraadt [Wed, 7 Oct 2015 14:36:07 +0000 (14:36 +0000)]
tame "stdio inet rpath wpath cpath" supports all the functions of tftp.
deraadt [Wed, 7 Oct 2015 14:35:19 +0000 (14:35 +0000)]
tame "stdio rpath". no uid/user resolution happening here.
deraadt [Wed, 7 Oct 2015 14:34:34 +0000 (14:34 +0000)]
tame "stdio wpath cpath", since tee creates & writes to a list of files
ok semarie
deraadt [Wed, 7 Oct 2015 14:17:18 +0000 (14:17 +0000)]
tame "stdio cpath rpath fattr", unless mkdir -m is passed a mode which
has setuid/setgid/sticky bits.
ok semarie
deraadt [Wed, 7 Oct 2015 14:16:09 +0000 (14:16 +0000)]
Oops, not quite ready for tame() here. People need time to update
their kernels, before it starts using the new "exec" primitive.
HINT: everyone, update your kernels, tame is coming to make really soon.
deraadt [Wed, 7 Oct 2015 14:14:30 +0000 (14:14 +0000)]
*** empty log message ***
deraadt [Wed, 7 Oct 2015 14:13:23 +0000 (14:13 +0000)]
tame "stdio rpath", for the open with O_RDONLY.
ok semarie
deraadt [Wed, 7 Oct 2015 14:12:42 +0000 (14:12 +0000)]
tame "stdio rpath", satisfies the fopen cases
ok semarie
deraadt [Wed, 7 Oct 2015 14:10:50 +0000 (14:10 +0000)]
tame "stdio rpath", which covers readlink() and realpath()
ok semarie
deraadt [Wed, 7 Oct 2015 14:06:26 +0000 (14:06 +0000)]
tame "stdio"; username information does not use getpw
deraadt [Wed, 7 Oct 2015 14:05:07 +0000 (14:05 +0000)]
tame "stdio rpath getpw". getpw is for user_from_uid(), which is a libc
cache on top of the getpw* functions.
ok semarie, who didn't spot the getpw need :)
deraadt [Wed, 7 Oct 2015 13:59:34 +0000 (13:59 +0000)]
getaddrinfo_async() shouldn't unconditionally intialize the resolver
via _asr_use_resolver(). If the hint specifies for AI_NUMERICHOST,
create a transient lookup context which won't try to open /etc/reslov.conf
ok eric guenther
deraadt [Wed, 7 Oct 2015 13:57:12 +0000 (13:57 +0000)]
getaddrinfo() should not res_init() unconditionally, but allow lower
layers to decide. The request could be AI_NUMERICHOST. [And the process
could be tame()-constrained to not open /etc/resolv.conf]
ok eric guenther
bcook [Wed, 7 Oct 2015 13:20:48 +0000 (13:20 +0000)]
include <sys/time.h> for gettimeofday(2)
mpi [Wed, 7 Oct 2015 11:57:44 +0000 (11:57 +0000)]
rn_inithead() offset argument is now specified in byte, missed in previous.
mpi [Wed, 7 Oct 2015 11:39:49 +0000 (11:39 +0000)]
Make rtable_get() private to ensure it won't be used outside of
net/rtable.c. This will ease the introduction of rtable_put().
Routing tables are mapped to a tuple (idx, af) so the public API
should as much as possible require these two keys.
ok dlg@
mpi [Wed, 7 Oct 2015 10:50:35 +0000 (10:50 +0000)]
Initialize the routing table before domains.
The routing table is not an optional component of the network stack
and initializing it inside the "routing domain" requires some ugly
introspection in the domain interface.
This put the rtable* layer at the same level of the if* level. These
two subsystem are organized around the two global data structure used
in the network stack:
- the global &ifnet list, to be used in process context only, and
- the routing table which can be read in interrupt context.
This change makes the rtable_* layer domain-aware and extends the
"struct domain" such that INET, INET6 and MPLS can specify the length
of the binary key used in lookups. This allows us to keep, or move
towards, AF-free route and rtable layers.
While here stop the madness and pass the size of the maximum key length
in *byte* to rn_inithead0().
ok claudio@, mikeb@
jsg [Wed, 7 Oct 2015 10:26:23 +0000 (10:26 +0000)]
Correct handling of enum attributes with g++
gcc and g++ can currently have different ideas on the size of a
packed enum type:
enum __attribute__((packed)) foo { a = 0, b};
gcc: 1
g++: 4
enum foo { a = 0, b} __attribute__((packed));
gcc: 1
g++: 1
The first format is actually the preferred one according to the
documentation.
https://gcc.gnu.org/onlinedocs/gcc-4.2.1/gcc/Type-Attributes.html
g++ will accept the first format and silently not actually choose a
smaller size.
This was responsible for memory corruption with recent versions
of Mesa where c and c++ code share a header with a packed enum type.
The problem was reported in
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=39219
and fixed in gcc >= 4.3.6 in rev 144284.
This was after the switch from gplv2 but it's a trivial one line change.
ok guenther@ deraadt@ kettenis@
kettenis [Wed, 7 Oct 2015 09:53:00 +0000 (09:53 +0000)]
In i915_gem_fault(), move the "out" label after the switch state such that we
don't interpret one of the VM_PAGER_XXX return values as an unhandled errno
value and return the intended code instead of VM_PAGER_ERROR.
ok jsg@
nicm [Wed, 7 Oct 2015 09:52:58 +0000 (09:52 +0000)]
Couple of memory leaks in error paths, from Frederik Vanderstraeten.
mpi [Wed, 7 Oct 2015 08:58:01 +0000 (08:58 +0000)]
Move route entry debug helpers where they belong.
mpi [Wed, 7 Oct 2015 08:43:36 +0000 (08:43 +0000)]
Move the reference counting of a newly created route entry inside
rtable_insert().
inputs and ok bluhm@
mpi [Wed, 7 Oct 2015 08:41:01 +0000 (08:41 +0000)]
Do not call bpf_catchpacket() if another CPU detached a file from the
corresponding interface.
bfp_tap() and _bpf_mtap() are mostly run without the KERNEL_LOCK. The
use of SRPs in these functions gives us the guarantees that manipulated
BPF descriptors are alive but not the associated interface desctiptor!
And indeed they can be cleared by another CPU running bpf_detachd().
Prevent a race reported by Hrvoje Popovski when closing tcpdump(8) with
an IPL_MPSAFE ix(4).
ok mikeb@, dlg@, deraadt@
deraadt [Wed, 7 Oct 2015 07:00:01 +0000 (07:00 +0000)]
tame "stdio rpath". could go crazy and handle the non-filename case,
but i am feeling some fatigue.
deraadt [Wed, 7 Oct 2015 06:55:10 +0000 (06:55 +0000)]
tame "stdio rpath" initially. if no files, go to tame "stdio".
deraadt [Wed, 7 Oct 2015 06:51:50 +0000 (06:51 +0000)]
tame "stdio rpath getpw" before getpwuid and opening, then tame "stdio"
deraadt [Wed, 7 Oct 2015 06:44:01 +0000 (06:44 +0000)]
tame "stdio rpath wpath cpath tmppath tty". "tty" is the important part
here, permitting use of readpassphrase()
deraadt [Wed, 7 Oct 2015 06:43:15 +0000 (06:43 +0000)]
tame "stdio rpath wpath cpath" covers mkstemp (O_RDONLY|O_CREAT),
mkdtemp(), and unlink()
deraadt [Wed, 7 Oct 2015 06:39:16 +0000 (06:39 +0000)]
tame "stdio". It would take some doing for this to contain a bug, but
just in case -- now it can barely do anything when it goes wrong.
deraadt [Wed, 7 Oct 2015 06:35:19 +0000 (06:35 +0000)]
tame "stdio". I doubt there is a bug in the environment parsing code.
But if there is, and this program is taken control of, it is quite limited
in the system calls it can do.
deraadt [Wed, 7 Oct 2015 06:33:31 +0000 (06:33 +0000)]
tame "stdio rpath wpath cpath" handles all the cases of opening files
deraadt [Wed, 7 Oct 2015 06:29:26 +0000 (06:29 +0000)]
patch(1) can move to "stdio rpath wpath cpath tmppath fattr proc exec"
(adding proc exec), now that "exec" has arrived in the kernel. This
permits the dangerous game of feeding ed-style diffs with popen() via
/bin/ed. Shocked yet? Your mission, should you choose to accept it,
is to replace this code with an builtin ed-style patcher, maybe cribbing
code from ed itself.
I'm sorry, but we can't fix the entire world all at once. Noone loves
deprecating standarized features as much as we do, but there are some
lines. Maybe if people become aware of how crappy the implimentations
of some standard features are, they could help decide the path.
deraadt [Wed, 7 Oct 2015 06:18:00 +0000 (06:18 +0000)]
tame "stdio rpath"
deraadt [Wed, 7 Oct 2015 06:15:51 +0000 (06:15 +0000)]
tame "stdio rpath"
deraadt [Wed, 7 Oct 2015 06:00:33 +0000 (06:00 +0000)]
tame "stdio rpath wpath cpath" or a more mundane "stdio rpath", depending
on which arguments the programs are run under.
ok doug
deraadt [Wed, 7 Oct 2015 05:59:36 +0000 (05:59 +0000)]
tame "stdio rpath wpath". rpath is for localtime() and mktime(),
while wpath is for logwtmp(), a bit pessimistically since it is not clear
what could happen.
This is done AFTER the time is potentially set, since settimeofday() is
not available to us. Improvements and tests would be welcome.
deraadt [Wed, 7 Oct 2015 05:37:42 +0000 (05:37 +0000)]
tame "stdio rpath wpath cpath proc exec tty". proc and exec because ed
it is a shell (it has a !command). tty because it uses TIOCGWINSZ in
a SIGWINCH handler.
deraadt [Wed, 7 Oct 2015 05:21:41 +0000 (05:21 +0000)]
tame "stdio inet rpath cpath wpath proc" seems to be sufficient for
all the wading in here. "proc" is for the speed command, which fork()'s.
ok doug
deraadt [Wed, 7 Oct 2015 05:08:27 +0000 (05:08 +0000)]
move from tame "ioctl" to tame "tty", which provides a better fit for
this program which uses tcgetattr(). the tcsetattr() calls are outside
the tame regions.
deraadt [Wed, 7 Oct 2015 04:05:24 +0000 (04:05 +0000)]
tame "stdio getpw rpath wpath tty". "tty" allows this to use
readpassphrase().
deraadt [Wed, 7 Oct 2015 04:03:57 +0000 (04:03 +0000)]
We continue our tour through obscure BSD <word escapes me>. This stdio-based
program may open files arbitrarily, so tame "stdio rpath" it from the start.
deraadt [Wed, 7 Oct 2015 04:00:45 +0000 (04:00 +0000)]
tame "stdio rpath" at the start, then potentially some files are opened.
After that, tame "stdio" because that's all this program does.
deraadt [Wed, 7 Oct 2015 03:50:10 +0000 (03:50 +0000)]
tame "stdio rpath wpath cpath" to cover all the file opening cases.
ok doug
deraadt [Wed, 7 Oct 2015 03:49:41 +0000 (03:49 +0000)]
tame "stdio rpath" for when paths are specified; otherwise tame "stdio"
for the stdin case.
ok doug
deraadt [Wed, 7 Oct 2015 03:47:43 +0000 (03:47 +0000)]
Add the tame "exec" request. This allows processes which request
"exec" to call execve(2), potentially fork(2) beforehands if they
asked for "proc". Calling execve is what "shells" (ksh, tmux, etc)
have as their primary purpose. But meantime, if such a shell has a
nasty bug, we want to mitigate the process from opening a socket or
calling 100+ other system calls. Unfortunately silver bullets are in
short supply, so if our goal is to stay in a POSIX-y environment, we
have to let shells call execve(). POSIX ate the world, so choices do
we all have?
Warning for many: silver bullets are even more rare in other OS
ecosystems, so please accept this as a narrow lowering of the bar in a
very raised environment.
Commited from a machine running tame "proc exec" ksh, make, etc.
krw [Wed, 7 Oct 2015 03:06:46 +0000 (03:06 +0000)]
Add initial support for installing UEFI boot files to a GTP EFI System
Partition. Further work to be done in-tree.
ok deraadt@
djm [Wed, 7 Oct 2015 00:54:06 +0000 (00:54 +0000)]
don't try to change tun device flags if they are already what
we need; makes it possible to use tun/tap networking as non-
root user if device permissions and interface flags are
pre-established; based on patch by Ossi Herrala
krw [Wed, 7 Oct 2015 00:04:57 +0000 (00:04 +0000)]
Note permissions for the crc32() code adapted from Hacker's Delight.
Prompted by deraadt@.
deraadt [Tue, 6 Oct 2015 23:01:43 +0000 (23:01 +0000)]
obvious tame "stdio". For those not keeping score, this is another
program which has had string mismanagement bugs before, probably
of the exploitable fashion.. if used in the wrong kind of script..
deraadt [Tue, 6 Oct 2015 22:58:24 +0000 (22:58 +0000)]
tame "stdio rpath" if we have new files to open, otherwise tame "stdio".
deraadt [Tue, 6 Oct 2015 22:55:51 +0000 (22:55 +0000)]
obvious tame "stdio"
nicm [Tue, 6 Oct 2015 21:35:16 +0000 (21:35 +0000)]
Remove an old and broken test snippet, from Michael McConville. ok millert
nicm [Tue, 6 Oct 2015 21:21:39 +0000 (21:21 +0000)]
Drop the silly and distracting ACCEPT and REJECT macros, from Michael
McConville. No binary change. ok millert tedu
nicm [Tue, 6 Oct 2015 21:19:06 +0000 (21:19 +0000)]
Move tree.c protos into tree.h, from Michael McConville, ok millert
deraadt [Tue, 6 Oct 2015 21:17:01 +0000 (21:17 +0000)]
oops, mistaken commit, spotted by naddy
matthew [Tue, 6 Oct 2015 20:49:32 +0000 (20:49 +0000)]
0xffffffff is 32 bits, not 24 bits
ok deraadt
schwarze [Tue, 6 Oct 2015 18:46:05 +0000 (18:46 +0000)]
With growing functionality, the synopsis became long and confusing.
The syntax of some subcommands has almost nothing in common with the
syntax of others. So split the synopsis to make it more readable.
"if you feel it helps, go for it" jmc@ ajacoutot@
schwarze [Tue, 6 Oct 2015 18:35:55 +0000 (18:35 +0000)]
use ellipsis for arguments that can be repeated;
ok ajacoutot@ jmc@
deraadt [Tue, 6 Oct 2015 18:35:09 +0000 (18:35 +0000)]
A process should be able to do sigpending for itself
schwarze [Tue, 6 Oct 2015 18:30:43 +0000 (18:30 +0000)]
modernize style: "return" is not a function; ok cmp(1)
deraadt [Tue, 6 Oct 2015 18:15:02 +0000 (18:15 +0000)]
For TAME_PROC, allow setrlimit()
benno [Tue, 6 Oct 2015 17:23:21 +0000 (17:23 +0000)]
fix flowsrc spec, ok florian, thx ingo!
deraadt [Tue, 6 Oct 2015 17:05:30 +0000 (17:05 +0000)]
When "proc" is requested, allow setpgid() and sigsuspend().
Also the combination of "proc tty" needs to permit TIOCSPGRP.
This is the start at minimum semantics required by processes which
work on process groups, sessions, ttys.
tedu [Tue, 6 Oct 2015 16:51:15 +0000 (16:51 +0000)]
we're running rm. call it rm too.
semarie [Tue, 6 Oct 2015 15:45:31 +0000 (15:45 +0000)]
update "cmsg" tests: it lost TAME_SELF flag.
deraadt [Tue, 6 Oct 2015 15:39:44 +0000 (15:39 +0000)]
Move from tame "cmsg" to tame "sendfd" or "recvfd", depending on which
way the process moves fd's.
semarie [Tue, 6 Oct 2015 15:24:54 +0000 (15:24 +0000)]
add some tests for rpath, wpath, cpath
deraadt [Tue, 6 Oct 2015 15:21:26 +0000 (15:21 +0000)]
Add new "tty" request, which allows TIOCGETA, TIOCGPGRP, TIOCGWINSZ,
TIOCSBRK, TIOCCDTR, TIOCSETA, TIOCSETAW, and TIOCSETAF on tty
vnodes. This helps programs which call tcsetattr(), tcgetattr(), or
readpassphrase(). Especially the latter - tame's goal is to satisfy
the libc requirements of security-sensitive programs.
Remove TIOCSETAF from the basic "ioctl" request, because it is a "set"
option. "ioctl" is slowly turning into a "request information, cannot
set options" package.
Split the "cmsg" request into "sendfd" and "recvfd". Non-SCM_RIGHTS
messages are currently flowing through freely and we'll need to think
about that. This split lets us more strictly describe what our many
fd-passing programs will do.