From 4c738cc8dfcda4dd9f8b01ab736a275a5eeb36f7 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Fri, 9 Oct 2015 01:24:57 +0000
Subject: [PATCH] tame -> pledge conversion, in libc. I should crank libc, but am cheating hoping things go well. The old symbol is faked via a stupid stub function, until next major crank when it can be removed. I am expecting guenther to scream at me.
---
 lib/libc/Symbols.list | 6 ++++--
 lib/libc/sys/Makefile.inc | 12 ++++++------
 lib/libc/sys/{tame.2 => pledge.2} | 22 +++++++++++-----------
 lib/libc/sys/tame.c | 17 +++++++++++++++++
 4 files changed, 38 insertions(+), 19 deletions(-)
 rename lib/libc/sys/{tame.2 => pledge.2} (97%)
 create mode 100644 lib/libc/sys/tame.c
diff --git a/lib/libc/Symbols.list b/lib/libc/Symbols.list
index 45f2cfb78f0..87186ac0f22 100644
--- a/lib/libc/Symbols.list
+++ b/lib/libc/Symbols.list
@@ -162,8 +162,9 @@ _thread_sys_nfssvc
 _thread_sys_open
 _thread_sys_openat
 _thread_sys_pathconf
-_thread_sys_pipe2
 _thread_sys_pipe
+_thread_sys_pipe2
+_thread_sys_pledge
 _thread_sys_poll
 _thread_sys_ppoll
 _thread_sys_pread
@@ -354,8 +355,9 @@ nfssvc
 open
 openat
 pathconf
-pipe2
 pipe
+pipe2
+pledge
 poll
 posix_madvise
 ppoll
diff --git a/lib/libc/sys/Makefile.inc b/lib/libc/sys/Makefile.inc
index b3d83a013c3..50413efb932 100644
--- a/lib/libc/sys/Makefile.inc
+++ b/lib/libc/sys/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.130 2015/09/13 17:08:03 guenther Exp $
+# $OpenBSD: Makefile.inc,v 1.131 2015/10/09 01:24:57 deraadt Exp $
 # $NetBSD: Makefile.inc,v 1.35 1995/10/16 23:49:07 jtc Exp $
 # @(#)Makefile.inc 8.1 (Berkeley) 6/17/93
 
@@ -17,7 +17,7 @@ SRCS+= posix_madvise.c w_fork.c
 # with old syscall interfaces.
 SRCS+= ftruncate.c lseek.c mquery.c mmap.c ptrace.c semctl.c truncate.c \
 timer_create.c timer_delete.c timer_getoverrun.c timer_gettime.c \
- timer_settime.c pread.c preadv.c pwrite.c pwritev.c
+ timer_settime.c pread.c preadv.c pwrite.c pwritev.c tame.c
 
 # stack protector helper functions
 SRCS+= stack_protector.c
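Review bot: Both Symbols.list hunks add `_thread_sys_pledge` and `pledge` but leave any existing `_thread_sys_tame` / `tame` entries untouched, while the Makefile.inc hunk at @@ -56 drops tame.o from the ASM list and the new sys/tame.c defines only `tame`. If the file still lists `_thread_sys_tame` (it is not visible in these hunks), that entry now names a symbol no libc object provides and should presumably be removed in the same commit; `tame` itself should stay listed only for as long as the stub in sys/tame.c exists. The incidental reordering of `pipe`/`pipe2` is fine but is unrelated to the rename and would be clearer as its own change.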
@@ -45,7 +45,7 @@ ASM= __get_tcb.o __getcwd.o __semctl.o __set_tcb.o __syscall.o \
 mknod.o mknodat.o mlock.o mlockall.o mount.o mprotect.o \
 msgctl.o msgget.o msgrcv.o msgsnd.o msync.o munlock.o \
 munlockall.o munmap.o nanosleep.o nfssvc.o \
- open.o openat.o pathconf.o pipe.o pipe2.o \
+ open.o openat.o pathconf.o pipe.o pipe2.o pledge.o \
 poll.o ppoll.o profil.o pselect.o \
 quotactl.o read.o readlink.o readlinkat.o readv.o reboot.o \
 recvfrom.o recvmsg.o rename.o renameat.o revoke.o rmdir.o \
@@ -56,7 +56,7 @@ ASM= __get_tcb.o __getcwd.o __semctl.o __set_tcb.o __syscall.o \
 settimeofday.o setuid.o shmat.o shmctl.o shmdt.o \
 shmget.o shutdown.o sigaction.o sigaltstack.o socket.o \
 socketpair.o stat.o statfs.o swapctl.o symlink.o symlinkat.o \
- sync.o sysarch.o sysctl.o tame.o umask.o unlink.o unlinkat.o \
+ sync.o sysarch.o sysctl.o umask.o unlink.o unlinkat.o \
 unmount.o utimensat.o utimes.o utrace.o wait4.o write.o writev.o
 
 SRCS+= ${SRCS_${MACHINE_CPU}}
@@ -142,7 +142,7 @@ MAN+= __get_tcb.2 __thrsigdivert.2 __thrsleep.2 _exit.2 accept.2 \
 mincore.2 minherit.2 mkdir.2 mkfifo.2 mknod.2 mlock.2 \
 mlockall.2 mmap.2 mount.2 mprotect.2 mquery.2 msgctl.2 \
 msgget.2 msgrcv.2 msgsnd.2 msync.2 munmap.2 nanosleep.2 \
- nfssvc.2 open.2 pathconf.2 pipe.2 poll.2 profil.2 \
+ nfssvc.2 open.2 pathconf.2 pipe.2 pledge.2 poll.2 profil.2 \
 ptrace.2 quotactl.2 read.2 readlink.2 reboot.2 recv.2 \
 rename.2 revoke.2 rmdir.2 sched_yield.2 select.2 semctl.2 semget.2 \
 semop.2 send.2 setgroups.2 setpgid.2 setregid.2 \
@@ -150,7 +150,7 @@ MAN+= __get_tcb.2 __thrsigdivert.2 __thrsleep.2 _exit.2 accept.2 \
 shmctl.2 shmget.2 shutdown.2 sigaction.2 sigaltstack.2 sigpending.2 \
 sigprocmask.2 sigreturn.2 sigsuspend.2 socket.2 \
 socketpair.2 stat.2 statfs.2 swapctl.2 symlink.2 \
- sync.2 sysarch.2 syscall.2 tame.2 truncate.2 umask.2 unlink.2 \
+ sync.2 sysarch.2 syscall.2 truncate.2 umask.2 unlink.2 \
 utimes.2 utrace.2 vfork.2 wait.2 write.2
 
 MLINKS+=__get_tcb.2 __set_tcb.2
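Review bot: Hunk @@ -150 removes tame.2 from MAN without adding a corresponding MLINKS entry, so `man tame` stops resolving even though `tame` remains callable through the new compatibility stub in sys/tame.c. While the stub exists, `MLINKS+=pledge.2 tame.2` in the MLINKS list would keep the old name documented and direct readers to pledge(2); the MLINKS list itself continues past the end of this hunk. Hunk @@ -56 drops tame.o from the ASM syscall stubs, which is consistent with the stub replacing the raw syscall wrapper, but it would help to tie tame.c to the removal plan stated in the commit message with a comment in the earlier SRCS hunk, e.g. `# tame.c: pledge(2) wrapper kept until the next major libc crank`.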
diff --git a/lib/libc/sys/tame.2 b/lib/libc/sys/pledge.2
similarity index 97%
rename from lib/libc/sys/tame.2
rename to lib/libc/sys/pledge.2
index 5357435c6c8..578f3e4a515 100644
--- a/lib/libc/sys/tame.2
+++ b/lib/libc/sys/pledge.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tame.2,v 1.31 2015/10/04 20:47:16 djm Exp $
+.\" $OpenBSD: pledge.2,v 1.1 2015/10/09 01:24:57 deraadt Exp $
 .\"
 .\" Copyright (c) 2015 Nicholas Marriott
 .\"
@@ -14,16 +14,16 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 4 2015 $
-.Dt TAME 2
+.Dd $Mdocdate: October 9 2015 $
+.Dt PLEDGE 2
 .Os
 .Sh NAME
-.Nm tame
+.Nm pledge
 .Nd restrict system operations
 .Sh SYNOPSIS
 .In unistd.h
 .Ft int
-.Fn tame "const char *request" "const char *paths[]"
+.Fn pledge "const char *request" "const char *paths[]"
 .Sh DESCRIPTION
 The current process is forced into a restricted-service operating mode.
 A few subsets are available, roughly described as computation, memory
@@ -36,11 +36,11 @@ or
 .Ar paths .
 .Pp
 Use of
-.Fn tame
+.Fn pledge
 in an application will require at least some study and understanding
 of the interfaces called.
 Subsequent calls to
-.Fn tame
+.Fn pledge
 can reduce the abilities further, but abilities can never be regained.
 .Pp
 A process which attempts a restricted operation is killed with
@@ -149,7 +149,7 @@ support:
 .Xr uname 3 ,
 system sensor readings.
 .Pp
-.It Xr tame 2
+.It Xr pledge 2
 Can only reduce permissions; can only set a list of
 .Pa paths
 once.
@@ -419,7 +419,7 @@ All other paths will return
 .Sh RETURN VALUES
 .Rv -std
 .Sh ERRORS
-.Fn tame
+.Fn pledge
 will fail if:
 .Bl -tag -width Er
 .It Bq Er EFAULT
@@ -445,12 +445,12 @@ The limit in the system as released is 262144 bytes
 .El
 .Sh HISTORY
 The
-.Fn tame
+.Fn pledge
 system call appeared in
 .Ox 5.8 .
 .Sh CAVEATS
 It is not possible to
 .Xr systrace 4
 a
-.Fn tame
+.Fn pledge
 program.
diff --git a/lib/libc/sys/tame.c b/lib/libc/sys/tame.c
new file mode 100644
index 00000000000..4774a17afeb
--- /dev/null
+++ b/lib/libc/sys/tame.c
@@ -0,0 +1,17 @@
+/* $OpenBSD: tame.c,v 1.1 2015/10/09 01:24:57 deraadt Exp $ */
+/*
+ * Written by Artur Grabowski Public Domain
+ */
+
+#include
+#include
+#include
+
+int tame(const char *req, const char **paths);
+
+int
+tame(const char *req, const char **paths)
+{
+ return (pledge(req, paths));
+}
+DEF_WEAK(mquery);
-- 
2.20.1
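Review bot: `DEF_WEAK(mquery);` on the last added line names the wrong symbol: this file defines `tame`, so the line should read `DEF_WEAK(tame);`. As written, no weak alias is created for `tame`, and the line presumably re-emits the alias for mquery that mquery.c already provides; together with the "Written by Artur Grabowski" header it looks like a leftover from the file this stub was copied from, so the attribution should be checked as well. The stub also deserves a comment recording why it exists and when it goes away, e.g. `/* Compatibility stub: tame(2) was renamed pledge(2); drop at the next major libc crank. */` above the definition, since the local prototype (rather than a declaration in unistd.h) is the only hint that the name is no longer public.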