Re: [Fwd: [PATCH] pledge x11/wmii (and other ports?)]

2015-11-23 Thread Christian Weisgerber
On 2015-11-22, "trondd"  wrote:

> I haven't seen much discussion about applying pledge to ports, so I
> thought I'd find out how people feel about it.

Reluctant. Very reluctant.

You may remember that by and large we stopped adding strl* patches
to ports, because they become a maintenance burden when not accepted
upstream and there is a real risk of introducing bugs.

I am very worried about people sprinkling pledge() over ports with
the result that programs die with pledge violations when a user
runs the program slightly differently than the maintainer.  We have
added pledge() to a few popular decompressors because these are a
potential attack vector against the package building machines, and
it took sthen@ and me three attempts to get right an ostensibly
simple program like xz.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: [Fwd: [PATCH] pledge x11/wmii (and other ports?)]

2015-11-22 Thread trondd
On Sun, November 22, 2015 7:43 pm, Theo de Raadt wrote:
>> So I'm reading that as "Yes, but only if you know what you're doing."
>
> You can't just pick pledges; you also have to put them in the right
> place.
>
> You have the wrong pledge arguments, because you are calling pledge
> at the wrong place.
>

One mistake I made...  Was that I wanted pledge as soon as possible, and
forgot the init/main program structure that pledge is designed to work
*with*.  Then I didn't question the results.  Well, that's a benefit of
putting it out there.  I can learn.  And hopefully others do, too.

Tim.



Re: [Fwd: [PATCH] pledge x11/wmii (and other ports?)]

2015-11-22 Thread Theo de Raadt
> One mistake I made...  Was that I wanted pledge as soon as possible, and
> forgot the init/main program structure that pledge is designed to work
> *with*.  Then I didn't question the results.  Well, that's a benefit of
> putting it out there.  I can learn.  And hopefully others do, too.

"pledge as soon as possible" is a design mistake.

The source tree is full of examples showing that this won't work;
less than half of them pledge at the start.
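
The init/main structure this message refers to, as an added example that is not part of the thread and is not wmii or OpenBSD base code: a generic program does its path-based setup first, then pledges only what its main phase needs. The function names, the temporary file and its contents are constructed for illustration, and the `pledge` stand-in for non-OpenBSD systems is an assumption so the file builds elsewhere.

```c
#define _DEFAULT_SOURCE		/* exposes mkstemp(3) under strict -std on glibc */
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: no-op stand-in so this builds where pledge(2) does not exist. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
#endif

/* Init phase: every path-based operation happens here, before the pledge. */
static int init_phase(void)
{
	char path[] = "/tmp/pledge-demo.XXXXXX";
	const char *conf = "border=2\nfont=fixed\n";	/* constructed sample */
	size_t len = strlen(conf);
	int fd = mkstemp(path);		/* would need rpath wpath cpath if pledged */
	if (fd == -1)
		err(1, "mkstemp");
	if (write(fd, conf, len) != (ssize_t)len ||
	    lseek(fd, 0, SEEK_SET) == -1 || unlink(path) == -1)
		err(1, "%s", path);
	return fd;			/* an already-open descriptor survives pledge */
}

/* Main phase: read(2) and close(2) on an open fd are covered by "stdio". */
static int main_phase(int fd)
{
	char buf[256];
	ssize_t n, i;
	int lines = 0;
	while ((n = read(fd, buf, sizeof(buf))) > 0)
		for (i = 0; i < n; i++)
			lines += (buf[i] == '\n');
	close(fd);
	return n == -1 ? -1 : lines;
}

int run_demo(void)
{
	int fd = init_phase();
	if (pledge("stdio", NULL) == -1)	/* after init, narrow promise set */
		err(1, "pledge");
	return main_phase(fd);
}

int main(void) { printf("config lines: %d\n", run_demo()); return 0; }
```

Had the pledge been placed at the top of `run_demo()`, its promise string would have needed the file-system promises for the whole lifetime of the process just to cover `init_phase()`.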



Re: [Fwd: [PATCH] pledge x11/wmii (and other ports?)]

2015-11-22 Thread Theo de Raadt
> So I'm reading that as "Yes, but only if you know what you're doing."

You can't just pick pledges; you also have to put them in the right
place.

You have the wrong pledge arguments, because you are calling pledge
at the wrong place.



Re: [Fwd: [PATCH] pledge x11/wmii (and other ports?)]

2015-11-22 Thread trondd
On Sun, November 22, 2015 4:23 pm, Theo de Raadt wrote:
> That diff is completely wrong.
>
> The addition of "prot_exec" to a pledge should result in some
> significant questions.
>
> You can't pledge a program if you don't understand what it is doing,
> and why.
>
> Misapplication of pledge like this will result in a nightmare.
>
>
>> > I haven't seen much discussion about applying pledge to ports, so I
>> > thought I'd find out how people feel about it.
>>

So I'm reading that as "Yes, but only if you know what you're doing."

>> > I can see downsides to this such as, ports maintainers not necessarily
>> > being involved in the development of the port and having a lower
>> > understanding of the code as compared to OBSD developers with base code

I guess I fell into my own caveat.  Also, thanks for the additional
pointers off-list.

Tim.



Re: [Fwd: [PATCH] pledge x11/wmii (and other ports?)]

2015-11-22 Thread Joerg Jung
On Sun, Nov 22, 2015 at 12:38:22PM -0500, trondd wrote:
> ...And I meant for this to go to ports.  Sorry.
> 
>  Original Message 
> Subject: [PATCH] pledge x11/wmii (and other ports?)
> From:tro...@kagu-tsuchi.com
> Date:Sun, November 22, 2015 12:24 pm
> To:  m...@openbsd.org
> --
> 
> I haven't seen much discussion about applying pledge to ports, so I
> thought I'd find out how people feel about it.

I like it.
 
> I chose to start with x11/wmii because
> a) It's no longer officially developed so (other than updating the port to
> the last release) it's not going to change.
> b) I might be the only one left who uses it.

Yes.  I'm pretty sure you are ;)

However, I would consider github sunaku/wmii the "new" upstream, so
maybe try to push the patches there and gently ask for a release.

> I've been running it pledged since it was tame.
> 
> I can see downsides to this such as, ports maintainers not necessarily being
> involved in the development of the port and having a lower understanding of
> the code as compared to OBSD developers with base code, or not having the
> ability to reorganize or change the code in a way that improves it for pledge.
> 
> Tim.
> 
> 
> Index: Makefile
> ===
> RCS file: /cvs/ports/x11/wmii/Makefile,v
> retrieving revision 1.21
> diff -u -p -r1.21 Makefile
> --- Makefile12 Nov 2015 09:59:41 -  1.21
> +++ Makefile20 Nov 2015 22:33:36 -
> @@ -3,7 +3,7 @@
>  COMMENT=   dynamic window manager
>  DISTNAME=  wmii-3.6
> -REVISION=  6
> +REVISION=  7
>  CATEGORIES=x11
>  HOMEPAGE=  http://wmii.suckless.org/
> cvs server: Diffing patches
> Index: patches/patch-cmd_wmii_main_c
> ===
> RCS file: patches/patch-cmd_wmii_main_c
> diff -N patches/patch-cmd_wmii_main_c
> --- /dev/null   1 Jan 1970 00:00:00 -
> +++ patches/patch-cmd_wmii_main_c   20 Nov 2015 22:33:36 - @@ -0,0
> +1,13 @@
> +$OpenBSD$
> +--- cmd/wmii/main.c.orig   Sun Oct 18 15:10:20 2015
>  cmd/wmii/main.cSun Oct 18 15:10:33 2015
> +@@ -408,6 +408,9 @@ main(int argc, char *argv[]) {
> +   WinAttr wa;
> +   int i;
> +
> ++  if (pledge("stdio rpath cpath fattr unix proc exec prot_exec",
> NULL) == -1)
> ++  err(1, "pledge");
> ++
> +   fmtinstall('r', errfmt);
> +   fmtinstall('C', Cfmt);
> +
> Index: patches/patch-cmd_wmiir_c
> ===
> RCS file: patches/patch-cmd_wmiir_c
> diff -N patches/patch-cmd_wmiir_c
> --- /dev/null   1 Jan 1970 00:00:00 -
> +++ patches/patch-cmd_wmiir_c   20 Nov 2015 22:33:36 -
> @@ -0,0 +1,13 @@
> +$OpenBSD$
> +--- cmd/wmiir.c.orig   Sun Oct 18 15:09:57 2015
>  cmd/wmiir.cSun Oct 18 15:10:44 2015
> +@@ -312,6 +312,9 @@ main(int argc, char *argv[]) {
> +   exectab *tab;
> +   int ret;
> +
> ++  if (pledge("stdio unix", NULL) == -1)
> ++  err(1, "pledge");
> ++
> +   fmtinstall('r', errfmt);
> +
> +   address = getenv("WMII_ADDRESS");
> 
> 



[Fwd: [PATCH] pledge x11/wmii (and other ports?)]

2015-11-22 Thread trondd
...And I meant for this to go to ports.  Sorry.

 Original Message 
Subject: [PATCH] pledge x11/wmii (and other ports?)
From:tro...@kagu-tsuchi.com
Date:Sun, November 22, 2015 12:24 pm
To:  m...@openbsd.org
--

I haven't seen much discussion about applying pledge to ports, so I
thought I'd find out how people feel about it.

I chose to start with x11/wmii because
a) It's no longer officially developed so (other than updating the port to
the last release) it's not going to change.
b) I might be the only one left who uses it.

I've been running it pledged since it was tame.

I can see downsides to this such as, ports maintainers not necessarily being
involved in the development of the port and having a lower understanding of
the code as compared to OBSD developers with base code, or not having the
ability to reorganize or change the code in a way that improves it for pledge.

Tim.


Index: Makefile
===
RCS file: /cvs/ports/x11/wmii/Makefile,v
retrieving revision 1.21
diff -u -p -r1.21 Makefile
--- Makefile12 Nov 2015 09:59:41 -  1.21
+++ Makefile20 Nov 2015 22:33:36 -
@@ -3,7 +3,7 @@
 COMMENT=   dynamic window manager
 DISTNAME=  wmii-3.6
-REVISION=  6
+REVISION=  7
 CATEGORIES=x11
 HOMEPAGE=  http://wmii.suckless.org/
cvs server: Diffing patches
Index: patches/patch-cmd_wmii_main_c
===
RCS file: patches/patch-cmd_wmii_main_c
diff -N patches/patch-cmd_wmii_main_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-cmd_wmii_main_c   20 Nov 2015 22:33:36 - @@ -0,0
+1,13 @@
+$OpenBSD$
+--- cmd/wmii/main.c.orig   Sun Oct 18 15:10:20 2015
 cmd/wmii/main.cSun Oct 18 15:10:33 2015
+@@ -408,6 +408,9 @@ main(int argc, char *argv[]) {
+   WinAttr wa;
+   int i;
+
++  if (pledge("stdio rpath cpath fattr unix proc exec prot_exec",
NULL) == -1)
++  err(1, "pledge");
++
+   fmtinstall('r', errfmt);
+   fmtinstall('C', Cfmt);
+
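
Review bot: The pledge() call is placed at the very top of main(), ahead of fmtinstall() and all other startup, so the promise list has to cover everything initialization does as well as what the running window manager needs. Move the call to the point where initialization is complete and re-derive the promises from what the program still does after that; "prot_exec", "proc" and "exec" each need a stated reason in a comment or should be dropped. The patch also contains no hunk adding includes, so confirm that main.c already pulls in <unistd.h> for pledge() and <err.h> for err().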
Index: patches/patch-cmd_wmiir_c
===
RCS file: patches/patch-cmd_wmiir_c
diff -N patches/patch-cmd_wmiir_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-cmd_wmiir_c   20 Nov 2015 22:33:36 -
@@ -0,0 +1,13 @@
+$OpenBSD$
+--- cmd/wmiir.c.orig   Sun Oct 18 15:09:57 2015
 cmd/wmiir.cSun Oct 18 15:10:44 2015
+@@ -312,6 +312,9 @@ main(int argc, char *argv[]) {
+   exectab *tab;
+   int ret;
+
++  if (pledge("stdio unix", NULL) == -1)
++  err(1, "pledge");
++
+   fmtinstall('r', errfmt);
+
+   address = getenv("WMII_ADDRESS");
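
Review bot: pledge("stdio unix") is called before getenv("WMII_ADDRESS") is read and before tab, the exectab pointer declared just above, is set, so this single promise set must hold for every address form and every command the program accepts. Any path that needs more than stdio and unix-socket access will kill the process with a pledge violation instead of returning an error. Either place the call after the address and command are known and choose promises to match, or note in the patch which invocations were tested against "stdio unix".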




Re: [Fwd: [PATCH] pledge x11/wmii (and other ports?)]

2015-11-22 Thread Theo de Raadt
That diff is completely wrong.

The addition of "prot_exec" to a pledge should result in some
significant questions.

You can't pledge a program if you don't understand what it is doing,
and why.

Misapplication of pledge like this will result in a nightmare.

> On Sun, Nov 22, 2015 at 12:38:22PM -0500, trondd wrote:
> > ...And I meant for this to go to ports.  Sorry.
> > 
> >  Original Message 
> > Subject: [PATCH] pledge x11/wmii (and other ports?)
> > From:tro...@kagu-tsuchi.com
> > Date:Sun, November 22, 2015 12:24 pm
> > To:  m...@openbsd.org
> > --
> > 
> > I haven't seen much discussion about applying pledge to ports, so I
> > thought I'd find out how people feel about it.
> 
> I like it.
>  
> > I chose to start with x11/wmii because
> > a) It's no longer officially developed so (other than updating the port to
> > the last release) it's not going to change.
> > b) I might be the only one left who uses it.
> 
> Yes.  I'm pretty sure you are ;)
> 
> However, I would consider github sunaku/wmii the "new" upstream, so
> maybe try to push the patches there and gently ask for a release.
> 
> > I've been running it pledged since it was tame.
> > 
> > I can see downsides to this such as, ports maintainers not necessarily being
> > involved in the development of the port and having a lower understanding of
> > the code as compared to OBSD developers with base code, or not having the
> > ability to reorganize or change the code in a way that improves it for pledge.
> > 
> > Tim.
> > 
> > 
> > Index: Makefile
> > ===
> > RCS file: /cvs/ports/x11/wmii/Makefile,v
> > retrieving revision 1.21
> > diff -u -p -r1.21 Makefile
> > --- Makefile12 Nov 2015 09:59:41 -  1.21
> > +++ Makefile20 Nov 2015 22:33:36 -
> > @@ -3,7 +3,7 @@
> >  COMMENT=   dynamic window manager
> >  DISTNAME=  wmii-3.6
> > -REVISION=  6
> > +REVISION=  7
> >  CATEGORIES=x11
> >  HOMEPAGE=  http://wmii.suckless.org/
> > cvs server: Diffing patches
> > Index: patches/patch-cmd_wmii_main_c
> > ===
> > RCS file: patches/patch-cmd_wmii_main_c
> > diff -N patches/patch-cmd_wmii_main_c
> > --- /dev/null   1 Jan 1970 00:00:00 -
> > +++ patches/patch-cmd_wmii_main_c   20 Nov 2015 22:33:36 - @@ -0,0
> > +1,13 @@
> > +$OpenBSD$
> > +--- cmd/wmii/main.c.orig   Sun Oct 18 15:10:20 2015
> >  cmd/wmii/main.cSun Oct 18 15:10:33 2015
> > +@@ -408,6 +408,9 @@ main(int argc, char *argv[]) {
> > +   WinAttr wa;
> > +   int i;
> > +
> > ++  if (pledge("stdio rpath cpath fattr unix proc exec prot_exec",
> > NULL) == -1)
> > ++  err(1, "pledge");
> > ++
> > +   fmtinstall('r', errfmt);
> > +   fmtinstall('C', Cfmt);
> > +
> > Index: patches/patch-cmd_wmiir_c
> > ===
> > RCS file: patches/patch-cmd_wmiir_c
> > diff -N patches/patch-cmd_wmiir_c
> > --- /dev/null   1 Jan 1970 00:00:00 -
> > +++ patches/patch-cmd_wmiir_c   20 Nov 2015 22:33:36 -
> > @@ -0,0 +1,13 @@
> > +$OpenBSD$
> > +--- cmd/wmiir.c.orig   Sun Oct 18 15:09:57 2015
> >  cmd/wmiir.cSun Oct 18 15:10:44 2015
> > +@@ -312,6 +312,9 @@ main(int argc, char *argv[]) {
> > +   exectab *tab;
> > +   int ret;
> > +
> > ++  if (pledge("stdio unix", NULL) == -1)
> > ++  err(1, "pledge");
> > ++
> > +   fmtinstall('r', errfmt);
> > +
> > +   address = getenv("WMII_ADDRESS");
> > 
> > 
>