From 696e0573961a3b55379b2d00710e8a213379dbb2 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Wed, 7 Jun 2017 20:53:59 +0000
Subject: [PATCH] Add an acct(5) flag for pledge violations. Then lastcomm(1) shows when something went wrong. This allows to monitor whether the system is under attack and that the attack has been prevented by OpenBSD pledge(2). OK deraadt@ millert@ jmc@
---
 lib/libc/sys/pledge.2 | 14 ++++++++++++--
 sys/kern/kern_pledge.c | 4 +++-
 sys/sys/acct.h | 3 ++-
 usr.bin/lastcomm/lastcomm.1 | 12 ++++++++----
 usr.bin/lastcomm/lastcomm.c | 3 ++-
 5 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/lib/libc/sys/pledge.2 b/lib/libc/sys/pledge.2
index 6527891168e..1eacec949aa 100644
--- a/lib/libc/sys/pledge.2
+++ b/lib/libc/sys/pledge.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pledge.2,v 1.42 2017/05/30 16:46:04 deraadt Exp $
+.\" $OpenBSD: pledge.2,v 1.43 2017/06/07 20:53:59 bluhm Exp $
 .\"
 .\" Copyright (c) 2015 Nicholas Marriott
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 30 2017 $
+.Dd $Mdocdate: June 7 2017 $
 .Dt PLEDGE 2
 .Os
 .Sh NAME
@@ -46,6 +46,16 @@ can reduce the abilities further, but abilities can never be regained.
 A process which attempts a restricted operation is killed with an uncatchable
 .Dv SIGABRT ,
 delivering a core file if possible.
+A process currently running with pledge has state
+.Sq p
+in
+.Xr ps 1
+output; a process that was terminated due to a pledge violation
+is accounted by
+.Xr lastcomm 1
+with the
+.Sq P
+flag.
 .Pp
 A
 .Fa promises
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index d25eb9df103..a23b8d21d28 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.211 2017/06/03 04:34:41 tb Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.212 2017/06/07 20:53:59 bluhm Exp $ */
 /*
 * Copyright (c) 2015 Nicholas Marriott
@@ -32,6 +32,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -581,6 +582,7 @@ pledge_fail(struct proc *p, int error, uint64_t code)
 }
 printf("%s(%d): syscall %d \"%s\"\n", p->p_p->ps_comm, p->p_p->ps_pid, p->p_pledge_syscall, codes);
+ p->p_p->ps_acflag |= APLEDGE;
 #ifdef KTRACE
 if (KTRPOINT(p, KTR_PLEDGE))
 ktrpledge(p, error, code, p->p_pledge_syscall);
diff --git a/sys/sys/acct.h b/sys/sys/acct.h
index d55b036fba8..efcb03e2411 100644
--- a/sys/sys/acct.h
+++ b/sys/sys/acct.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: acct.h,v 1.5 2012/07/16 15:20:38 deraadt Exp $ */
+/* $OpenBSD: acct.h,v 1.6 2017/06/07 20:53:59 bluhm Exp $ */
 /* $NetBSD: acct.h,v 1.16 1995/03/26 20:23:52 jtc Exp $ */
 /*-
@@ -61,6 +61,7 @@ struct acct {
 #define ACOMPAT 0x04 /* used compatibility mode */
 #define ACORE 0x08 /* dumped core */
 #define AXSIG 0x10 /* killed by a signal */
+#define APLEDGE 0x20 /* killed due to pledge violation */
 u_int8_t ac_flag; /* accounting flags */
 };
diff --git a/usr.bin/lastcomm/lastcomm.1 b/usr.bin/lastcomm/lastcomm.1
index aaf3890d633..12b0156e648 100644
--- a/usr.bin/lastcomm/lastcomm.1
+++ b/usr.bin/lastcomm/lastcomm.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: lastcomm.1,v 1.16 2007/05/31 19:20:11 jmc Exp $
+.\" $OpenBSD: lastcomm.1,v 1.17 2017/06/07 20:53:59 bluhm Exp $
 .\" $NetBSD: lastcomm.1,v 1.5 1995/10/22 01:43:41 ghudson Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
@@ -30,7 +30,7 @@
 .\"
 .\" @(#)lastcomm.1 8.1 (Berkeley) 6/6/93
 .\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: June 7 2017 $
 .Dt LASTCOMM 1
 .Os
 .Sh NAME
@@ -112,9 +112,13 @@ indicates the command was run in PDP-11 compatibility mode
 .Sq D
 indicates the command terminated with the generation of a
 .Pa core
-file, and
+file,
 .Sq X
-indicates the command was terminated with a signal.
+indicates the command was terminated with a signal, and
+.Sq P
+indicates the command was terminated due to a
+.Xr pledge 2
+violation.
 .Sh FILES
 .Bl -tag -width /var/account/acct -compact
 .It Pa /var/account/acct
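Review bot: The added `p->p_p->ps_acflag |= APLEDGE;` in pledge_fail() (sys/kern/kern_pledge.c, the `@@ -581,6 +582,7 @@` hunk) has no comment tying it to the accounting record, and sys/sys/acct.h documents the bit as "killed due to pledge violation" although the kill itself is not visible in this hunk. pledge_fail() starts and ends outside the hunk, so it is worth confirming that no earlier return above the closing `}` reports a violation without reaching this line, and that every path that sets the bit really ends in the process being killed. I would add `/* mark the process for acct(5); lastcomm(1) prints this bit as 'P' */` above the assignment. For anyone building monitoring on this, the bit carries no detail: the syscall number and name go only to the `printf` just above, so the accounting record and the kernel message have to be read together.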
diff --git a/usr.bin/lastcomm/lastcomm.c b/usr.bin/lastcomm/lastcomm.c
index 59efe5bdc02..155b270d7b3 100644
--- a/usr.bin/lastcomm/lastcomm.c
+++ b/usr.bin/lastcomm/lastcomm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lastcomm.c,v 1.24 2017/03/11 18:33:21 guenther Exp $ */
+/* $OpenBSD: lastcomm.c,v 1.25 2017/06/07 20:53:59 bluhm Exp $ */
 /* $NetBSD: lastcomm.c,v 1.9 1995/10/22 01:43:42 ghudson Exp $ */
 /*
@@ -173,6 +173,7 @@ flagbits(int f)
 BIT(ACOMPAT, 'C');
 BIT(ACORE, 'D');
 BIT(AXSIG, 'X');
+ BIT(APLEDGE, 'P');
 *p = '\0';
 return (flags);
 }
--
2.20.1
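Review bot: The buffer that flagbits() returns as `flags` is declared above this hunk, and `BIT(APLEDGE, 'P');` adds one more character that can be stored in it (presumably through `p`) before `*p = '\0'`. Confirm that its size still covers every flag letter plus the terminator when all bits are set; `f` presumably comes from `ac_flag` in the accounting file, so any bit combination can reach this function. A short comment at the declaration stating the bound, for example `/* one char per A* flag, plus NUL */`, would keep the next added flag from silently outgrowing it. flagbits() starts outside the hunk, so the declaration and the BIT macro could not be checked here.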