From e1a6e22610ac903571d6f6d9b3fe485ff45b5a75 Mon Sep 17 00:00:00 2001 From: beck Date: Sun, 5 Aug 2018 14:23:57 +0000 Subject: [PATCH] Decouple unveil from the pledge flags, by adding dedicated unveil flags to the namei args. This fixes a bug where chmod would be allowed when with only READ. This also allows some further cleanup of some awkward things like PLEDGE_STAT that will follow Lots of assistence from semarie@ - thanks! ok semarie@ --- sys/dev/diskmap.c | 3 ++- sys/kern/exec_elf.c | 3 ++- sys/kern/kern_exec.c | 3 ++- sys/kern/kern_ktrace.c | 3 ++- sys/kern/kern_unveil.c | 52 +++++++++++++++++++++++------------------ sys/kern/tty.c | 3 ++- sys/kern/tty_pty.c | 4 +++- sys/kern/vfs_syscalls.c | 37 +++++++++++++++++++++++++---- sys/sys/namei.h | 10 +++++++- sys/sys/proc.h | 6 ++--- 10 files changed, 87 insertions(+), 37 deletions(-) diff --git a/sys/dev/diskmap.c b/sys/dev/diskmap.c index d13763d5d78..bd7509c4284 100644 --- a/sys/dev/diskmap.c +++ b/sys/dev/diskmap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: diskmap.c,v 1.22 2018/07/04 12:42:30 mpi Exp $ */ +/* $OpenBSD: diskmap.c,v 1.23 2018/08/05 14:23:57 beck Exp $ */ /* * Copyright (c) 2009, 2010 Joel Sing @@ -85,6 +85,7 @@ diskmapioctl(dev_t dev, u_long cmd, caddr_t addr, int flag, struct proc *p) NDINIT(&ndp, 0, 0, UIO_SYSSPACE, devname, p); ndp.ni_pledge = PLEDGE_RPATH; + ndp.ni_unveil = UNVEIL_READ; if ((error = vn_open(&ndp, fp0->f_flag, 0)) != 0) goto invalid; diff --git a/sys/kern/exec_elf.c b/sys/kern/exec_elf.c index 4af0134b9b0..79cbce3f885 100644 --- a/sys/kern/exec_elf.c +++ b/sys/kern/exec_elf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: exec_elf.c,v 1.145 2018/07/20 21:57:26 deraadt Exp $ */ +/* $OpenBSD: exec_elf.c,v 1.146 2018/08/05 14:23:57 beck Exp $ */ /* * Copyright (c) 1996 Per Fogelstrom 
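Review bot: In diskmapioctl the new `ndp.ni_unveil = UNVEIL_READ;` is fixed at read, while the open mode handed to `vn_open()` two lines later comes from `fp0->f_flag`. If that flag word can carry FWRITE, the device would be opened for writing after an unveil check that only asked for read. Deriving the value the way doopenat does in this same commit, e.g. `if (fp0->f_flag & FWRITE) ndp.ni_unveil |= UNVEIL_WRITE;`, would keep the two in step. The function body starts and ends outside the hunk, so any earlier restriction on f_flag is not visible here.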
@@ -332,6 +332,7 @@ elf_load_file(struct proc *p, char *path, struct exec_package *epp, NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_SYSSPACE, path, p); nd.ni_pledge = PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_READ; if ((error = namei(&nd)) != 0) { return (error); } diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 0f71fb9d972..5e5c3de5f41 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_exec.c,v 1.200 2018/07/20 21:57:26 deraadt Exp $ */ +/* $OpenBSD: kern_exec.c,v 1.201 2018/08/05 14:23:57 beck Exp $ */ /* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */ /*- @@ -275,6 +275,7 @@ sys_execve(struct proc *p, void *v, register_t *retval) NDINIT(&nid, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), p); nid.ni_pledge = PLEDGE_EXEC; + nid.ni_unveil = UNVEIL_EXEC; /* * initialize the fields of the exec package. diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c index 7315d41b26d..39249d4118c 100644 --- a/sys/kern/kern_ktrace.c +++ b/sys/kern/kern_ktrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_ktrace.c,v 1.98 2018/06/20 10:48:55 mpi Exp $ */ +/* $OpenBSD: kern_ktrace.c,v 1.99 2018/08/05 14:23:57 beck Exp $ */ /* $NetBSD: kern_ktrace.c,v 1.23 1996/02/09 18:59:36 christos Exp $ */ /* @@ -513,6 +513,7 @@ sys_ktrace(struct proc *p, void *v, register_t *retval) cred = p->p_ucred; NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, fname, p); nd.ni_pledge = PLEDGE_CPATH | PLEDGE_WPATH; + nd.ni_unveil = UNVEIL_CREATE | UNVEIL_WRITE; if ((error = vn_open(&nd, FWRITE|O_NOFOLLOW, 0)) != 0) return error; vp = nd.ni_vp; diff --git a/sys/kern/kern_unveil.c b/sys/kern/kern_unveil.c index 7e7b30fe753..a89f0b29514 100644 --- a/sys/kern/kern_unveil.c +++ b/sys/kern/kern_unveil.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_unveil.c,v 1.10 2018/08/05 13:59:38 beck Exp $ */ +/* $OpenBSD: kern_unveil.c,v 1.11 2018/08/05 14:23:57 beck Exp $ */ /* * Copyright (c) 2017-2018 Bob Beck 
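Review bot: In sys_ktrace the lookup now demands `UNVEIL_CREATE | UNVEIL_WRITE`, but the `vn_open()` call below it passes `FWRITE|O_NOFOLLOW` with no O_CREAT, so nothing is created on this path. The value mirrors the ni_pledge line above it rather than what the open actually does. If requiring create is deliberate, a comment such as `/* "c" kept to match the pledge requirement; the trace file is not created here */` would record that; otherwise `UNVEIL_WRITE` alone matches the operation. The rest of sys_ktrace is outside the hunk.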
@@ -40,6 +40,11 @@ #define UNVEIL_MAX_VNODES 128 #define UNVEIL_MAX_NAMES 128 +#define UNVEIL_READ 0x01 +#define UNVEIL_WRITE 0x02 +#define UNVEIL_CREATE 0x04 +#define UNVEIL_EXEC 0x08 + static inline int unvname_compare(const struct unvname *n1, const struct unvname *n2) { @@ -50,7 +55,7 @@ unvname_compare(const struct unvname *n1, const struct unvname *n2) } struct unvname * -unvname_new(const char *name, size_t size, uint64_t flags) +unvname_new(const char *name, size_t size, u_char flags) { struct unvname *ret = malloc(sizeof(struct unvname), M_PROC, M_WAITOK); ret->un_name = malloc(size, M_PROC, M_WAITOK); @@ -118,7 +123,7 @@ unveil_delete_names(struct unveil *uv) } void -unveil_add_name(struct unveil *uv, char *name, uint64_t flags) +unveil_add_name(struct unveil *uv, char *name, u_char flags) { struct unvname *unvn; @@ -310,7 +315,7 @@ unveil_lookup(struct vnode *vp, struct proc *p) } int -unveil_parsepermissions(const char *permissions, uint64_t *perms) +unveil_parsepermissions(const char *permissions, u_char *perms) { size_t i = 0; char c; @@ -319,16 +324,16 @@ unveil_parsepermissions(const char *permissions, uint64_t *perms) while ((c = permissions[i++]) != '\0') { switch (c) { case 'r': - *perms |= PLEDGE_RPATH; + *perms |= UNVEIL_READ; break; case 'w': - *perms |= PLEDGE_WPATH; + *perms |= UNVEIL_WRITE; break; case 'x': - *perms |= PLEDGE_EXEC; + *perms |= UNVEIL_EXEC; break; case 'c': - *perms |= PLEDGE_CPATH; + *perms |= UNVEIL_CREATE; break; default: return -1; @@ -338,7 +343,7 @@ unveil_parsepermissions(const char *permissions, uint64_t *perms) } int -unveil_setflags(uint64_t *flags, uint64_t nflags) +unveil_setflags(u_char *flags, u_char nflags) { #if 0 if (((~(*flags)) & nflags) != 0) { @@ -403,7 +408,7 @@ unveil_add(struct proc *p, struct nameidata *ndp, const char *permissions) struct unveil *uv; int directory_add; int ret = EINVAL; - u_int64_t flags; + u_char flags; KASSERT(ISSET(ndp->ni_cnd.cn_flags, HASBUF)); /* must have SAVENAME */ 
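Review bot: The four `UNVEIL_*` defines added at the top of kern_unveil.c duplicate, value for value, the block this same commit adds to sys/sys/namei.h. Two copies of permission bits invite drift, and the namei callers and the matcher in this file must agree on them for enforcement to mean anything. Assuming this file already includes the namei header, which its use of struct nameidata suggests, I would drop the local copy, or at least put `/* must match sys/namei.h */` above it.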
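Review bot: Narrowing `flags` from uint64_t to u_char in unvname_new means a caller that still passes a PLEDGE_* mask is silently truncated to its low eight bits instead of being rejected. The same narrowing is applied to unveil_add_name, unveil_parsepermissions, unveil_setflags, unveil_add, unveil_flagmatch and the two struct fields in sys/sys/proc.h. The callers are not visible in this patch, so this is a request to audit them rather than a known bug; a comment on each prototype, `/* flags: UNVEIL_* bits only, never PLEDGE_* */`, would make the new contract explicit.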
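Review bot: unveil_setflags keeps its only visible check, `if (((~(*flags)) & nflags) != 0)`, inside `#if 0`, and this hunk changes the types around it without deciding its fate. As far as the hunk shows, that test is what would notice a request adding bits that are not already set, so leaving it compiled out in a permission-setting routine deserves either removal or a statement of the intended policy, e.g. `/* XXX raising permissions on an existing unveil is currently allowed */`. The remainder of the function is outside the hunk.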
@@ -530,9 +535,10 @@ unveil_add(struct proc *p, struct nameidata *ndp, const char *permissions) * XXX collapse down later once debug surely unneded */ int -unveil_flagmatch(struct nameidata *ni, uint64_t flags) +unveil_flagmatch(struct nameidata *ni, u_char flags) { if (flags == 0) { + /* XXX Fix this, you can do it better */ if (ni->ni_pledge & PLEDGE_STAT) { #ifdef DEBUG_UNVEIL printf("allowing stat/accesss for 0 flags"); @@ -552,34 +558,34 @@ unveil_flagmatch(struct nameidata *ni, uint64_t flags) CLR(ni->ni_pledge, PLEDGE_STATLIE); return 1; } - if (ni->ni_pledge & PLEDGE_RPATH) { - if ((flags & PLEDGE_RPATH) == 0) { + if (ni->ni_unveil & UNVEIL_READ) { + if ((flags & UNVEIL_READ) == 0) { #ifdef DEBUG_UNVEIL - printf("Pledge wants read but disallowed\n"); + printf("unveil lacks UNVEIL_READ\n"); #endif return 0; } } - if (ni->ni_pledge & PLEDGE_WPATH) { - if ((flags & PLEDGE_WPATH) == 0) { + if (ni->ni_unveil & UNVEIL_WRITE) { + if ((flags & UNVEIL_WRITE) == 0) { #ifdef DEBUG_UNVEIL - printf("Pledge wants write but disallowed\n"); + printf("unveil lacks UNVEIL_WRITE\n"); #endif return 0; } } - if (ni->ni_pledge & PLEDGE_EXEC) { - if ((flags & PLEDGE_EXEC) == 0) { + if (ni->ni_unveil & UNVEIL_EXEC) { + if ((flags & UNVEIL_EXEC) == 0) { #ifdef DEBUG_UNVEIL - printf("Pledge wants exec but disallowed\n"); + printf("unveil lacks UNVEIL_EXEC\n"); #endif return 0; } } - if (ni->ni_pledge & PLEDGE_CPATH) { - if ((flags & PLEDGE_CPATH) == 0) { + if (ni->ni_unveil & UNVEIL_CREATE) { + if ((flags & UNVEIL_CREATE) == 0) { #ifdef DEBUG_UNVEIL - printf("Pledge wants cpath but disallowed\n"); + printf("unveil lacks UNVEIL_CREATE\n"); #endif return 0; } diff --git a/sys/kern/tty.c b/sys/kern/tty.c index 3c380146368..64937306f00 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c 
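Review bot: With the four tests in unveil_flagmatch now keyed on `ni->ni_unveil`, a lookup whose caller left ni_unveil at 0 skips all of them, so for a non-zero `flags` the function presumably falls through to its success return, which lies outside this hunk. Before this commit the requirement came from ni_pledge, which callers had to set anyway; now a namei caller missed in the conversion, or added later, asks for no unveil permission at all. I would state the contract next to the checks, e.g. `/* ni_unveil == 0: no unveil permission required (stat-like lookups only) */`. A DEBUG_UNVEIL printf for the case `ni->ni_unveil == 0 && !(ni->ni_pledge & PLEDGE_STAT)` would also make unconverted callers show up in testing.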
@@ -1,4 +1,4 @@ -/* $OpenBSD: tty.c,v 1.141 2018/06/16 13:55:03 deraadt Exp $ */ +/* $OpenBSD: tty.c,v 1.142 2018/08/05 14:23:57 beck Exp $ */ /* $NetBSD: tty.c,v 1.68.4.2 1996/06/06 16:04:52 thorpej Exp $ */ /*- @@ -792,6 +792,7 @@ ttioctl(struct tty *tp, u_long cmd, caddr_t data, int flag, struct proc *p) /* ensure user can open the real console */ NDINIT(&nid, LOOKUP, FOLLOW, UIO_SYSSPACE, "/dev/console", p); nid.ni_pledge = PLEDGE_RPATH | PLEDGE_WPATH; + nid.ni_unveil = UNVEIL_READ | UNVEIL_WRITE; error = namei(&nid); if (error) return (error); diff --git a/sys/kern/tty_pty.c b/sys/kern/tty_pty.c index 3b17c5250f0..8df0683195c 100644 --- a/sys/kern/tty_pty.c +++ b/sys/kern/tty_pty.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tty_pty.c,v 1.87 2018/06/18 09:15:05 mpi Exp $ */ +/* $OpenBSD: tty_pty.c,v 1.88 2018/08/05 14:23:57 beck Exp $ */ /* $NetBSD: tty_pty.c,v 1.33.4.1 1996/06/02 09:08:11 mrg Exp $ */ /* @@ -1117,6 +1117,7 @@ retry: NDINIT(&snd, LOOKUP, NOFOLLOW|LOCKLEAF, UIO_SYSSPACE, pti->pty_sn, p); snd.ni_pledge = PLEDGE_RPATH | PLEDGE_WPATH; + snd.ni_unveil = UNVEIL_READ | UNVEIL_WRITE; if ((error = namei(&snd)) != 0) goto bad; if ((snd.ni_vp->v_mount->mnt_flag & MNT_RDONLY) == 0) { @@ -1151,6 +1152,7 @@ retry: NDINIT(&snd, LOOKUP, NOFOLLOW|LOCKLEAF, UIO_SYSSPACE, pti->pty_sn, p); snd.ni_pledge = PLEDGE_RPATH | PLEDGE_WPATH; + snd.ni_unveil= UNVEIL_READ | UNVEIL_WRITE; /* now open it */ if ((error = ptm_vn_open(&snd)) != 0) goto bad; diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 0fdc307506b..7daa79f56f9 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vfs_syscalls.c,v 1.300 2018/08/03 02:36:11 beck Exp $ */ +/* $OpenBSD: vfs_syscalls.c,v 1.301 2018/08/05 14:23:57 beck Exp $ */ /* $NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $ */ /* 
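Review bot: The second tty_pty.c hunk adds `snd.ni_unveil= UNVEIL_READ | UNVEIL_WRITE;` without a space before `=`, unlike every other assignment in the commit, including the identical one in the previous hunk. Please write it as `snd.ni_unveil = UNVEIL_READ | UNVEIL_WRITE;` so that a search for the assignment pattern finds every converted call site.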
@@ -638,6 +638,7 @@ sys_statfs(struct proc *p, void *v, register_t *retval) NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p); nd.ni_pledge = PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_READ; nd.ni_cnd.cn_flags |= BYPASSUNVEIL; if ((error = namei(&nd)) != 0) return (error); @@ -809,6 +810,7 @@ sys_chdir(struct proc *p, void *v, register_t *retval) NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), p); nd.ni_pledge = PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_READ; if ((error = change_dir(&nd, p)) != 0) return (error); p->p_p->ps_uvpcwd = nd.ni_unveil_match; @@ -992,6 +994,7 @@ doopenat(struct proc *p, int fd, const char *path, int oflags, mode_t mode, struct flock lf; struct nameidata nd; uint64_t ni_pledge = 0; + u_char ni_unveil = 0; if (oflags & (O_EXLOCK | O_SHLOCK)) { error = pledge_flock(p); @@ -1007,18 +1010,25 @@ doopenat(struct proc *p, int fd, const char *path, int oflags, mode_t mode, fdpunlock(fdp); flags = FFLAGS(oflags); - if (flags & FREAD) + if (flags & FREAD) { ni_pledge |= PLEDGE_RPATH; - if (flags & FWRITE) + ni_unveil |= UNVEIL_READ; + } + if (flags & FWRITE) { ni_pledge |= PLEDGE_WPATH; - if (oflags & O_CREAT) + ni_unveil |= UNVEIL_WRITE; + } + if (oflags & O_CREAT) { ni_pledge |= PLEDGE_CPATH; + ni_unveil |= UNVEIL_CREATE; + } cmode = ((mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT; if ((p->p_p->ps_flags & PS_PLEDGE)) cmode &= ACCESSPERMS; NDINITAT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, fd, path, p); nd.ni_pledge = ni_pledge; + nd.ni_unveil = ni_unveil; p->p_dupfd = -1; /* XXX check for fdopen */ if ((flags & O_TRUNC) && (flags & (O_EXLOCK | O_SHLOCK))) { localtrunc = 1; @@ -1383,6 +1393,7 @@ domknodat(struct proc *p, int fd, const char *path, mode_t mode, dev_t dev) return (EINVAL); NDINITAT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, fd, path, p); nd.ni_pledge = PLEDGE_DPATH; + nd.ni_unveil = UNVEIL_CREATE; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; 
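Review bot: In sys_statfs the added `nd.ni_unveil = UNVEIL_READ;` is followed directly by `nd.ni_cnd.cn_flags |= BYPASSUNVEIL;`, so, going by the flag's name, the requirement set here is never consulted. A short comment, for example `/* unveil is bypassed for statfs; ni_unveil set for consistency only */`, would stop a reader from assuming statfs is gated on read permission. The rest of the function is outside the hunk.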
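Review bot: The flag mapping added to doopenat raises UNVEIL_WRITE only for FWRITE, so an open whose flags carry O_TRUNC without write access asks the unveil layer for read alone. The context lines further down show O_TRUNC being acted on in this function. Unless a check outside the hunk already rejects that combination, truncation should count as a write: `if (oflags & O_TRUNC) ni_unveil |= UNVEIL_WRITE;`. The same question applies to ni_pledge, which this hunk leaves as it was.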
@@ -1519,6 +1530,7 @@ dolinkat(struct proc *p, int fd1, const char *path1, int fd2, follow = (flag & AT_SYMLINK_FOLLOW) ? FOLLOW : NOFOLLOW; NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd1, path1, p); nd.ni_pledge = PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_READ; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; @@ -1530,6 +1542,7 @@ dolinkat(struct proc *p, int fd1, const char *path1, int fd2, NDINITAT(&nd, CREATE, flags, UIO_USERSPACE, fd2, path2, p); nd.ni_pledge = PLEDGE_CPATH; + nd.ni_unveil = UNVEIL_CREATE; if ((error = namei(&nd)) != 0) goto out; if (nd.ni_vp) { @@ -1589,6 +1602,7 @@ dosymlinkat(struct proc *p, const char *upath, int fd, const char *link) goto out; NDINITAT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, fd, link, p); nd.ni_pledge = PLEDGE_CPATH; + nd.ni_unveil = UNVEIL_CREATE; if ((error = namei(&nd)) != 0) goto out; if (nd.ni_vp) { @@ -1648,6 +1662,7 @@ dounlinkat(struct proc *p, int fd, const char *path, int flag) NDINITAT(&nd, DELETE, LOCKPARENT | LOCKLEAF, UIO_USERSPACE, fd, path, p); nd.ni_pledge = PLEDGE_CPATH; + nd.ni_unveil = UNVEIL_CREATE; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; @@ -1795,6 +1810,7 @@ dofaccessat(struct proc *p, int fd, const char *path, int amode, int flag) NDINITAT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, fd, path, p); nd.ni_pledge = PLEDGE_RPATH | PLEDGE_STAT; + nd.ni_unveil = 0; /* XXX fix this when we fix PLEDGE_STAT */ if ((error = namei(&nd)) != 0) goto out; vp = nd.ni_vp; @@ -1865,6 +1881,7 @@ dofstatat(struct proc *p, int fd, const char *path, struct stat *buf, int flag) follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; NDINITAT(&nd, LOOKUP, follow | LOCKLEAF, UIO_USERSPACE, fd, path, p); nd.ni_pledge = PLEDGE_RPATH | PLEDGE_STAT; + nd.ni_unveil = 0; if ((error = namei(&nd)) != 0) return (error); error = vn_stat(nd.ni_vp, &sb, p); 
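Review bot: dounlinkat now requires `UNVEIL_CREATE` for a DELETE lookup, which makes the "c" permission cover removal as well as creation, and nothing in the hunk or in the new flag definitions says so. A one-line comment at the assignment, `/* unveil "c" also governs removal */`, or on the UNVEIL_CREATE define, would make the policy discoverable. The dorenameat hunks later in the patch rely on the same reading.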
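Review bot: dofaccessat marks its `nd.ni_unveil = 0;` with an XXX comment, but the identical assignments in dofstatat (next hunk) and doreadlinkat (further down in this file) carry none, so they read as if zero were a considered final value. As far as the unveil_flagmatch hunk shows, zero makes the lookup ask for no unveil permission and leaves the decision to the PLEDGE_STAT handling there. The same marker belongs on all three sites: `nd.ni_unveil = 0; /* XXX fix this when we fix PLEDGE_STAT */`.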
@@ -1923,6 +1940,7 @@ sys_pathconf(struct proc *p, void *v, register_t *retval) NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), p); nd.ni_pledge = PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_READ; if ((error = namei(&nd)) != 0) return (error); error = VOP_PATHCONF(nd.ni_vp, SCARG(uap, name), retval); @@ -1972,6 +1990,7 @@ doreadlinkat(struct proc *p, int fd, const char *path, char *buf, NDINITAT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF, UIO_USERSPACE, fd, path, p); nd.ni_pledge = PLEDGE_RPATH | PLEDGE_STAT; + nd.ni_unveil = 0; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; @@ -2035,6 +2054,7 @@ dochflagsat(struct proc *p, int fd, const char *path, u_int flags, int atflags) follow = (atflags & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p); nd.ni_pledge = PLEDGE_FATTR | PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_WRITE; if ((error = namei(&nd)) != 0) return (error); return (dovchflags(p, nd.ni_vp, flags)); @@ -2138,6 +2158,7 @@ dofchmodat(struct proc *p, int fd, const char *path, mode_t mode, int flag) follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p); nd.ni_pledge = PLEDGE_FATTR | PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_WRITE; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; @@ -2237,6 +2258,7 @@ dofchownat(struct proc *p, int fd, const char *path, uid_t uid, gid_t gid, follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p); nd.ni_pledge = PLEDGE_CHOWN | PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_WRITE; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; @@ -2289,6 +2311,7 @@ sys_lchown(struct proc *p, void *v, register_t *retval) NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_USERSPACE, SCARG(uap, path), p); nd.ni_pledge = PLEDGE_CHOWN | PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_WRITE; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; 
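Review bot: dochflagsat, dofchmodat, dofchownat and sys_lchown (and doutimensat and sys_truncate in the following hunks) now pair an ni_pledge that includes PLEDGE_RPATH with `nd.ni_unveil = UNVEIL_WRITE;`, so the two fields deliberately disagree about read. That is the fix the commit message describes, but the code does not say it. A reader comparing the two lines could "correct" the mismatch by replacing WRITE with READ and reintroduce the chmod-with-read-only behaviour. I would add `/* attribute changes require unveil "w"; PLEDGE_RPATH is a pledge matter only */` at the first of these sites.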
@@ -2441,6 +2464,7 @@ doutimensat(struct proc *p, int fd, const char *path, follow = (flag & AT_SYMLINK_NOFOLLOW) ? NOFOLLOW : FOLLOW; NDINITAT(&nd, LOOKUP, follow, UIO_USERSPACE, fd, path, p); nd.ni_pledge = PLEDGE_FATTR | PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_WRITE; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; @@ -2588,6 +2612,7 @@ sys_truncate(struct proc *p, void *v, register_t *retval) NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p); nd.ni_pledge = PLEDGE_FATTR | PLEDGE_RPATH; + nd.ni_unveil = UNVEIL_WRITE; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; @@ -2713,6 +2738,7 @@ dorenameat(struct proc *p, int fromfd, const char *from, int tofd, NDINITAT(&fromnd, DELETE, WANTPARENT | SAVESTART, UIO_USERSPACE, fromfd, from, p); fromnd.ni_pledge = PLEDGE_RPATH | PLEDGE_CPATH; + fromnd.ni_unveil = UNVEIL_READ | UNVEIL_CREATE; if ((error = namei(&fromnd)) != 0) return (error); fvp = fromnd.ni_vp; @@ -2726,6 +2752,7 @@ dorenameat(struct proc *p, int fromfd, const char *from, int tofd, NDINITAT(&tond, RENAME, flags, UIO_USERSPACE, tofd, to, p); tond.ni_pledge = PLEDGE_CPATH; + tond.ni_unveil = UNVEIL_CREATE; if ((error = namei(&tond)) != 0) { VOP_ABORTOP(fromnd.ni_dvp, &fromnd.ni_cnd); vrele(fromnd.ni_dvp); @@ -2819,6 +2846,7 @@ domkdirat(struct proc *p, int fd, const char *path, mode_t mode) NDINITAT(&nd, CREATE, LOCKPARENT | STRIPSLASHES, UIO_USERSPACE, fd, path, p); nd.ni_pledge = PLEDGE_CPATH; + nd.ni_unveil = UNVEIL_CREATE; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; @@ -2945,6 +2973,7 @@ sys_revoke(struct proc *p, void *v, register_t *retval) NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path), p); nd.ni_pledge = PLEDGE_RPATH | PLEDGE_TTY; + nd.ni_unveil = UNVEIL_READ; if ((error = namei(&nd)) != 0) return (error); vp = nd.ni_vp; diff --git a/sys/sys/namei.h b/sys/sys/namei.h index a7f8accdc3e..01cd786c9ed 100644 --- a/sys/sys/namei.h +++ b/sys/sys/namei.h 
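Review bot: sys_revoke is given `UNVEIL_READ`, the same requirement as a plain lookup, although the other state-changing path operations converted in this file ask for UNVEIL_WRITE or UNVEIL_CREATE. revoke affects other holders of the file rather than its contents, so read may well be the intended level, but the choice should be stated. Either add a comment, `nd.ni_unveil = UNVEIL_READ; /* revoke does not modify the file itself */`, or switch to UNVEIL_WRITE for consistency with dofchmodat. The permission checks that follow namei() are outside the hunk.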
@@ -1,4 +1,4 @@ -/* $OpenBSD: namei.h,v 1.35 2018/07/13 09:25:23 beck Exp $ */ +/* $OpenBSD: namei.h,v 1.36 2018/08/05 14:23:57 beck Exp $ */ /* $NetBSD: namei.h,v 1.11 1996/02/09 18:25:20 christos Exp $ */ /* @@ -59,6 +59,7 @@ struct nameidata { struct vnode *ni_startdir; /* starting directory */ struct vnode *ni_rootdir; /* logical root directory */ uint64_t ni_pledge; /* expected pledge for namei */ + u_char ni_unveil; /* required unveil flags for namei */ /* * Results: returned from/manipulated by lookup */ @@ -250,4 +251,11 @@ struct nchstats { { "ncs_dothits", CTLTYPE_QUAD }, \ { "nch_dotdothits", CTLTYPE_QUAD }, \ } + +/* Unveil flags for namei */ +#define UNVEIL_READ 0x01 +#define UNVEIL_WRITE 0x02 +#define UNVEIL_CREATE 0x04 +#define UNVEIL_EXEC 0x08 + #endif /* !_SYS_NAMEI_H_ */ diff --git a/sys/sys/proc.h b/sys/sys/proc.h index 59eae616ab8..6f088a5b67d 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: proc.h,v 1.254 2018/07/28 18:07:26 deraadt Exp $ */ +/* $OpenBSD: proc.h,v 1.255 2018/08/05 14:23:57 beck Exp $ */ /* $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $ */ /*- @@ -130,7 +130,7 @@ struct tusage { struct unvname { char *un_name; size_t un_namesize; - uint64_t un_flags; + u_char un_flags; RBT_ENTRY(unvnmae) un_rbt; }; @@ -424,7 +424,7 @@ struct unveil { struct vnode *uv_vp; struct unvname_rbt uv_names; struct rwlock uv_lock; - u_int64_t uv_flags; + u_char uv_flags; }; struct uidinfo { -- 2.20.1