openbsd
9 years agotame "stdio rpath getpw". getpw is for user_from_uid(), which is a libc
deraadt [Wed, 7 Oct 2015 14:05:07 +0000 (14:05 +0000)]
tame "stdio rpath getpw". getpw is for user_from_uid(), which is a libc
cache on top of the getpw* functions.
ok semarie, who didn't spot the getpw need :)

9 years agogetaddrinfo_async() shouldn't unconditionally intialize the resolver
deraadt [Wed, 7 Oct 2015 13:59:34 +0000 (13:59 +0000)]
getaddrinfo_async() shouldn't unconditionally intialize the resolver
via _asr_use_resolver().  If the hint specifies for AI_NUMERICHOST,
create a transient lookup context which won't try to open /etc/reslov.conf
ok eric guenther

9 years agogetaddrinfo() should not res_init() unconditionally, but allow lower
deraadt [Wed, 7 Oct 2015 13:57:12 +0000 (13:57 +0000)]
getaddrinfo() should not res_init() unconditionally, but allow lower
layers to decide.  The request could be AI_NUMERICHOST.  [And the process
could be tame()-constrained to not open /etc/resolv.conf]
ok eric guenther

9 years agoinclude <sys/time.h> for gettimeofday(2)
bcook [Wed, 7 Oct 2015 13:20:48 +0000 (13:20 +0000)]
include <sys/time.h> for gettimeofday(2)

9 years agorn_inithead() offset argument is now specified in byte, missed in previous.
mpi [Wed, 7 Oct 2015 11:57:44 +0000 (11:57 +0000)]
rn_inithead() offset argument is now specified in byte, missed in previous.

9 years agoMake rtable_get() private to ensure it won't be used outside of
mpi [Wed, 7 Oct 2015 11:39:49 +0000 (11:39 +0000)]
Make rtable_get() private to ensure it won't be used outside of
net/rtable.c.  This will ease the introduction of rtable_put().

Routing tables are mapped to a tuple (idx, af) so the public API
should as much as possible require these two keys.

ok dlg@

9 years agoInitialize the routing table before domains.
mpi [Wed, 7 Oct 2015 10:50:35 +0000 (10:50 +0000)]
Initialize the routing table before domains.

The routing table is not an optional component of the network stack
and initializing it inside the "routing domain" requires some ugly
introspection in the domain interface.

This put the rtable* layer at the same level of the if* level.  These
two subsystem are organized around the two global data structure used
in the network stack:

- the global &ifnet list, to be used in process context only, and
- the routing table which can be read in interrupt context.

This change makes the rtable_* layer domain-aware and extends the
"struct domain" such that INET, INET6 and MPLS can specify the length
of the binary key used in lookups.  This allows us to keep, or move
towards, AF-free route and rtable layers.

While here stop the madness and pass the size of the maximum key length
in *byte* to rn_inithead0().

ok claudio@, mikeb@

9 years agoCorrect handling of enum attributes with g++
jsg [Wed, 7 Oct 2015 10:26:23 +0000 (10:26 +0000)]
Correct handling of enum attributes with g++

gcc and g++ can currently have different ideas on the size of a
packed enum type:

enum __attribute__((packed)) foo { a = 0, b};

gcc: 1
g++: 4

enum foo { a = 0, b} __attribute__((packed));

gcc: 1
g++: 1

The first format is actually the preferred one according to the
documentation.
https://gcc.gnu.org/onlinedocs/gcc-4.2.1/gcc/Type-Attributes.html
g++ will accept the first format and silently not actually choose a
smaller size.

This was responsible for memory corruption with recent versions
of Mesa where c and c++ code share a header with a packed enum type.

The problem was reported in
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=39219
and fixed in gcc >= 4.3.6 in rev 144284.
This was after the switch from gplv2 but it's a trivial one line change.

ok guenther@ deraadt@ kettenis@

9 years agoIn i915_gem_fault(), move the "out" label after the switch state such that we
kettenis [Wed, 7 Oct 2015 09:53:00 +0000 (09:53 +0000)]
In i915_gem_fault(), move the "out" label after the switch state such that we
don't interpret one of the VM_PAGER_XXX return values as an unhandled errno
value and return the intended code instead of VM_PAGER_ERROR.

ok jsg@

9 years agoCouple of memory leaks in error paths, from Frederik Vanderstraeten.
nicm [Wed, 7 Oct 2015 09:52:58 +0000 (09:52 +0000)]
Couple of memory leaks in error paths, from Frederik Vanderstraeten.

9 years agoMove route entry debug helpers where they belong.
mpi [Wed, 7 Oct 2015 08:58:01 +0000 (08:58 +0000)]
Move route entry debug helpers where they belong.

9 years agoMove the reference counting of a newly created route entry inside
mpi [Wed, 7 Oct 2015 08:43:36 +0000 (08:43 +0000)]
Move the reference counting of a newly created route entry inside
rtable_insert().

inputs and ok bluhm@

9 years agoDo not call bpf_catchpacket() if another CPU detached a file from the
mpi [Wed, 7 Oct 2015 08:41:01 +0000 (08:41 +0000)]
Do not call bpf_catchpacket() if another CPU detached a file from the
corresponding interface.

bfp_tap() and _bpf_mtap() are mostly run without the KERNEL_LOCK.  The
use of SRPs in these functions gives us the guarantees that manipulated
BPF descriptors are alive but not the associated interface desctiptor!
And indeed they can be cleared by another CPU running bpf_detachd().

Prevent a race reported by Hrvoje Popovski when closing tcpdump(8) with
an IPL_MPSAFE ix(4).

ok mikeb@, dlg@, deraadt@

9 years agotame "stdio rpath". could go crazy and handle the non-filename case,
deraadt [Wed, 7 Oct 2015 07:00:01 +0000 (07:00 +0000)]
tame "stdio rpath".  could go crazy and handle the non-filename case,
but i am feeling some fatigue.

9 years agotame "stdio rpath" initially. if no files, go to tame "stdio".
deraadt [Wed, 7 Oct 2015 06:55:10 +0000 (06:55 +0000)]
tame "stdio rpath" initially.  if no files, go to tame "stdio".

9 years agotame "stdio rpath getpw" before getpwuid and opening, then tame "stdio"
deraadt [Wed, 7 Oct 2015 06:51:50 +0000 (06:51 +0000)]
tame "stdio rpath getpw" before getpwuid and opening, then tame "stdio"

9 years agotame "stdio rpath wpath cpath tmppath tty". "tty" is the important part
deraadt [Wed, 7 Oct 2015 06:44:01 +0000 (06:44 +0000)]
tame "stdio rpath wpath cpath tmppath tty".  "tty" is the important part
here, permitting use of readpassphrase()

9 years agotame "stdio rpath wpath cpath" covers mkstemp (O_RDONLY|O_CREAT),
deraadt [Wed, 7 Oct 2015 06:43:15 +0000 (06:43 +0000)]
tame "stdio rpath wpath cpath" covers mkstemp (O_RDONLY|O_CREAT),
mkdtemp(), and unlink()

9 years agotame "stdio". It would take some doing for this to contain a bug, but
deraadt [Wed, 7 Oct 2015 06:39:16 +0000 (06:39 +0000)]
tame "stdio".  It would take some doing for this to contain a bug, but
just in case -- now it can barely do anything when it goes wrong.

9 years agotame "stdio". I doubt there is a bug in the environment parsing code.
deraadt [Wed, 7 Oct 2015 06:35:19 +0000 (06:35 +0000)]
tame "stdio".  I doubt there is a bug in the environment parsing code.
But if there is, and this program is taken control of, it is quite limited
in the system calls it can do.

9 years agotame "stdio rpath wpath cpath" handles all the cases of opening files
deraadt [Wed, 7 Oct 2015 06:33:31 +0000 (06:33 +0000)]
tame "stdio rpath wpath cpath" handles all the cases of opening files

9 years agopatch(1) can move to "stdio rpath wpath cpath tmppath fattr proc exec"
deraadt [Wed, 7 Oct 2015 06:29:26 +0000 (06:29 +0000)]
patch(1) can move to "stdio rpath wpath cpath tmppath fattr proc exec"
(adding proc exec), now that "exec" has arrived in the kernel.  This
permits the dangerous game of feeding ed-style diffs with popen() via
/bin/ed.  Shocked yet?  Your mission, should you choose to accept it,
is to replace this code with an builtin ed-style patcher, maybe cribbing
code from ed itself.

I'm sorry, but we can't fix the entire world all at once.  Noone loves
deprecating standarized features as much as we do, but there are some
lines.  Maybe if people become aware of how crappy the implimentations
of some standard features are, they could help decide the path.

9 years agotame "stdio rpath"
deraadt [Wed, 7 Oct 2015 06:18:00 +0000 (06:18 +0000)]
tame "stdio rpath"

9 years agotame "stdio rpath"
deraadt [Wed, 7 Oct 2015 06:15:51 +0000 (06:15 +0000)]
tame "stdio rpath"

9 years agotame "stdio rpath wpath cpath" or a more mundane "stdio rpath", depending
deraadt [Wed, 7 Oct 2015 06:00:33 +0000 (06:00 +0000)]
tame "stdio rpath wpath cpath" or a more mundane "stdio rpath", depending
on which arguments the programs are run under.
ok doug

9 years agotame "stdio rpath wpath". rpath is for localtime() and mktime(),
deraadt [Wed, 7 Oct 2015 05:59:36 +0000 (05:59 +0000)]
tame "stdio rpath wpath".  rpath is for localtime() and mktime(),
while wpath is for logwtmp(), a bit pessimistically since it is not clear
what could happen.
This is done AFTER the time is potentially set, since settimeofday() is
not available to us.  Improvements and tests would be welcome.

9 years agotame "stdio rpath wpath cpath proc exec tty". proc and exec because ed
deraadt [Wed, 7 Oct 2015 05:37:42 +0000 (05:37 +0000)]
tame "stdio rpath wpath cpath proc exec tty".  proc and exec because ed
it is a shell (it has a !command).  tty because it uses TIOCGWINSZ in
a SIGWINCH handler.

9 years agotame "stdio inet rpath cpath wpath proc" seems to be sufficient for
deraadt [Wed, 7 Oct 2015 05:21:41 +0000 (05:21 +0000)]
tame "stdio inet rpath cpath wpath proc" seems to be sufficient for
all the wading in here.  "proc" is for the speed command, which fork()'s.
ok doug

9 years agomove from tame "ioctl" to tame "tty", which provides a better fit for
deraadt [Wed, 7 Oct 2015 05:08:27 +0000 (05:08 +0000)]
move from tame "ioctl" to tame "tty", which provides a better fit for
this program which uses tcgetattr().  the tcsetattr() calls are outside
the tame regions.

9 years agotame "stdio getpw rpath wpath tty". "tty" allows this to use
deraadt [Wed, 7 Oct 2015 04:05:24 +0000 (04:05 +0000)]
tame "stdio getpw rpath wpath tty".  "tty" allows this to use
readpassphrase().

9 years agoWe continue our tour through obscure BSD <word escapes me>. This stdio-based
deraadt [Wed, 7 Oct 2015 04:03:57 +0000 (04:03 +0000)]
We continue our tour through obscure BSD <word escapes me>.   This stdio-based
program may open files arbitrarily, so tame "stdio rpath" it from the start.

9 years agotame "stdio rpath" at the start, then potentially some files are opened.
deraadt [Wed, 7 Oct 2015 04:00:45 +0000 (04:00 +0000)]
tame "stdio rpath" at the start, then potentially some files are opened.
After that, tame "stdio" because that's all this program does.

9 years agotame "stdio rpath wpath cpath" to cover all the file opening cases.
deraadt [Wed, 7 Oct 2015 03:50:10 +0000 (03:50 +0000)]
tame "stdio rpath wpath cpath" to cover all the file opening cases.
ok doug

9 years agotame "stdio rpath" for when paths are specified; otherwise tame "stdio"
deraadt [Wed, 7 Oct 2015 03:49:41 +0000 (03:49 +0000)]
tame "stdio rpath" for when paths are specified; otherwise tame "stdio"
for the stdin case.
ok doug

9 years agoAdd the tame "exec" request. This allows processes which request
deraadt [Wed, 7 Oct 2015 03:47:43 +0000 (03:47 +0000)]
Add the tame "exec" request.  This allows processes which request
"exec" to call execve(2), potentially fork(2) beforehands if they
asked for "proc".  Calling execve is what "shells" (ksh, tmux, etc)
have as their primary purpose.  But meantime, if such a shell has a
nasty bug, we want to mitigate the process from opening a socket or
calling 100+ other system calls.  Unfortunately silver bullets are in
short supply, so if our goal is to stay in a POSIX-y environment, we
have to let shells call execve().  POSIX ate the world, so choices do
we all have?
Warning for many: silver bullets are even more rare in other OS
ecosystems, so please accept this as a narrow lowering of the bar in a
very raised environment.
Commited from a machine running tame "proc exec" ksh, make, etc.

9 years agoAdd initial support for installing UEFI boot files to a GTP EFI System
krw [Wed, 7 Oct 2015 03:06:46 +0000 (03:06 +0000)]
Add initial support for installing UEFI boot files to a GTP EFI System
Partition. Further work to be done in-tree.

ok deraadt@

9 years agodon't try to change tun device flags if they are already what
djm [Wed, 7 Oct 2015 00:54:06 +0000 (00:54 +0000)]
don't try to change tun device flags if they are already what
we need; makes it possible to use tun/tap networking as non-
root user if device permissions and interface flags are
pre-established; based on patch by Ossi Herrala

9 years agoNote permissions for the crc32() code adapted from Hacker's Delight.
krw [Wed, 7 Oct 2015 00:04:57 +0000 (00:04 +0000)]
Note permissions for the crc32() code adapted from Hacker's Delight.

Prompted by deraadt@.

9 years agoobvious tame "stdio". For those not keeping score, this is another
deraadt [Tue, 6 Oct 2015 23:01:43 +0000 (23:01 +0000)]
obvious tame "stdio".  For those not keeping score, this is another
program which has had string mismanagement bugs before, probably
of the exploitable fashion.. if used in the wrong kind of script..

9 years agotame "stdio rpath" if we have new files to open, otherwise tame "stdio".
deraadt [Tue, 6 Oct 2015 22:58:24 +0000 (22:58 +0000)]
tame "stdio rpath" if we have new files to open, otherwise tame "stdio".

9 years agoobvious tame "stdio"
deraadt [Tue, 6 Oct 2015 22:55:51 +0000 (22:55 +0000)]
obvious tame "stdio"

9 years agoRemove an old and broken test snippet, from Michael McConville. ok millert
nicm [Tue, 6 Oct 2015 21:35:16 +0000 (21:35 +0000)]
Remove an old and broken test snippet, from Michael McConville. ok millert

9 years agoDrop the silly and distracting ACCEPT and REJECT macros, from Michael
nicm [Tue, 6 Oct 2015 21:21:39 +0000 (21:21 +0000)]
Drop the silly and distracting ACCEPT and REJECT macros, from Michael
McConville. No binary change. ok millert tedu

9 years agoMove tree.c protos into tree.h, from Michael McConville, ok millert
nicm [Tue, 6 Oct 2015 21:19:06 +0000 (21:19 +0000)]
Move tree.c protos into tree.h, from Michael McConville, ok millert

9 years agooops, mistaken commit, spotted by naddy
deraadt [Tue, 6 Oct 2015 21:17:01 +0000 (21:17 +0000)]
oops, mistaken commit, spotted by naddy

9 years ago0xffffffff is 32 bits, not 24 bits
matthew [Tue, 6 Oct 2015 20:49:32 +0000 (20:49 +0000)]
0xffffffff is 32 bits, not 24 bits

ok deraadt

9 years agoWith growing functionality, the synopsis became long and confusing.
schwarze [Tue, 6 Oct 2015 18:46:05 +0000 (18:46 +0000)]
With growing functionality, the synopsis became long and confusing.
The syntax of some subcommands has almost nothing in common with the
syntax of others.  So split the synopsis to make it more readable.
"if you feel it helps, go for it"  jmc@ ajacoutot@

9 years agouse ellipsis for arguments that can be repeated;
schwarze [Tue, 6 Oct 2015 18:35:55 +0000 (18:35 +0000)]
use ellipsis for arguments that can be repeated;
ok ajacoutot@ jmc@

9 years agoA process should be able to do sigpending for itself
deraadt [Tue, 6 Oct 2015 18:35:09 +0000 (18:35 +0000)]
A process should be able to do sigpending for itself

9 years agomodernize style: "return" is not a function; ok cmp(1)
schwarze [Tue, 6 Oct 2015 18:30:43 +0000 (18:30 +0000)]
modernize style: "return" is not a function; ok cmp(1)

9 years agoFor TAME_PROC, allow setrlimit()
deraadt [Tue, 6 Oct 2015 18:15:02 +0000 (18:15 +0000)]
For TAME_PROC, allow setrlimit()

9 years agofix flowsrc spec, ok florian, thx ingo!
benno [Tue, 6 Oct 2015 17:23:21 +0000 (17:23 +0000)]
fix flowsrc spec, ok florian, thx ingo!

9 years agoWhen "proc" is requested, allow setpgid() and sigsuspend().
deraadt [Tue, 6 Oct 2015 17:05:30 +0000 (17:05 +0000)]
When "proc" is requested, allow setpgid() and sigsuspend().
Also the combination of "proc tty" needs to permit TIOCSPGRP.

This is the start at minimum semantics required by processes which
work on process groups, sessions, ttys.

9 years agowe're running rm. call it rm too.
tedu [Tue, 6 Oct 2015 16:51:15 +0000 (16:51 +0000)]
we're running rm. call it rm too.

9 years agoupdate "cmsg" tests: it lost TAME_SELF flag.
semarie [Tue, 6 Oct 2015 15:45:31 +0000 (15:45 +0000)]
update "cmsg" tests: it lost TAME_SELF flag.

9 years agoMove from tame "cmsg" to tame "sendfd" or "recvfd", depending on which
deraadt [Tue, 6 Oct 2015 15:39:44 +0000 (15:39 +0000)]
Move from tame "cmsg" to tame "sendfd" or "recvfd", depending on which
way the process moves fd's.

9 years agoadd some tests for rpath, wpath, cpath
semarie [Tue, 6 Oct 2015 15:24:54 +0000 (15:24 +0000)]
add some tests for rpath, wpath, cpath

9 years agoAdd new "tty" request, which allows TIOCGETA, TIOCGPGRP, TIOCGWINSZ,
deraadt [Tue, 6 Oct 2015 15:21:26 +0000 (15:21 +0000)]
Add new "tty" request, which allows TIOCGETA, TIOCGPGRP, TIOCGWINSZ,
TIOCSBRK, TIOCCDTR, TIOCSETA, TIOCSETAW, and TIOCSETAF on tty
vnodes. This helps programs which call tcsetattr(), tcgetattr(), or
readpassphrase().  Especially the latter - tame's goal is to satisfy
the libc requirements of security-sensitive programs.

Remove TIOCSETAF from the basic "ioctl" request, because it is a "set"
option. "ioctl" is slowly turning into a "request information, cannot
set options" package.

Split the "cmsg" request into "sendfd" and "recvfd".  Non-SCM_RIGHTS
messages are currently flowing through freely and we'll need to think
about that.  This split lets us more strictly describe what our many
fd-passing programs will do.

9 years agoMake sure that tx_buffer->next_eop is properly set before we bump the number
kettenis [Tue, 6 Oct 2015 15:21:16 +0000 (15:21 +0000)]
Make sure that tx_buffer->next_eop is properly set before we bump the number
of available descriptors, such that the interrupt handler doesn't attempt
to complete partially initialized descriptors.  Seems to fix the watchdog
timeouts reported by various people.

Tested by Mattieu Baptiste and Gregor Best.
ok mikeb@

9 years agoRemove the -C option that converts an S/Key database to the new format. It has
tim [Tue, 6 Oct 2015 15:09:08 +0000 (15:09 +0000)]
Remove the -C option that converts an S/Key database to the new format. It has
been 13 years since the new format was introduced.

OK millert@

9 years agoDon't burden keycrunch_{md5,sha1,rmd160}() with identical code to prepare a
tim [Tue, 6 Oct 2015 15:07:45 +0000 (15:07 +0000)]
Don't burden keycrunch_{md5,sha1,rmd160}() with identical code to prepare a
buffer based on whether they are called by keycrunch() or f(). Instead let
keycrunch() and f() take care of this themselves.

OK millert@

9 years agoUpdate path in comment; OK millert@
tim [Tue, 6 Oct 2015 15:06:29 +0000 (15:06 +0000)]
Update path in comment; OK millert@

9 years agoclear out some more legacy code and whatnot
tedu [Tue, 6 Oct 2015 14:58:37 +0000 (14:58 +0000)]
clear out some more legacy code and whatnot

9 years agoRework the tame cmsg handler to make it work both ways. While on recv one
claudio [Tue, 6 Oct 2015 14:55:41 +0000 (14:55 +0000)]
Rework the tame cmsg handler to make it work both ways. While on recv one
mbuf blob with all the cmsgs inside while on send cmsgs in an mbuf chain,
one mbuf per message. Adjust the calls accordingly.
Putting it in so deraadt@ can move forward.

9 years agormdir() is just a CPATH operation; remove RPATH marker that snuck in.
deraadt [Tue, 6 Oct 2015 14:39:07 +0000 (14:39 +0000)]
rmdir() is just a CPATH operation; remove RPATH marker that snuck in.

9 years agoMake sure that all padding bytes in cmsgs are actually zero by memset
claudio [Tue, 6 Oct 2015 14:38:32 +0000 (14:38 +0000)]
Make sure that all padding bytes in cmsgs are actually zero by memset
CMSG_SIZE(len) bytes of the mbuf.

9 years agooops, namei was never allowing through valid CPATH operations
deraadt [Tue, 6 Oct 2015 14:38:23 +0000 (14:38 +0000)]
oops, namei was never allowing through valid CPATH operations

9 years agoAdd getrusage() to the TAME_SELF catagory.
deraadt [Tue, 6 Oct 2015 14:02:49 +0000 (14:02 +0000)]
Add getrusage() to the TAME_SELF catagory.

9 years agoFix buf leak in error path. ok gilles@ eric@
stsp [Tue, 6 Oct 2015 14:02:25 +0000 (14:02 +0000)]
Fix buf leak in error path. ok gilles@ eric@

9 years agoonly modifies data, stdin to stdout, so tame "stdout"
deraadt [Tue, 6 Oct 2015 13:49:33 +0000 (13:49 +0000)]
only modifies data, stdin to stdout, so tame "stdout"

9 years agouse tame "stdio rpath wpath cpath fattr". There is some timezone
deraadt [Tue, 6 Oct 2015 13:48:34 +0000 (13:48 +0000)]
use tame "stdio rpath wpath cpath fattr".  There is some timezone
database stuff here which goes further than most programs, but the
neccessary files are readable using "rpath".

9 years agosimple tame "stdio rpath"
deraadt [Tue, 6 Oct 2015 13:47:08 +0000 (13:47 +0000)]
simple tame "stdio rpath"

9 years agotame "stdio rpath" before opening the file, tame "stdio" after that
deraadt [Tue, 6 Oct 2015 13:29:56 +0000 (13:29 +0000)]
tame "stdio rpath" before opening the file, tame "stdio" after that

9 years agoprefer limits.h over sys/limits.h
bcook [Tue, 6 Oct 2015 12:54:24 +0000 (12:54 +0000)]
prefer limits.h over sys/limits.h

ok deraadt@

9 years agoSimple update for pdf, from file 5.x.
nicm [Tue, 6 Oct 2015 09:29:13 +0000 (09:29 +0000)]
Simple update for pdf, from file 5.x.

9 years agoMake iwm(4) set the MAC address the same way other wireless drivers do.
stsp [Tue, 6 Oct 2015 09:12:00 +0000 (09:12 +0000)]
Make iwm(4) set the MAC address the same way other wireless drivers do.
ok mpi@

9 years agowe don't need this temporary buffer since we're going to strdup() it right
gilles [Tue, 6 Oct 2015 08:51:35 +0000 (08:51 +0000)]
we don't need this temporary buffer since we're going to strdup() it right
away anyways

ok eric@

9 years agoAnother simple update for xwindows, from 5.x.
nicm [Tue, 6 Oct 2015 08:51:00 +0000 (08:51 +0000)]
Another simple update for xwindows, from 5.x.

9 years agoLog the matched offset (and the new offset) instead of just of the new
nicm [Tue, 6 Oct 2015 08:20:10 +0000 (08:20 +0000)]
Log the matched offset (and the new offset) instead of just of the new
offset (as if it was where the match was found).

9 years agossh and ssl key file magic, from file 5.x.
nicm [Tue, 6 Oct 2015 08:13:03 +0000 (08:13 +0000)]
ssh and ssl key file magic, from file 5.x.

9 years agoAnother simple update from file 5.x.
nicm [Tue, 6 Oct 2015 08:12:30 +0000 (08:12 +0000)]
Another simple update from file 5.x.

9 years agofix snprintf() error checking in token expansion code, these can't possibly
gilles [Tue, 6 Oct 2015 06:44:47 +0000 (06:44 +0000)]
fix snprintf() error checking in token expansion code, these can't possibly
fail but it's no excuse for getting the checks wrong.

spotted by qualys

9 years agofix chdir() call for the sake of correctness
gilles [Tue, 6 Oct 2015 06:07:28 +0000 (06:07 +0000)]
fix chdir() call for the sake of correctness

reported by qualys

9 years agofix values passed to umask(), they should be octal.
gilles [Tue, 6 Oct 2015 06:04:46 +0000 (06:04 +0000)]
fix values passed to umask(), they should be octal.
the permissions are even more restrictive than they should.

misc bug reported by qualys

9 years agodo not need ioctl.h
deraadt [Tue, 6 Oct 2015 06:03:11 +0000 (06:03 +0000)]
do not need ioctl.h

9 years agoObvious tame "stdio rpath wpath cpath" to a program I will never use.
deraadt [Tue, 6 Oct 2015 05:51:01 +0000 (05:51 +0000)]
Obvious tame "stdio rpath wpath cpath" to a program I will never use.

9 years agofix reallocarray() constructs to always use temporary variable
gilles [Tue, 6 Oct 2015 05:48:34 +0000 (05:48 +0000)]
fix reallocarray() constructs to always use temporary variable

9 years agoEnable ioctl() in the "rw" request, to support FIONREAD/FIONBIO easier
deraadt [Tue, 6 Oct 2015 05:42:12 +0000 (05:42 +0000)]
Enable ioctl() in the "rw" request, to support FIONREAD/FIONBIO easier
for the stdio/libevent usage case.  Further ioctl commands are narrowly
checked as before.
ok djm guenther semarie

9 years agothese do not use ioctl.h
deraadt [Tue, 6 Oct 2015 03:29:49 +0000 (03:29 +0000)]
these do not use ioctl.h

9 years agostruct knote's kn_sdata needs to be the same type as struct kevent's data
guenther [Tue, 6 Oct 2015 03:29:35 +0000 (03:29 +0000)]
struct knote's kn_sdata needs to be the same type as struct kevent's data

ok deraadt@

9 years agotame "stdio getpw"
deraadt [Tue, 6 Oct 2015 03:27:25 +0000 (03:27 +0000)]
tame "stdio getpw"
discussed with guenther

9 years agodata processing stdin to stdout; tame "stdout"
deraadt [Tue, 6 Oct 2015 03:26:31 +0000 (03:26 +0000)]
data processing stdin to stdout; tame "stdout"

9 years agounfortunately tame "stdio" can only happen well after the sequence of:
deraadt [Tue, 6 Oct 2015 03:25:02 +0000 (03:25 +0000)]
unfortunately tame "stdio" can only happen well after the sequence of:
utmp parsing, tty opening, setresgid to drop privs.  it only protects
a basic io loop.
discussed with doug

9 years agoadapt to recent sshkey_parse_private_fileblob() API change
djm [Tue, 6 Oct 2015 01:20:59 +0000 (01:20 +0000)]
adapt to recent sshkey_parse_private_fileblob() API change

9 years agoThe performance hit for -fstack-protector-all is worth it here.
deraadt [Tue, 6 Oct 2015 00:30:30 +0000 (00:30 +0000)]
The performance hit for -fstack-protector-all is worth it here.
ok gilles

9 years agoAppears that tame "stdio getpw rpath" will satisfy all code paths.
deraadt [Tue, 6 Oct 2015 00:24:20 +0000 (00:24 +0000)]
Appears that tame "stdio getpw rpath" will satisfy all code paths.

9 years agoDuring getopt(), an optional file may be opened. After that, tame "stdio"
deraadt [Mon, 5 Oct 2015 23:59:11 +0000 (23:59 +0000)]
During getopt(), an optional file may be opened.  After that, tame "stdio"
works.

Time for some commentary!  tame became possible because syslog(3) in
openbsd uses a system call -- sendsyslog(2) -- which does not require
an elaborate dance opening an AF_UNIX socket and using connect() or
send() to deliver to a "/dev/log" unix socket in the filesystem.
sendsyslog(2) was invented to ensure the stack-protector's
__stack_smash_handler() can gaurantee delivery of failure messages to
syslogd(8) in harsh conditions -- such as file descriptor exhaustion
or inside chroot(2).  Now it also works in tame(2)'d proceses, since
sendsyslog(2) is always allowed.  Our syslog(3) needs no elaborate
socket code, therefore piles of software does not have an inate need
for socket(2), connect(2), send(2), nor access to the filesystem.
syslog(3) remains fully compatible otherwise.

How does the stack protector report an error in fully capsicum'd
program?  Or in some other Linux protection mechanism, if someone
protectes a program too far and takes sockets away, how do they see
the stack protector working?

You can have nice things when the underlying rules change.

9 years agotame "stdio rpath wpath cpath", because this program reads and creates
deraadt [Mon, 5 Oct 2015 23:42:40 +0000 (23:42 +0000)]
tame "stdio rpath wpath cpath", because this program reads and creates
files, using stdio.   It does nothing else.

9 years agoRemove EXTERN from lex.h and put the definitions in lex.c, from Michael
nicm [Mon, 5 Oct 2015 23:32:15 +0000 (23:32 +0000)]
Remove EXTERN from lex.h and put the definitions in lex.c, from Michael
McConville.

9 years agoRemove EXTERN from table.h and put the definitions in table.c, from
nicm [Mon, 5 Oct 2015 23:26:58 +0000 (23:26 +0000)]
Remove EXTERN from table.h and put the definitions in table.c, from
Michael McConville.