Re: Install from snapshot unable boot

2015-11-27 Thread Antoine Jacoutot 
On Fri, Nov 27, 2015 at 08:58:33AM +0100, Rolf Sommerhalder wrote:
> The current snapshot fails to install from .iso at the very last step
> at writing the boot info to disk on VirtualBox.
> 
> http://mirror.switch.ch/ftp/pub/OpenBSD/snapshots/i386/BUILDINFO
> Build date: 1448569476 - Thu Nov 26 20:24:36 UTC 2015
> 
> Using "the same procedure", install from an older i386 snapshot from 5
> Nov 2015, followed by an update to the current snapshot using bsd.rd,
> works as usual.

Yeah, that's because of pledge(2):
installboot(19095): syscall 54 "ioctl"

-- 
Antoine

Install from snapshot unable boot

2015-11-27 Thread Rolf Sommerhalder 
The current snapshot fails to install from .iso at the very last step
at writing the boot info to disk on VirtualBox.

http://mirror.switch.ch/ftp/pub/OpenBSD/snapshots/i386/BUILDINFO
Build date: 1448569476 - Thu Nov 26 20:24:36 UTC 2015

Using "the same procedure", install from an older i386 snapshot from 5
Nov 2015, followed by an update to the current snapshot using bsd.rd,
works as usual.

Re: Install from snapshot unable boot

2015-11-27 Thread Rolf Sommerhalder 
On Fri, Nov 27, 2015 at 9:01 AM, Antoine Jacoutot  wrote:
> Yeah, that's because of pledge(2):
> installboot(19095): syscall 54 "ioctl"

Thank for your confirmation. I did not spot the error message above,
but saw a commit from Theo last night related to installboot. So I
thought this might be connected, and maybe relevant feedback.

Re: Install from snapshot unable boot

2015-11-27 Thread Theo Buehler 
On Fri, Nov 27, 2015 at 09:12:11AM +0100, Rolf Sommerhalder wrote:
> On Fri, Nov 27, 2015 at 9:01 AM, Antoine Jacoutot  
> wrote:
> > Yeah, that's because of pledge(2):
> > installboot(19095): syscall 54 "ioctl"
> 
> Thank for your confirmation. I did not spot the error message above,
> but saw a commit from Theo last night related to installboot. So I
> thought this might be connected, and maybe relevant feedback.
> 

To be able to pledge installboot as it currently stands, two ioctl's
would need to be whitelisted in pledge "disklabel".  I don't know if
this would be an acceptable policy, though.  Tested on amd64, FWIW:

$ /usr/bin/doas installboot -v sd1
Password:
Using / as root
installing bootstrap on /dev/rsd1c
using first-stage /usr/mdec/biosboot, second-stage /usr/mdec/boot
sd1: softraid volume with 1 disk(s)
sd1: installing boot loader on softraid volume
/usr/mdec/boot is 5 blocks x 16384 bytes
sd0a: installing boot blocks on /dev/rsd0c, part offset 144
master boot record (MBR) at sector 0
partition 3: type 0xA6 offset 64 size 625137281
/usr/mdec/biosboot will be written at sector 64
$

Index: sys/kern/kern_pledge.c
===
RCS file: /var/cvs/src/sys/kern/kern_pledge.c,v
retrieving revision 1.124
diff -u -p -r1.124 kern_pledge.c
--- sys/kern/kern_pledge.c  25 Nov 2015 15:53:01 -  1.124
+++ sys/kern/kern_pledge.c  27 Nov 2015 09:21:08 -
@@ -1178,7 +1178,9 @@ pledge_ioctl(struct proc *p, long com, s
case DIOCGPDINFO:
case DIOCRLDINFO:
case DIOCWDINFO:
+   case BIOCDISK:
case BIOCINQ:
+   case BIOCINSTALLBOOT:
case BIOCVOL:
if (fp->f_type == DTYPE_VNODE &&
((vp->v_type == VCHR &&