From 48d5baab488d060ca530a81473f04ff202973199 Mon Sep 17 00:00:00 2001 From: deraadt Date: Mon, 5 Oct 2015 23:59:11 +0000 Subject: [PATCH] During getopt(), an optional file may be opened. After that, tame "stdio" works. Time for some commentary! tame became possible because syslog(3) in openbsd uses a system call -- sendsyslog(2) -- which does not require an elaborate dance opening an AF_UNIX socket and using connect() or send() to deliver to a "/dev/log" unix socket in the filesystem. sendsyslog(2) was invented to ensure the stack-protector's __stack_smash_handler() can gaurantee delivery of failure messages to syslogd(8) in harsh conditions -- such as file descriptor exhaustion or inside chroot(2). Now it also works in tame(2)'d proceses, since sendsyslog(2) is always allowed. Our syslog(3) needs no elaborate socket code, therefore piles of software does not have an inate need for socket(2), connect(2), send(2), nor access to the filesystem. syslog(3) remains fully compatible otherwise. How does the stack protector report an error in fully capsicum'd program? Or in some other Linux protection mechanism, if someone protectes a program too far and takes sockets away, how do they see the stack protector working? You can have nice things when the underlying rules change. --- usr.bin/logger/logger.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/usr.bin/logger/logger.c b/usr.bin/logger/logger.c index 41d6e1fc569..01b8eb1f104 100644 --- a/usr.bin/logger/logger.c +++ b/usr.bin/logger/logger.c @@ -1,4 +1,4 @@ -/* $OpenBSD: logger.c,v 1.14 2015/04/18 18:28:37 deraadt Exp $ */ +/* $OpenBSD: logger.c,v 1.15 2015/10/05 23:59:11 deraadt Exp $ */ /* $NetBSD: logger.c,v 1.4 1994/12/22 06:27:00 jtc Exp $ */ /* @@ -37,6 +37,7 @@ #include #include #include +#include #define SYSLOG_NAMES #include @@ -92,6 +93,9 @@ main(int argc, char *argv[]) openlog(tag ? tag : getlogin(), logflags, 0); (void) fclose(stdout); + if (tame("stdio", NULL) == -1) + err(1, "tame"); + /* log input line if appropriate */ if (argc > 0) { char *p, *endp; -- 2.20.1