Re: Permit reading kern.somaxconn with unix pledge
Theo de Raadt writes:
> I have reviewed all the pledge using programs in the tree, and I do not
> see additional risk from this change.
>
> Who wants to take care of the commit?

I'll snag it!

>
> Josh Rickmar wrote:
>
>> The kern.somaxconn sysctl was previously permitted under the inet
>> pledge, which allowed pledged Go applications to listen on AF_INET and
>> AF_INET6 domains.
>>
>> https://marc.info/?l=openbsd-tech=158069595809463=2
>> https://marc.info/?l=openbsd-cvs=158081099810301=2
>>
>> But Go will also read this sysctl when only using unix domain sockets.
>> The patch below additionally permits reading this sysctl if the unix
>> pledge is granted.
>>
>> Note that for this to be tested and useful (where useful means not
>> running with the inet pledge), Go's net package also needs a patch:
>> https://gist.github.com/jrick/878236e2f3735d35d5a737936439cb81
>>
>> diff b17f936e67043f9c006633bac4e3630f86dd05c2 /usr/src
>> blob - 9ffb7f2ffb9d05d6dd741e180b62141fb5e91f0b
>> file + sys/kern/kern_pledge.c
>> --- sys/kern/kern_pledge.c
>> +++ sys/kern/kern_pledge.c
>> @@ -888,7 +888,7 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, vo
>> return (0);
>> }
>>
>> -if ((p->p_p->ps_pledge & PLEDGE_INET)) {
>> +if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) {
>> if (miblen == 2 && /* kern.somaxconn */
>> mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
>> return (0);
>>
Re: Permit reading kern.somaxconn with unix pledge
I have reviewed all the pledge using programs in the tree, and I do not
see additional risk from this change.

Who wants to take care of the commit?

Josh Rickmar wrote:
> The kern.somaxconn sysctl was previously permitted under the inet
> pledge, which allowed pledged Go applications to listen on AF_INET and
> AF_INET6 domains.
>
> https://marc.info/?l=openbsd-tech=158069595809463=2
> https://marc.info/?l=openbsd-cvs=158081099810301=2
>
> But Go will also read this sysctl when only using unix domain sockets.
> The patch below additionally permits reading this sysctl if the unix
> pledge is granted.
>
> Note that for this to be tested and useful (where useful means not
> running with the inet pledge), Go's net package also needs a patch:
> https://gist.github.com/jrick/878236e2f3735d35d5a737936439cb81
>
> diff b17f936e67043f9c006633bac4e3630f86dd05c2 /usr/src
> blob - 9ffb7f2ffb9d05d6dd741e180b62141fb5e91f0b
> file + sys/kern/kern_pledge.c
> --- sys/kern/kern_pledge.c
> +++ sys/kern/kern_pledge.c
> @@ -888,7 +888,7 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, vo
> return (0);
> }
>
> - if ((p->p_p->ps_pledge & PLEDGE_INET)) {
> + if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) {
> if (miblen == 2 && /* kern.somaxconn */
> mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
> return (0);
>
Re: Permit reading kern.somaxconn with unix pledge
On Mon, Feb 01, 2021 at 08:18:53PM +, Josh Rickmar wrote:
> The kern.somaxconn sysctl was previously permitted under the inet
> pledge, which allowed pledged Go applications to listen on AF_INET and
> AF_INET6 domains.
>
> https://marc.info/?l=openbsd-tech=158069595809463=2
> https://marc.info/?l=openbsd-cvs=158081099810301=2
>
> But Go will also read this sysctl when only using unix domain sockets.
> The patch below additionally permits reading this sysctl if the unix
> pledge is granted.
>
> Note that for this to be tested and useful (where useful means not
> running with the inet pledge), Go's net package also needs a patch:
> https://gist.github.com/jrick/878236e2f3735d35d5a737936439cb81
>
> diff b17f936e67043f9c006633bac4e3630f86dd05c2 /usr/src
> blob - 9ffb7f2ffb9d05d6dd741e180b62141fb5e91f0b
> file + sys/kern/kern_pledge.c
> --- sys/kern/kern_pledge.c
> +++ sys/kern/kern_pledge.c
> @@ -888,7 +888,7 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, vo
> return (0);
> }
>
> - if ((p->p_p->ps_pledge & PLEDGE_INET)) {
> + if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) {
> if (miblen == 2 && /* kern.somaxconn */
> mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
> return (0);

Ping. The necessary Go patch just landed in their development branch, and
should appear in Go 1.17 at the very latest.
Permit reading kern.somaxconn with unix pledge
The kern.somaxconn sysctl was previously permitted under the inet
pledge, which allowed pledged Go applications to listen on AF_INET and
AF_INET6 domains.

https://marc.info/?l=openbsd-tech=158069595809463=2
https://marc.info/?l=openbsd-cvs=158081099810301=2

But Go will also read this sysctl when only using unix domain sockets.
The patch below additionally permits reading this sysctl if the unix
pledge is granted.

Note that for this to be tested and useful (where useful means not
running with the inet pledge), Go's net package also needs a patch:
https://gist.github.com/jrick/878236e2f3735d35d5a737936439cb81

diff b17f936e67043f9c006633bac4e3630f86dd05c2 /usr/src
blob - 9ffb7f2ffb9d05d6dd741e180b62141fb5e91f0b
file + sys/kern/kern_pledge.c
--- sys/kern/kern_pledge.c
+++ sys/kern/kern_pledge.c
@@ -888,7 +888,7 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, vo
return (0);
}

- if ((p->p_p->ps_pledge & PLEDGE_INET)) {
+ if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) {
if (miblen == 2 && /* kern.somaxconn */
mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
return (0);
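Review bot: widening the mask on the `if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX)))` line makes every allow-list check inside that block reachable with only the unix promise, but the hunk's trailing context stops at the kern.somaxconn `return (0);`, so it does not show whether the block's closing brace follows immediately. Please confirm in the review that kern.somaxconn is the only sysctl inside that body; if any other inet-only MIB shares the block, it should be split out under its own `PLEDGE_INET` test rather than inherit the wider mask. The inline comment `/* kern.somaxconn */` could also note why the unix promise now qualifies (listen(2) backlog sizing for unix sockets, per the message above), so the next reader does not mistake the disjunction for a typo, and if pledge(2) enumerates the sysctls each promise permits, the unix entry should be updated in the same commit.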