On Wed, Apr 27, 2016 at 12:01:17AM -0700, steve latif wrote:
> Updated diff:
> Added proc to the pledge list to deal with the system() in html.c

semarie's test case is still broken with the new patch (exec promise
missing).

> I missed system() as it's not mentioned in the man page for pledge(2)
> Including a second diff to add system() to the man page.
> 
> I wrote a script to test out different combinations of command line options.
> I went through the output of nm, readelf and the source code.
> steve
> 
> 
> On Sun, Apr 24, 2016 at 12:36 AM, Sebastien Marie <sema...@openbsd.org> wrote:
> > On Sat, Apr 23, 2016 at 08:40:55PM +0200, David Dahlberg wrote:
> >>
> >> Attached is a patch that has a first pledge after setlocale, and a
> >> second call the command line parsing, which removes write access.
> >
> > for me, the first pledge call is superfluous: it didn't really add gain
> > to the program.
> >
> > pledging ports should be kept as simple diffs: it will be more simple later
> > for merging with port updates (because all the checks should be redone
> > in case of feature additions or changes...)
> >
> >> I bid somebody with better C skills in using debuggers and reading
> >> symbols than me to check, whether this should be sufficient. Steve,
> >> didn't you volunteer? ;-)
> >
> > I already pointed system(3) call in html.c (requiring "proc exec").
> >
> > $ tree -R -L 2 -H .
> > Abort trap (core dumped)
> >
> > the system(3) call occurs with the combination of these 3 options. It is
> > why dynamic approach is really hard to be exhaustive.
> >
> >
> > Please don't send patches if you aren't confident in your pledge
> > promises: devs will not have time to check and review all the code to be
> > sure that promises you pledge are good.
> >
> > Consider also that once bad promises are committed, the port could
> > become unusable for other users, and the problem could be more
> > important if it isn't caught in -current and bad promises go to
> > -stable (more work for devs). And users of the port will be angry about
> > pledge(2) and you.
> > --
> > Sebastien Marie
> >

> Index: patches/patch-tree_c
> ===================================================================
> RCS file: patches/patch-tree_c
> diff -N patches/patch-tree_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-tree_c      27 Apr 2016 05:47:44 -0000
> @@ -0,0 +1,15 @@
> +$OpenBSD$
> +--- tree.c.orig      Wed Apr 23 14:38:24 2014
> ++++ tree.c   Sun Apr 24 22:31:03 2016
> +@@ -103,6 +103,11 @@ int main(int argc, char **argv)
> +   dirs[0] = 0;
> +   Level = -1;
> + 
> ++  if (pledge("stdio rpath cpath wpath proc", NULL) == -1){
> ++    fprintf(stderr, "%s: pledge\n", argv[0]);
> ++    exit(1);
> ++  }  
> ++  
> +   setlocale(LC_CTYPE, "");
> +   setlocale(LC_COLLATE, "");
> + 
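Review bot: The promise string in the added pledge() call has "proc" but no "exec", so the system(3) call in html.c, which the thread says requires "proc exec", will still abort; `tree -R -L 2 -H .` should run cleanly before this is committed. Add "exec" to the string and re-test that option combination. Two smaller points: the error path prints only "pledge" with no errno text, where err(1, "pledge") would report why the call failed, and the closing `}` line and the blank line after it carry trailing whitespace.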

> Index: pledge.2
> ===================================================================
> RCS file: /cvs/src/lib/libc/sys/pledge.2,v
> retrieving revision 1.32
> diff -u -p -r1.32 pledge.2
> --- pledge.2  13 Apr 2016 14:24:30 -0000      1.32
> +++ pledge.2  27 Apr 2016 03:20:10 -0000
> @@ -438,7 +438,8 @@ Allows the following process relationshi
>  .Xr setpriority 2 ,
>  .Xr setrlimit 2 ,
>  .Xr setpgid 2 ,
> -.Xr setsid 2 .
> +.Xr setsid 2 ,
> +.Xr system 3 .
>  .It Va "exec"
>  Allows a process to call
>  .Xr execve 2 .
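Review bot: Appending system(3) to the "proc" list tells readers that "proc" alone is enough to call it, but the next item in this same hunk assigns execve(2) to "exec", and the thread states that system(3) requires "proc exec". It is also the only section 3 entry among the section 2 calls visible in this list. If system(3) is to be documented here, say explicitly that it needs both "proc" and "exec" rather than adding it to the "proc" syscall list.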

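The gap discussed in this thread, a system(3) call reached only with `-R -L 2 -H` under a promise string that lacks "exec", can also be caught from the source instead of by running option combinations. The sketch below is an added example, not part of the thread or of the tree port; the function names, the promise table entries other than system(3), and the two constructed source snippets are assumptions.

```python
import re

# Promises each libc call needs. system(3) -> "proc exec" comes from the
# thread; the remaining entries are assumptions added for this example.
NEEDS = {
    "system": {"proc", "exec"},
    "popen": {"proc", "exec"},
    "fork": {"proc"},
    "execve": {"exec"},
    "execvp": {"exec"},
}
PLEDGE_RE = re.compile(r'\bpledge\s*\(\s*"([^"]*)"')
CALL_RE = re.compile(r'\b(%s)\s*\(' % "|".join(NEEDS))

def strip_comments(src):
    """Blank out C comments but keep newlines so line numbers stay valid."""
    keep_newlines = lambda m: "\n" * m.group(0).count("\n")
    src = re.sub(r'/\*.*?\*/', keep_newlines, src, flags=re.S)
    return re.sub(r'//[^\n]*', '', src)

def missing_promises(sources):
    """Map (file, line, call) to the promises that call needs but lacks."""
    cleaned = {name: strip_comments(text) for name, text in sources.items()}
    pledges = [set(m.group(1).split())
               for text in cleaned.values()
               for m in PLEDGE_RE.finditer(text)]
    # With several pledge() calls, check against the tightest common set.
    pledged = set.intersection(*pledges) if pledges else set()
    report = {}
    for name, text in cleaned.items():
        for m in CALL_RE.finditer(text):
            lacking = NEEDS[m.group(1)] - pledged
            if lacking:
                line = text.count("\n", 0, m.start()) + 1
                report[(name, line, m.group(1))] = sorted(lacking)
    return report

# Constructed snippets: the pledge string is the one from the patch, the
# html.c body is a stand-in for the real file.
SAMPLE = {
    "tree.c": 'int main(void) {\n'
              '  if (pledge("stdio rpath cpath wpath proc", NULL) == -1)\n'
              '    exit(1);\n}\n',
    "html.c": '/* system("old"); */\nvoid emit(char *cmd) {\n'
              '  system(cmd);\n}\n',
}

if __name__ == "__main__":
    for (name, line, call), lacking in missing_promises(SAMPLE).items():
        print(f"{name}:{line}: {call}() needs {' '.join(lacking)}")
```

A text scan like this only finds direct calls by name; calls made inside linked libraries still need the nm and readelf inspection mentioned in the thread.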