OpenBSD src changes summary for 2015-10-12
==========================================

bin/ksh                                 bin/pax
lib/libc                                lib/libssl
libexec/comsat                          regress/usr.bin
sbin/clri                               sbin/dump
sbin/ping6                              sbin/tunefs
share/man                               sys/dev/pci
sys/kern                                sys/net
sys/net80211                            usr.bin/biff
usr.bin/calendar                        usr.bin/encrypt
usr.bin/fstat                           usr.bin/ftp
usr.bin/mandoc                          usr.bin/mesg
usr.bin/mg                              usr.bin/skey
usr.bin/tty                             usr.bin/who
usr.sbin/ac                             usr.sbin/acpidump
usr.sbin/config                         usr.sbin/eigrpctl
usr.sbin/installboot                    usr.sbin/mailwrapper
usr.sbin/mksuncd                        usr.sbin/mkuboot
usr.sbin/ntpd                           usr.sbin/pwd_mkdb
usr.sbin/relayctl                       usr.sbin/smtpd
usr.sbin/sysmerge                       usr.sbin/tcpdump
usr.sbin/zdump

== bin =============================================================== 01/09 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/bin

ksh

  ~ sh.1

  > indent the builtin text a little, for naddy; (jmc@)

pax

  ~ ar_io.c                               ~ pax.c

  > preservation modes can adjust setugid bits, so no pledge is possible.
  > Otherwise, lay the groundwork for whether a gzip program may be run or not.
  > After such a gzip program is started, pledge the program will not exec
  > again. Took a few iterations to get this going... it is looking good.
  > with guenther. (deraadt@)

  ~ ar_io.c

  > Revert the pledge() call on pax/ar_io.c for now.
  > A pledged program is not allowed to change user/group for others.
  > "I think that makes the most sense" @sthen (semarie@)

  ~ ar_io.c

  > reenable pledge(2) on pax, but only if pmode isn't in use or if action
  > shouldn't do things with filesystem.
  > ok deraadt@ millert@ (semarie@)

== lib =============================================================== 02/09 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libc

  ~ sys/pledge.2

  > make description of ERRORS more complete;
  > diff from Benny Lofgren <bl dash lists at lofgren dot biz>;
  > ok nicm@ (schwarze@)

  ~ sys/umask.2

  > Make it clear that umask ignores everything but the rwx bits.
  > OK deraadt@ (millert@)

  ~ citrus/citrus_utf8.c

  > Make wcrtomb() more readable by weeding out range errors up front,
  > doing ASCII handling once rather than twice, and using <= rather
  > than ((&~)==) obfuscation (which already caused a bug in the past).
  > No functional change.
  > Joint work with and OK stsp@ semarie@ bentley@ (schwarze@)

  ~ gen/ttyname.c

  > When isatty() was switched to F_ISATTY, the inline copy in ttyname()
  > was forgotten. Just call isatty(). ok deraadt@ (naddy@)

  ~ sys/pledge.2

  > Add details about a variety of semantics; going to keep adding and then
  > reevaluate the direction of this manual page a bit later. (deraadt@)

  ~ sys/pledge.2

  > satisfy jmc! (deraadt@)

libssl

  ~ src/crypto/evp/e_des.c                ~ src/crypto/evp/e_des3.c

  > unifdef EVP_CHECK_DES_KEY: Ben Kaduk noticed it has a syntax error; that
  > error was present in the original 2004 commit, so it hasn't been used in
  > over 11 years, thus exceeding our deprecation requirements by over a
  > decade.
  > OpenSSL has chosen to *fix it*; we'll gladly watch it burn
  > ok jsing@ (guenther@)

== libexec =========================================================== 03/09 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/libexec

comsat

  ~ comsat.c

  > Call pledge(2) after initial getsockname(2) to avoid "inet" addition.
  > From & OK deraadt@ (uebayasi@)

== regress =========================================================== 04/09 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

usr.bin

  ~ mandoc/mdoc/Bl/Makefile               + mandoc/mdoc/Bl/dash.out_utf8

  > Use "-" rather than "\(hy" for the heads of .Bl -dash and -hyphen lists.
  > In UTF-8 output, that renders as ASCII HYPHEN-MINUS (U+002D)
  > rather than HYPHEN (U+2010), which looks better and matches groff.
  > In ASCII output, it makes no difference.
  > Suggested by naddy@. (schwarze@)

== sbin ============================================================== 05/09 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin

clri

  ~ clri.c

  > pledge "stdio" right after opening the device.
  > The remainder is just read, write, fsync, and close.
  > ok doug (deraadt@)

dump

  ~ optr.c

  > Annotate a pretty obvious signal race... no time to fix it now. (deraadt@)

ping6

  ~ ping6.8                               ~ ping6.c

  > deprecate & remove -W option; ok florian (deraadt@)

tunefs

  ~ tunefs.c

  > tunefs can pledge to only use "stdio", after it has opened the device.
  > ok doug (deraadt@)

== share ============================================================= 06/09 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share

man

  ~ man9/microtime.9

  > remove useless quoting from .Fo arguments; forgotten diff found in my tree
  > (schwarze@)

  ~ man5/bsd.port.mk.5

  > fix case of PACkAGE_REPOSITORY; remco at dpub nl
  >                ^ (sthen@)

  ~ man9/style.9

  > Parentheses are useless after "return", it's not a function.
  > There is no need to mop this up everywhere, but at least style(9)
  > should show modern rather than historic style.
  > OK millert@ tedu@ (schwarze@)

== sys =============================================================== 07/09 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

dev/pci

  ~ if_iwm.c

  > Always initialise the index into iwm's tx queue array, fixing a
  > potential crash. This must have somehow been working by magic.
  > Further cleanup of QoS support in this driver is very much needed.
  > ok mpi@ (stsp@)

kern

  ~ kern_pledge.c

  > Remove the "cmsg" attribute, as promised. Use "sendfd" or "recvfd",
  > depending on what you need. inet/inet6 cmsg's come through unmolested --
  > that is something to consider later. (deraadt@)

  ~ kern_pledge.c

  > pledge "proc" request should allow setsid() (deraadt@)

net

  ~ if_bridge.c

  > Introduce bridge_ifinput() to handle some repeated logic before
  > if_input() and to have a counterpart for bridge_ifenqueue() that helps
  > to understand the traffic/code flow in bridge better. The bridge
  > currently only puts a single packet on the input mbuf list, and
  > changing will need to undo part of this commit, but it still makes
  > sense to have a well-defined call for the ports receive path.
  > No functional change.
  > OK mpi@ (reyk@)

  ~ if.c

  > protect SIOCSLIFPHYTTL, SIOCSVNETID so only root can call them, and
  > return EPNOTSUPP for SIOCGLIFPHYTTL and SIOCGVNETID. all so drivers
  > dont have to do these checks themselves.
  > ok mikeb@ mpi@ (dlg@)

  ~ if_vxlan.c

  > dont need to do suser checks in ioctl paths cos if.c does them for us.
  > ok mikeb@ mpi@ (dlg@)

  ~ if.c

  > Unify link state change notification.
  > ok mikeb@ (mpi@)

  ~ if_var.h                              ~ if.c
  ~ if_ppp.c

  > the pattr argument to IFQ_ENQUEUE is unused, so let's get rid of it.
  > also the comment above IFQ_ENQUEUE that says the pattr argument is unused.
  > ok mpi@ (dlg@)

net80211

  ~ ieee80211_pae_output.c

  > the pattr argument to IFQ_ENQUEUE is unused, so let's get rid of it.
  > also the comment above IFQ_ENQUEUE that says the pattr argument is unused.
  > ok mpi@ (dlg@)

== usr.bin =========================================================== 08/09 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

biff

  ~ biff.c

  > biff pledges to only do "stdio rpath fattr tty". (very small program..
  > the actual order of use is tty, rpath, stdio or fattr) (deraadt@)

  ~ biff.c

  > these callers of ttyname() no longer need to pledge "tty" (deraadt@)

calendar

  ~ calendars/calendar.holiday

  > Gahamas -> Bahamas;
  > from pgoyette (netbsd -r1.26) (jmc@)

encrypt

  ~ Makefile

  > These no longer need to be static. The ramdisk's no longer reach-around
  > and use the one in the base install, but have their own copy.
  > ok millert sthen miod daniel (deraadt@)

fstat

  ~ fstat.c

  > in fuser mode with -k or -s mode, kill(2) might be called and
  > route lookups won't be needed; so expand the pledge setup to handle
  > 3 codepaths.
  > from theo buehler (deraadt@)

ftp

  ~ Makefile

  > ftp(1) was static for years, as a recovery seatbelt. These days
  > reliability has improved, and other repair methods are easier from
  > bsd.rd or whatnot. As a static binary ftp has limited ASLR, yet it has
  > 7 libraries... Making it non-static means the ASLR picture improves.
  > Let's see who moans first.
  > ok miod daniel (deraadt@)

mandoc

  ~ html.c                                ~ main.c
  ~ man_term.c                            ~ man_validate.c
  ~ mandoc.c                              ~ mandocdb.c
  ~ mdoc.c                                ~ mdoc_html.c
  ~ mdoc_macro.c                          ~ mdoc_man.c
  ~ mdoc_term.c                           ~ mdoc_validate.c
  ~ out.c                                 ~ roff.c
  ~ tbl_html.c                            ~ tbl_layout.c
  ~ tbl_term.c                            ~ term.c
  ~ term_ascii.c                          ~ term_ps.c
  ~ tree.c

  > To make the code more readable, delete 283 /* FALLTHROUGH */ comments
  > that were right between two adjacent case statement. Keep only
  > those 24 where the first case actually executes some code before
  > falling through to the next case. (schwarze@)

  ~ html.c

  > Fix an obvious bug found during the /* FALLTHROUGH */ cleanup:
  > ASCII_NBRSP has to be rendered as " ", not "-". (schwarze@)

  ~ mandocdb.c

  > Clear dform and dsec when exiting a first-level directory in treescan().
  > Fixes a segfault reported by bentley@.
  > While here, do some style cleanup in the same function. (schwarze@)

  ~ mdoc_term.c

  > Use "-" rather than "\(hy" for the heads of .Bl -dash and -hyphen lists.
  > In UTF-8 output, that renders as ASCII HYPHEN-MINUS (U+002D)
  > rather than HYPHEN (U+2010), which looks better and matches groff.
  > In ASCII output, it makes no difference.
  > Suggested by naddy@. (schwarze@)

  ~ mandoc_aux.c

  > Check the right pointer against NULL;
  > fixing a pasto introduced in the previous commit;
  > found by Svyatoslav Mishyn <juef at openmailbox dot org> with cppcheck.
  > (schwarze@)

  ~ mandocdb.c

  > Garbage collect an unused variable, no functional change;
  > found by Svyatoslav Mishyn <juef at openmailbox dot org> with cppcheck.
  > (schwarze@)

  ~ mdoc_validate.c

  > Delete an assignment that is unconditionally overwritten two lines later;
  > found by Svyatoslav Mishyn <juef at openmailbox dot org>
  > with the clang static analyzer. (schwarze@)

  ~ mandocdb.c

  > pledge(2) for makewhatis(8):
  > Always needed: stdio rpath.
  > In addition when writing to an existing db: wpath cpath fattr.
  > In addition when creating a new db: proc exec.
  > Based on work by and OK bentley@, "get moving" deraadt@. (schwarze@)

  ~ main.c

  > pledge(2) for apropos(1), help(1), man(1), mandoc(1), and whatis(1):
  > Always needed: stdio rpath (to open multiple files and for .so)
  > In addition after starting the pager: tmppath (to clean up the temp files)
  > In addition before starting the pager: proc exec
  > Looks good to deraadt@. (schwarze@)

mesg

  ~ mesg.c

  > same thing as biff, pledge "stdio rpath fattr tty" (deraadt@)

  ~ mesg.c

  > these callers of ttyname() no longer need to pledge "tty" (deraadt@)

mg

  ~ mg.1

  > Correctly mark-up some recent additions. ok jmc@ (lum@)

  ~ def.h                                 ~ dired.c

  > Maintain a list of files marked for deletion while refreshing a dired
  > buffer. Previously, when refreshing the buffer the files marked for
  > deletion would be lost.
  > Since the relationship between the files that have been marked for
  > deletion and those that exist on disk is volatile, I have chosen to
  > implement the discovery of marked files during the refresh function as
  > opposed to maintaining a dired buffer specific list. (lum@)

skey

  ~ skey.c

  > Pledge "stdio wpath tty"; "awesome" deraadt@ (tim@)

tty

  ~ tty.c

  > ttyname() no longer does ioctl TIOCGETA, so pledge("tty") is no longer
  > needed here. ok deraadt@ (naddy@)

who

  ~ who.c

  > ttyname() no longer does ioctl TIOCGETA, so pledge("tty") is no longer
  > needed here. ok deraadt@ (naddy@)

== usr.sbin ========================================================== 09/09 ==

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

ac

  ~ ac.c

  > pledge to only use "stdio rpath"; rpath is for reading the wtmp files.
  > ok doug (deraadt@)

acpidump

  ~ acpidump.c

  > with the RPATH enforcement, acpidump(1) don't work anymore...
  > it needs rpath for reading /dev/mem (at least):
  > kvm_openfiles(NULL, NULL, NULL, O_RDONLY, NULL)
  > ok doug@
  > fix the regression deraadt@ (semarie@)

config

  ~ ukc.c

  > does not need ioctl.h (deraadt@)

  ~ main.c

  > pledge "stdio rpath wpath cpath"; all the path options are used
  > until the bitter end. (deraadt@)

eigrpctl

  ~ eigrpctl.c

  > two leftovers string missed in tame->pledge conversion
  > ok jsg@ (semarie@)

installboot

  ~ installboot.c                         ~ installboot.h
  ~ util.c

  > Check that the disk specified on the command line is the disk that
  > files are copied to. Error out with 'cross-device install' if not.
  > ok millert@, ok deraadt@ & jsing@ for previous version (krw@)

mailwrapper

  ~ mailwrapper.c

  > surprisingly, this can pledge "stdio rpath exec" right at start. once
  > the config file is opened, it can pledge "stdio exec", and be on its
  > merry way to start the real MTA (deraadt@)

mksuncd

  ~ mksuncd.c

  > pledge "stdio" after opening files, code is very similar to mkuboot
  > (deraadt@)

mkuboot

  ~ mkuboot.c

  > fstat() of opened fd, rather than stat(), to avoid TOCTOU
  > ok jsg (deraadt@)

  ~ mkuboot.c

  > pledge "stdio" after opening up the input & output files.
  > ok jsg (deraadt@)

ntpd

  ~ config.c                              ~ constraint.c
  ~ ntp.c                                 ~ ntpd.c
  ~ ntpd.h

  > Move execution of the constraints from the ntp to the parent process.
  > This helps the ntp process to a) give a better pledge(2) and to b)
  > keep the promise of "saving the world again... on time" by removing
  > the delays that have been introduced by expensive constraint forks.
  > The new design offers better privsep but introduces a few more imsgs
  > and runs a little bit more code in the privileged parent. The
  > privileged code is minimal, carefully checked, and does not attempt to
  > "parse" any contents; the forked constraints instantly drop all
  > privileges and pledge to "stdio inet".
  > OK beck@ deraadt@ (reyk@)

pwd_mkdb

  ~ Makefile

  > These no longer need to be static.
  > The ramdisk's no longer reach-around
  > and use the one in the base install, but have their own copy.
  > ok millert sthen miod daniel (deraadt@)

relayctl

  ~ relayctl.c

  > two leftovers string missed in tame->pledge conversion
  > ok jsg@ (semarie@)

smtpd

  ~ makemap.c                             ~ smtpctl.c
  ~ smtpd.c                               ~ util.c

  > do not umask() [with the wrong umask] around mkstemp() calls, no matter
  > how broken other systems are.
  > ok guenther gilles (deraadt@)

  ~ smtp_session.c

  > add Date header when a session initiated locally doesn't add one
  > ok millert@, ok eric@ (gilles@)

  ~ enqueue.c

  > Add missing checks for write errors; OK eric@ (millert@)

  ~ queue_fs.c

  > do not call sync() when committing a message, it's not helping in any way
  > (gilles@)

sysmerge

  ~ sysmerge.sh

  > Only remove existing sum files on trap handlers.
  > req. by semarie@ (ajacoutot@)

  ~ sysmerge.sh

  > Reverse the sm_error call in sm_trap.
  > pointed out by semarie@... I need some sleep :/ (ajacoutot@)

tcpdump

  ~ print-802_11.c

  > Fix a copy-pasto: Check the correct bit for STBC beacon in HT OP element.
  > ok sthen@ (stsp@)

zdump

  ~ zdump.c

  > pledge() "stdio" includes trusting open&read of the root-owned timezone
  > databases located at system paths (a reasonable bar had to be chosen; in
  > the future we can replace the interfaces, since this effort is identifying
  > them and placing their paths in a visible place), so this program only
  > needs "stdio"
  > ok doug (deraadt@)

===============================================================================
