From 609289ba7a225931e30aa26d51922ca9dc1c6d91 Mon Sep 17 00:00:00 2001 From: deraadt Date: Wed, 7 Oct 2015 03:47:43 +0000 Subject: [PATCH] Add the tame "exec" request. This allows processes which request "exec" to call execve(2), potentially fork(2) beforehands if they asked for "proc". Calling execve is what "shells" (ksh, tmux, etc) have as their primary purpose. But meantime, if such a shell has a nasty bug, we want to mitigate the process from opening a socket or calling 100+ other system calls. Unfortunately silver bullets are in short supply, so if our goal is to stay in a POSIX-y environment, we have to let shells call execve(). POSIX ate the world, so choices do we all have? Warning for many: silver bullets are even more rare in other OS ecosystems, so please accept this as a narrow lowering of the bar in a very raised environment. Commited from a machine running tame "proc exec" ksh, make, etc. --- sys/kern/kern_exec.c | 6 +++++- sys/kern/kern_exit.c | 12 ++---------- sys/kern/kern_tame.c | 19 ++++++++++++++++++- sys/sys/tame.h | 4 +++- 4 files changed, 28 insertions(+), 13 deletions(-) diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 3c52e1ae2f4..8c2287bc428 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_exec.c,v 1.166 2015/10/02 15:49:22 deraadt Exp $ */ +/* $OpenBSD: kern_exec.c,v 1.167 2015/10/07 03:47:43 deraadt Exp $ */ /* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */ /*- @@ -53,6 +53,7 @@ #include #include #include +#include #ifdef SYSVSHM #include #endif @@ -550,6 +551,9 @@ sys_execve(struct proc *p, void *v, register_t *retval) else atomic_clearbits_int(&pr->ps_flags, PS_SUGIDEXEC); + atomic_clearbits_int(&pr->ps_flags, PS_TAMED); + tame_dropwpaths(pr); + /* * deal with set[ug]id. * MNT_NOEXEC has already been used to disable s[ug]id. diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index 8c15f8335db..bb9d1aaf774 100644 --- a/sys/kern/kern_exit.c 
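Review bot: The two lines added to sys_execve clear PS_TAMED and drop the path whitelist with no comment, and PS_TAMED is the only state visibly reset; whether the request bits in pr->ps_tame (and any per-thread tame note) are also cleared is not shown here, so they may survive the exec as stale state, which is harmless only if every tame check gates on PS_TAMED first — worth confirming. A one-line comment would make the intent explicit: `/* "exec" request granted: the new image starts untamed, drop the flag and path whitelist */`. The clears sit after the PS_SUGIDEXEC handling, which appears to be past the point where execve can still fail, so a failed exec leaves the process tamed — the right outcome, but that ordering is load-bearing and deserves a word in the same comment. sys_execve starts and ends outside the hunk.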
+++ b/sys/kern/kern_exit.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_exit.c,v 1.152 2015/09/11 08:22:31 guenther Exp $ */ +/* $OpenBSD: kern_exit.c,v 1.153 2015/10/07 03:47:43 deraadt Exp $ */ /* $NetBSD: kern_exit.c,v 1.39 1996/04/22 01:38:25 christos Exp $ */ /* @@ -650,15 +650,7 @@ process_zap(struct process *pr) */ (void)chgproccnt(pr->ps_ucred->cr_ruid, -1); - if (pr->ps_tamepaths && --pr->ps_tamepaths->wl_ref == 0) { - struct whitepaths *wl = pr->ps_tamepaths; - int i; - - for (i = 0; i < wl->wl_count; i++) - free(wl->wl_paths[i].name, M_TEMP, wl->wl_paths[i].len); - free(wl, M_TEMP, wl->wl_size); - } - pr->ps_tamepaths = NULL; + tame_dropwpaths(pr); /* * Release reference to text vnode diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c index 40a2aa2b7dc..eda216a81e7 100644 --- a/sys/kern/kern_tame.c +++ b/sys/kern/kern_tame.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_tame.c,v 1.65 2015/10/06 18:35:09 deraadt Exp $ */ +/* $OpenBSD: kern_tame.c,v 1.66 2015/10/07 03:47:43 deraadt Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott @@ -141,6 +141,8 @@ const u_int tame_syscalls[SYS_MAXSYSCALL] = { [SYS_sigsuspend] = TAME_PROC, [SYS_setrlimit] = TAME_PROC, + [SYS_execve] = TAME_EXEC, + [SYS_setgroups] = TAME_PROC, [SYS_setresgid] = TAME_PROC, [SYS_setresuid] = TAME_PROC, @@ -238,6 +240,7 @@ static const struct { { "ioctl", TAME_IOCTL }, { "tty", TAME_TTY }, { "proc", TAME_PROC }, + { "exec", TAME_EXEC }, { "cpath", TAME_CPATH }, { "abort", TAME_ABORT }, { "fattr", TAME_FATTR }, @@ -1115,6 +1118,20 @@ tame_dns_check(struct proc *p, in_port_t port) return (EPERM); } +void +tame_dropwpaths(struct process *pr) +{ + if (pr->ps_tamepaths && --pr->ps_tamepaths->wl_ref == 0) { + struct whitepaths *wl = pr->ps_tamepaths; + int i; + + for (i = 0; i < wl->wl_count; i++) + free(wl->wl_paths[i].name, M_TEMP, wl->wl_paths[i].len); + free(wl, M_TEMP, wl->wl_size); + } + pr->ps_tamepaths = NULL; +} + int canonpath(const char *input, char *buf, size_t bufsize) { 
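Review bot: Adding `[SYS_execve] = TAME_EXEC` admits the syscall, but nothing in this hunk shows whether the execve path lookup is subject to the ps_tamepaths whitelist the way other namei users are; if tame_namei is only consulted for syscalls that set a tame note, a process with "exec" plus a whitelist can exec any path on the system. That may be the intended semantics (the commit message treats "exec" as a deliberate escape hatch), but it should be stated next to the table entry, e.g. `[SYS_execve] = TAME_EXEC,	/* path whitelist intentionally not applied — see tame_namei() */`, or the whitelist check extended to cover it. The tame_syscalls table starts and ends outside the hunk.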
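Review bot: tame_dropwpaths decrements wl_ref with a plain `--`, so its correctness relies on the kernel lock being held whenever two processes sharing a whitelist after fork() exit or exec concurrently; that presumably holds for the two call sites today, but the invariant is undocumented and the function now has a second caller in a different file. The function also has no header comment; suggest `/* Drop this process's reference to its path whitelist, freeing it with the last reference; wl_ref is shared across fork() and relies on the kernel lock. */` above the definition. Setting pr->ps_tamepaths to NULL unconditionally is correct since any remaining references belong to other processes.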
diff --git a/sys/sys/tame.h b/sys/sys/tame.h index 8cfbd036b6a..738ebacf319 100644 --- a/sys/sys/tame.h +++ b/sys/sys/tame.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tame.h,v 1.10 2015/10/06 15:21:26 deraadt Exp $ */ +/* $OpenBSD: tame.h,v 1.11 2015/10/07 03:47:43 deraadt Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott @@ -43,6 +43,7 @@ #define TAME_TTY 0x00010000 /* tty setting */ #define TAME_SENDFD 0x00020000 /* AF_UNIX CMSG fd sending */ #define TAME_RECVFD 0x00040000 /* AF_UNIX CMSG fd receiving */ +#define TAME_EXEC 0x00080000 /* execve, child is free of tame */ #define TAME_ABORT 0x08000000 /* SIGABRT instead of SIGKILL */ @@ -82,6 +83,7 @@ struct whitepaths { size_t len; } wl_paths[0]; }; +void tame_dropwpaths(struct process *); #endif /* _KERNEL */ -- 2.20.1
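Review bot: The comment on the new TAME_EXEC define, `execve, child is free of tame`, misdescribes what kern_exec.c does: it is the exec'd image of the same process that loses its tame state, not a fork child (forking is governed by TAME_PROC according to the commit message). Suggest `#define TAME_EXEC	0x00080000	/* execve; the new image runs untamed */`. Since this header is what other developers will read when choosing requests, it should be clear that "exec" is an intentional exit from the sandbox rather than an inherited restriction.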