From 5c5d783283c9458e365e37184bd964f0ac3ed5aa Mon Sep 17 00:00:00 2001 From: deraadt Date: Mon, 18 Jul 2022 17:45:46 +0000 Subject: [PATCH] Delete the YPACTIVE toggling code when "getpw" code access/open are done to /var/run/ypbind.lock. "getpw" is now only allows ypconnect(2) and the minimum unveil bypasses. Still allow open/acesss to file for a little while, because getpwent/getgrent/etc were opening it unconditionally to hint for YPACTIVE. That code should be deleted before 7.2 --- sys/kern/kern_pledge.c | 99 ++++++++++++------------------------------ sys/sys/pledge.h | 3 +- 2 files changed, 28 insertions(+), 74 deletions(-) diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c index 76ee799627f..c3e62d4a751 100644 --- a/sys/kern/kern_pledge.c +++ b/sys/kern/kern_pledge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_pledge.c,v 1.288 2022/07/17 04:29:38 deraadt Exp $ */ +/* $OpenBSD: kern_pledge.c,v 1.289 2022/07/18 17:45:46 deraadt Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott @@ -169,28 +169,16 @@ const uint64_t pledge_syscalls[SYS_MAXSYSCALL] = { [SYS_pwrite] = PLEDGE_STDIO, [SYS_pwritev] = PLEDGE_STDIO, [SYS_recvmsg] = PLEDGE_STDIO, - [SYS_recvfrom] = PLEDGE_STDIO | PLEDGE_YPACTIVE, + [SYS_recvfrom] = PLEDGE_STDIO, [SYS_ftruncate] = PLEDGE_STDIO, [SYS_lseek] = PLEDGE_STDIO, [SYS_fpathconf] = PLEDGE_STDIO, -#if 1 - [SYS_pad_mquery] = PLEDGE_STDIO, - [SYS_pad_mmap] = PLEDGE_STDIO, - [SYS_pad_pread] = PLEDGE_STDIO, - [SYS_pad_preadv] = PLEDGE_STDIO, - [SYS_pad_pwrite] = PLEDGE_STDIO, - [SYS_pad_pwritev] = PLEDGE_STDIO, - [SYS_pad_ftruncate] = PLEDGE_STDIO, - [SYS_pad_lseek] = PLEDGE_STDIO, - [SYS_pad_truncate] = PLEDGE_WPATH, -#endif - /* * Address selection required a network pledge ("inet", * "unix", "dns". */ - [SYS_sendto] = PLEDGE_STDIO | PLEDGE_YPACTIVE, + [SYS_sendto] = PLEDGE_STDIO, /* * Address specification required a network pledge ("inet", @@ -361,17 +349,17 @@ const uint64_t pledge_syscalls[SYS_MAXSYSCALL] = { [SYS_lchown] = PLEDGE_CHOWN, [SYS_fchown] = PLEDGE_CHOWN, - [SYS_socket] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS | PLEDGE_YPACTIVE, - [SYS_connect] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS | PLEDGE_YPACTIVE, - [SYS_bind] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS | PLEDGE_YPACTIVE, - [SYS_getsockname] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS | PLEDGE_YPACTIVE, + [SYS_socket] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS, + [SYS_connect] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS, + [SYS_bind] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS, + [SYS_getsockname] = PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS, [SYS_listen] = PLEDGE_INET | PLEDGE_UNIX, [SYS_accept4] = PLEDGE_INET | PLEDGE_UNIX, [SYS_accept] = PLEDGE_INET | PLEDGE_UNIX, [SYS_getpeername] = PLEDGE_INET | PLEDGE_UNIX, - [SYS_flock] = PLEDGE_FLOCK | PLEDGE_YPACTIVE, + [SYS_flock] = PLEDGE_FLOCK, [SYS_ypconnect] = PLEDGE_GETPW, @@ -655,16 +643,15 @@ pledge_namei(struct proc *p, struct nameidata *ni, char *origpath) ni->ni_cnd.cn_flags |= BYPASSUNVEIL; return (0); } - - /* XXX delete chunk after ypconnect() is established */ - /* when avoiding YP mode, getpw* functions touch this */ - if (ni->ni_pledge == PLEDGE_RPATH && + /* + * XXX delete before 7.2. + * Old static binaries may try this file in getpwent and friends + */ + if ((ni->ni_pledge == PLEDGE_RPATH) && + (pledge & PLEDGE_GETPW) && strcmp(path, "/var/run/ypbind.lock") == 0) { - if (pledge & PLEDGE_GETPW) { - ni->ni_cnd.cn_flags |= BYPASSUNVEIL; - return (0); - } else - return (pledge_fail(p, error, PLEDGE_GETPW)); + ni->ni_cnd.cn_flags |= BYPASSUNVEIL; + return (0); } break; case SYS_open: @@ -723,27 +710,15 @@ pledge_namei(struct proc *p, struct nameidata *ni, char *origpath) } } + /* + * XXX delete before 7.2. + * Old static binaries may try this file in getpwent and friends + */ if ((ni->ni_pledge == PLEDGE_RPATH) && - (pledge & PLEDGE_GETPW)) { - /* XXX delete chunk after ypconnect() is established */ - if (strcmp(path, "/var/run/ypbind.lock") == 0) { - /* - * XXX - * The current hack for YP support in "getpw" - * is to enable some "inet" features until - * next pledge call. - */ - mtx_enter(&p->p_p->ps_mtx); - p->p_p->ps_pledge |= PLEDGE_YPACTIVE; - mtx_leave(&p->p_p->ps_mtx); - ni->ni_cnd.cn_flags |= BYPASSUNVEIL; - return (0); - } - if (strncmp(path, "/var/yp/binding/", - sizeof("/var/yp/binding/") - 1) == 0) { - ni->ni_cnd.cn_flags |= BYPASSUNVEIL; - return (0); - } + (pledge & PLEDGE_GETPW) && + strcmp(path, "/var/run/ypbind.lock") == 0) { + ni->ni_cnd.cn_flags |= BYPASSUNVEIL; + return (0); } /* tzset() needs these. */ @@ -1084,7 +1059,7 @@ pledge_sendit(struct proc *p, const void *to) if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return (0); - if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS | PLEDGE_YPACTIVE))) + if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX | PLEDGE_DNS))) return (0); /* may use address */ if (to == NULL) return (0); /* behaves just like write */ @@ -1418,7 +1393,7 @@ pledge_sockopt(struct proc *p, int set, int level, int optname) } } - if ((pledge & (PLEDGE_INET|PLEDGE_UNIX|PLEDGE_DNS|PLEDGE_YPACTIVE)) == 0) + if ((pledge & (PLEDGE_INET|PLEDGE_UNIX|PLEDGE_DNS)) == 0) return pledge_fail(p, EPERM, PLEDGE_INET); /* In use by some service libraries */ switch (level) { @@ -1442,25 +1417,6 @@ pledge_sockopt(struct proc *p, int set, int level, int optname) } } - /* YP may do these requests */ - if (pledge & PLEDGE_YPACTIVE) { - switch (level) { - case IPPROTO_IP: - switch (optname) { - case IP_PORTRANGE: - return (0); - } - break; - - case IPPROTO_IPV6: - switch (optname) { - case IPV6_PORTRANGE: - return (0); - } - break; - } - } - if ((pledge & (PLEDGE_INET|PLEDGE_UNIX)) == 0) return pledge_fail(p, EPERM, PLEDGE_INET); switch (level) { @@ -1558,8 +1514,7 @@ pledge_socket(struct proc *p, int domain, unsigned int state) return (0); case AF_INET: case AF_INET6: - if (ISSET(pledge, PLEDGE_INET) || - ISSET(pledge, PLEDGE_YPACTIVE)) + if (ISSET(pledge, PLEDGE_INET)) return 0; return pledge_fail(p, EPERM, PLEDGE_INET); diff --git a/sys/sys/pledge.h b/sys/sys/pledge.h index 49b13ee0f30..f569cde4339 100644 --- a/sys/sys/pledge.h +++ b/sys/sys/pledge.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pledge.h,v 1.44 2022/07/17 04:29:37 deraadt Exp $ */ +/* $OpenBSD: pledge.h,v 1.45 2022/07/18 17:45:46 deraadt Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott @@ -69,7 +69,6 @@ * to track program behaviours which have been observed. */ #define PLEDGE_USERSET 0x0fffffffffffffffULL -#define PLEDGE_YPACTIVE 0x8000000000000000ULL /* YP use detected and allowed */ #ifdef PLEDGENAMES static const struct { -- 2.20.1