r/db/acpi.
--
Sebastien Marie
On Thu, Apr 20, 2017 at 12:08:02PM +0200, Sebastien Marie wrote:
>
> profil(2) syscall itself could be allowed in "stdio" with specific
> arguments: profil(NULL, 0, 0, 0) (but some code inspection should be
> done before: extending "stdio" is not neutral - think t
oxing). Only this
particular call of profil(2) is run under pledge(2): the first call is
done before calling main() so before any pledge(2) call set by
user code.
--
Sebastien Marie
uires "stdio" promise too (sysctl(3) code,
getuid(2), ...)
Thanks.
--
Sebastien Marie
On Thu, Apr 20, 2017 at 08:18:59AM +0200, Anton Lindqvist wrote:
> Hi,
> Profiling a pledged program using gprof(1) is not possible since the
> profil(2) syscall is not allowed. I have prev
in base or ports.
Below is a diff to put it back in case it is important.
Thanks.
--
Sebastien Marie
Index: gcc.alpha
===
RCS file: /cvs/src/distrib/sets/lists/comp/gcc.alpha,v
retrieving revision 1.2
diff -u -p -r1.2 gcc.alpha
net/mtr to avoid defining multiple sockets (one
per protocol) and to control TOS and TTL fields in the IP header.
As alternative code is present in net.c (in case IP_HDRINCL isn't
defined), isn't it possible to use it instead of extending "inet" promise ?
Thanks.
--
Sebastien Marie
On Tue, Feb 21, 2017 at 08:31:43PM +0100, Sebastien Marie wrote:
> Hi,
>
> The following diff adds regress tests for sendfd/recvfd promises.
>
same diff, but rebased in right directory, and including Makefile
modification.
sorry.
--
Sebastien Marie
Ind
= VREG VDIR VBLK VCHAR VLNK VSOCK VFIFO
$ ./sendrecvfd sendfd VDIR
Abort trap (core dumped)
And Makefile has some loop to test all cases.
--
Sebastien Marie
Index: Makefile
===
RCS file: Makefile
diff -N Makefile
--- /dev/null
Hi,
The Makefile for regress/sys/kern/pledge/ioctl defines a user setting
(SUDO), and makes it fail when doas(1) isn't configured.
So just remove it, as it should be defined in /etc/mk.conf if needed.
--
Sebastien Marie
Index: Mak
't very
practical for rerunning only individual tests. Further test additions should
occur as individual tests (as "regress/sys/kern/pledge/ioctl"). I will
also try to rewrite tests in generic as individual tests.
Thanks.
--
Sebastien Marie
Index: main.c
===
)'
The comment in your key file has been changed.
The following diff should correct it.
As side note, I found the output of ssh-keygen a bit confusing as the
printed comment is the old one (but it could be due to English isn't my
luding the kernel image, onto the dump device.
So physical RAM + some megas for kernel ?
> On 2017-02-04 03:17, Philip Guenther wrote:
> > On Fri, 3 Feb 2017, Sebastien Marie wrote:
> > ...
> > > My understanding is if savecore(8) is able to extract bsd.core
> > >
n not permitted
939 tcpdump PSIG SIGABRT SIG_DFL
939 tcpdump NAMI "tcpdump.core"
(here is an error I faked as I don't reproduce your problem).
Thanks.
--
Sebastien Marie
ations, you found two documentation bugs !
The man page one was already committed by deraadt@, for the faq the
following patch should do the work.
Thanks.
--
Sebastien Marie
Index: faq/pf/ftp.html
===
RCS file: /cvs/www/faq/pf/ftp.h
Hi,
The user of ftp-proxy(8) for privdrop is _ftp_proxy. The man page has
a typo in the username mentioned.
src/usr.sbin/ftp-proxy/ftp-proxy.c
#define CHROOT_DIR "/var/empty"
#define NOPRIV_USER "_ftp_proxy"
Thanks.
--
Sebastien Marie
On Mon, Jan 09, 2017 at 06:12:37PM +, Stuart Henderson wrote:
> On 2017/01/09 19:00, Sebastien Marie wrote:
> > On Sun, Jan 08, 2017 at 12:29:50PM +0100, Sebastien Marie wrote:
> > > Hi,
> > >
> > > The "OpenSSL bindings for Rust" checks,
On Sun, Jan 08, 2017 at 12:29:50PM +0100, Sebastien Marie wrote:
> Hi,
>
> The "OpenSSL bindings for Rust" checks, using pkg-config, the version of
> openssl installed, and target 1.0.1 as minimal version.
>
> Under OpenBSD, /usr/lib/pkgconfig/openssl.pc is gene
"Version: 1.0.0" as on OpenBSD.
Thanks.
--
Sebastien Marie
lem, whereas previously panic occurred soon
after starting.
I will keep it running.
Thanks.
--
Sebastien Marie
clyde lpd[9254]: lp: job could not be printed
(cfA014clyde.local)
--
Sebastien Marie
Index: lpd/printjob.c
===
RCS file: /cvs/src/usr.sbin/lpr/lpd/printjob.c,v
retrieving revision 1.57
diff -u -p -U5 -r1.57 printjob.c
--- lpd/printjo
"cpath" was for Tek emulation window. I also reviewed
several functions for ensuring no other use of "cpath" after pledging.
Ideally, additional review would be welcome: xterm(1) is a big program,
and #ifdef maze is a bit compl
root will still make the program run with effective uid as root,
isn't it ?
I think we always want to drop effective uid once SOCK_RAW socket has
been opened.
Thanks.
--
Sebastien Marie
> Index: usr.sbin/traceroute/traceroute.c
> =
On Sat, Sep 24, 2016 at 04:35:39PM -0700, Philip Guenther wrote:
> On Sat, 24 Sep 2016, Sebastien Marie wrote:
> ...
> > The following diff adds a `va_nlink' member in `struct kinfo_file'. The
> > information becomes available through sysctl(3) via KERN_FILE interface,
&
sndiod(ok)
# check that now, the running process uses the new inode.
$ fstat | grep 'sndio.*text'
_sndio sndiod 79950 text /usr 2754467 -r-xr-xr-x r 80160
_sndiop sndiod 1725 text /usr 2754467 -r-xr-xr-x r80160
Does it make any interest ?
Thanks.
--
moved files:
> etc: csh.cshrc csh.login csh.logout
>
> Log message:
> remove pointless csh placeholder files from /etc
>
> ok jung@ (some time ago) phessler@
>
should /etc/changelist be cleared too ? I am unsure as it could
also make sense to keep csh.{cshrc,login,
On Tue, Jul 05, 2016 at 08:12:05PM +0200, Martin Pelikan wrote:
>
> The uint64_t part still stands.
>
ok semarie@
--
Sebastien Marie
"restricted"
(with -U, -x ...) : else any running xmessage(1) program on the host
will be killed (remote X11 xmessage on the host while another user log
using xdm).
--
Sebastien Marie
On Sun, Jun 26, 2016 at 12:37:57PM -0700, Philip Guenther wrote:
> On Sun, Jun 26, 2016 at 9:09 AM, Sebastien Marie wrote:
> > In the following code, namei() call is done in doutimensat(), and
> > nd.ni_vp is passed to dovutimens() as vp.
> >
> > In the same way, i
Hi,
When calling revoke(2) on a no-tty device, we return ENOTTY without
relaxing the vnode obtained with namei().
Use the error code path instead to call vrele(vp) before returning
ENOTTY.
OK ?
--
Sebastien Marie
Index: kern/vfs_syscalls.c
Hi,
In the following code, namei() call is done in doutimensat(), and
nd.ni_vp is passed to dovutimens() as vp.
In the same way, in dofutimens() the vp (from getvnode) is vref() before
calling dovutimens().
So I think we should call vput() before returning any error.
--
Sebastien Marie
Index
&nd) call with:
NDINITAT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, fd, path, p);
Does it make sense ?
--
Sebastien Marie
Index: kern/vfs_syscalls.c
===
RCS file: /cvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.256
t;stdio rpath wpath dpath fattr cpath getpw
> ioctl",
> NULL) == -1)
> err(1, "pledge");
> }
>
I agree with your diff.
While here, reorder pledge promises to make the order consistent in pa
for (f = fields; f->name != NULL; f++) {
> + printf("%s=", f->name);
> + print_val(f, f->raddr);
> + printf("\n");
> }
> - } else {
> - while (argc--) {
> - char *q;
> -
> - if ((q = strchr(*argv, '=')) != NULL) {
> - *q++ = 0;
> - p = findfield(*argv);
> - if (p == 0)
> - warnx("field `%s' does not exist",
> *argv);
> - else {
> - if (!canwrite)
> - errx(1, "%s: permission denied",
> - *argv);
> - if (p->flags & READONLY)
> - warnx("`%s' is read only",
> *argv);
> - else {
> - rdfield(p, q);
> - if (p->valp == &fullduplex)
> - if (ioctl(fd,
> AUDIO_SETFD,
> - &fullduplex) < 0)
> - err(1, "set
> failed");
> - }
> - writeinfo = 1;
> - }
> - } else {
> - p = findfield(*argv);
> - if (p == 0)
> - warnx("field %s does not exist", *argv);
> - else {
> - prfield(p, sep);
> - }
> - }
> - argv++;
> + }
> + AUDIO_INITPAR(&wpar);
> + for (; argc > 0; argc--, argv++) {
> + lhs = *argv;
> + rhs = strchr(*argv, '=');
> + if (rhs)
> + *rhs++ = '\0';
> + for (f = fields;; f++) {
> + if (f->name == NULL)
> + errx(1, "%s: unknown parameter", lhs);
> + if (strcmp(f->name, lhs) == 0)
> + break;
> }
> - if (writeinfo) {
> - info.record.sample_rate = info.play.sample_rate;
> - info.record.encoding = info.play.encoding;
> - info.record.precision = info.play.precision;
> - info.record.bps = info.play.bps;
> - info.record.msb = info.play.msb;
> - info.record.block_size = block_size *
> - info.record.bps * info.record.channels;
> - info.play.block_size = block_size *
> - info.play.bps * info.play.channels;
> - if (ioctl(fd, AUDIO_SETINFO, &info) < 0)
> - err(1, "set failed");
> + if (rhs) {
> + if (f->waddr == NULL)
> + errx(1, "%s: is read only", f->name);
> + parse_val(f, f->waddr, rhs);
> + f->set = 1;
> + set = 1;
> + } else {
> + if (print_names)
> + printf("%s=", f->name);
> + print_val(f, f->raddr);
> + printf("\n");
> }
> - getinfo(fd);
> - for (i = 0; fields[i].name; i++) {
> - if (fields[i].flags & SET) {
> - prfield(&fields[i], sep);
> - }
> + }
> + if (!set)
> + return 0;
> + if (ioctl(fd, AUDIO_SETPAR, &wpar) < 0)
> + err(1, "AUDIO_SETPAR");
> + if (ioctl(fd, AUDIO_GETPAR, &wpar) < 0)
> + err(1, "AUDIO_GETPAR");
> + for (f = fields; f->name != NULL; f++) {
> + if (!f->set || quiet)
> + continue;
> + if (print_names) {
> + printf("%s: ", f->name);
> + print_val(f, f->raddr);
> + printf(" -> ");
> }
> + print_val(f, f->waddr);
> + printf("\n");
> }
> - exit(0);
> + return 0;
> }
>
>
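Review bot: in the argument loop, `name=` with nothing after the `=` reaches parse_val(f, f->waddr, rhs) with an empty string, and the hunk does not show parse_val rejecting it; make sure an empty or partly numeric value ends in errx() rather than being stored in wpar. In the final loop the `quiet` test is loop-invariant, so `if (quiet) return 0;` placed before that loop would read more clearly than `if (!f->set || quiet) continue;`.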
--
Sebastien Marie
ledge");
> -
> while ((ch = getopt(argc, argv, "iegpuvf:c:h:s:l:b:y")) != -1) {
> const char *errstr;
>
> @@ -168,6 +164,10 @@ main(int argc, char *argv[])
>
> disk.name = argv[0];
> DISK_open(i_flag || u_flag || e_flag);
> +
> + /* "proc exec" for man page display */
> + if (pledge("stdio rpath wpath disklabel proc exec", NULL) == -1)
> + err(1, "pledge");
>
> error = MBR_read(0, &dos_mbr);
> if (error)
>
>
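Review bot: the pledge() added after DISK_open() grants "proc exec" on every invocation, although the comment ties those promises to man page display. If that display is only reachable from interactive edit mode, pledge "stdio rpath wpath disklabel" when e_flag is not set and keep "proc exec" for the edit case, using two literal pledge() calls under an if so the promise strings stay grep-able. With the call now placed after getopt() and DISK_open(), option parsing and the device open run unpledged, which deserves a sentence in the commit message.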
--
Sebastien Marie
d->bpf);
> + if (vid->mmap_buffer[i] != NULL)
> + r = munmap(vid->mmap_buffer[i], vid->bpf);
> if (r == -1) {
> warn("munmap");
> return 0;
>
>
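Review bot: with the new `if (vid->mmap_buffer[i] != NULL)` guard, the following `if (r == -1)` still runs when munmap() was skipped, so it tests whatever r held from an earlier iteration or its initial value. Put the error check inside the guarded block, or reset r before the guard.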
--
Sebastien Marie
{
> int ch;
>
> - if (pledge("stdio rpath wpath disklabel", NULL) == -1)
> - err(1, "pledge");
> -
> while ((ch = getopt(argc, argv, "pynf")) != -1) {
> switch (ch) {
> case 'f':
>
>
--
Sebastien Marie
d) will only do write(2).
so in *all cases*, the process that processes untrusted data is
pledged. not only if you pass one argument.
--
Sebastien Marie
't need pledge. Is that right?
>
now, I am unsure whether I correctly understood your message :)
access(2) requires "rpath" too. But some paths could be whitelisted
(only "/etc/localtime" and "/var/run/ypbind.lock").
--
Sebastien Marie
and _XOpenFile will do access(2) and open(2) on filename, and
kernel will kill it due to pledge.
I am still unsure if adding "rpath" is the good way to deal with that.
But the problem you saw could be related to some X11 error that triggers
an access(2) or an open(2) for showing error message.
--
Sebastien Marie
uld be an open(2) call in some
X11R6 library.
One possibility is error code path: in xterm, the commit message for
justifying "rpath" is: for X11 error ("X Error of failed request: ...")
which reads at least /usr/X11R6/share/X11/XErrorDB.
Maybe we should identify correctly these open(2) calls in X11R6 libraries ?
--
Sebastien Marie
int, the program required
"rpath" promise but didn't pledge it (so it was killed).
But it could be good for us to know *why* it needs it :)
Could you provide a way to reproduce it ? It could be command-line used,
actions that have been done, or any other clues... a backtrace could
als
:
openssl(15019): syscall 97 "dns"
backtrace at https://gist.github.com/kAworu/dc30ead97d3b44b5cabb67b134362820
After testing, the following diff corrects the problem.
OK ?
--
Sebastien Marie
Index: ocsp.c
===
RCS file
cated
string on error
- set `flags' and `wl' to struct proc.
In order to avoid abuse by repeatedly calling pledge(NULL, BIGLIST) for
DoSing the kernel (1. doing parsing / 2. get error / 3. goto 1), I keep
a check at beginning of `paths' parsing, and commented it accordingly.
Com
On Sun, Apr 10, 2016 at 01:54:33PM +0200, Sebastien Marie wrote:
> Hi,
>
> The following diff removes an unneeded check on flags. It was used
> historically, when tame(2) promises were passed as bitflags, in order to
> avoid userland to be able to set flags normally ma
On Sun, Apr 10, 2016 at 03:09:44PM +0200, Sebastien Marie wrote:
> Hi,
>
> The following diff simplifies the check for allowing only promises
> reductions.
ping ?
> Please review it carefully: it implies several bitwise operations.
>
> I will try also to explain the diff
.
I am OK with it, but as I am not really competent in this area you
shouldn't take my OK as really authoritative :)
Thanks.
--
Sebastien Marie
On Wed, Apr 20, 2016 at 09:21:16AM +0100, Stuart Henderson wrote:
> This file changes twice a day if you're validating dnssec and
> it's pretty pointless to warn about in security(8).
>
> OK?
yes please.
OK semarie@
--
Sebastien Marie
Hi,
I noted that iked(8) default key (generated at boot time by rc(8) if it
doesn't exist yet) aren't present in changelist(5), whereas the same
keys for isakmpd(8) are.
Does adding /etc/iked/local.pub and /etc/iked/private/local.key to
changelist(5) make sense ?
--
Sebastien Mar
n OFF if the state is unknown.
Thanks for testing it.
--
Sebastien Marie
Index: sys/dev/acpi/acpitz.c
===
RCS file: /cvs/src/sys/dev/acpi/acpitz.c,v
retrieving revision 1.49
diff -u -p -r1.49 acpitz.c
--- sys/dev/acpi/acpitz.c
multicast group
- IPV6_LEAVE_GROUP : Leave a multicast group
- IP_MULTICAST_IF : same but for ipv4
- IP_ADD_MEMBERSHIP
- IP_DROP_MEMBERSHIP
Comments ?
--
Sebastien Marie
Index: lib/libc/sys/pledge.2
===
RCS file: /cvs/src/lib/
tls and sysctls
interfaces for routing will confirm the exactness of the description (or
provide a more precise description). I added in Cc people using "route"
promise (in dhclient, iked, bgpd, dhcpcd, route6d, rtadvd), which should
be competent for th
gt; -.Xr chflags 2 ,
> -.Xr chflagsat 2 ,
> .Xr chown 2 ,
> +.Xr fchown 2 ,
> .Xr fchownat 2 ,
> .Xr lchown 2 ,
> -.Xr fchown 2 ,
> .Xr utimes 2 .
> .It Va "flock"
> File locking via
> @@ -353,7 +369,9 @@ a few system calls become able to allow
> .Xr s
`ps_pledge' doesn't have.
(The diff was generated in a way it doesn't depend on previous one)
Comments ?
--
Sebastien Marie
Index: kern/kern_pledge.c
===
RCS file: /cvs/src/sys/kern/kern_pledge.c,v
retrieving revisi
string in controlled way. So userland can't set high bits
in flags.
Comments ? OK ?
--
Sebastien Marie
Index: kern/kern_pledge.c
===
RCS file: /cvs/src/sys/kern/kern_pledge.c,v
retrieving revision 1.162
diff -u -p -r
e of tsleep(9), it was a way proposed to me for resolving
the "atomic" view of pledge(2) from userland, with getblk() as example.
But as I am far to understand all internals in kernel, I have no problem
to look at another way to resolve this.
Thanks.
--
Sebastien Marie
continue is done using a new flag PLEDGE_BUSY,
which mark a thread of the current process is currently inside
sys_pledge().
This diff was done with the help of deraadt@ and guenther@.
Comments or OK ?
--
Sebastien Marie
Index: sys/kern/kern_pledge.c
On Wed, Apr 06, 2016 at 06:50:04AM +0200, Sebastien Marie wrote:
> On Tue, Apr 05, 2016 at 08:22:22PM +0200, frit...@alokat.org wrote:
> > Hi,
> >
> > cmd is a ptr.
> >
> > --f.
>
> I am OK with it (after a small change for fit 80 cols)
>
Committed. Thanks !
--
Sebastien Marie
nt == 0 && cmd == NULL && S_ISREG(st.st_mode)));
> + if ((cmd == NULL) && stats)
> logxfer(name, byte_count, start);
> (void) fclose(dout);
> data = -1;
> @@ -1214,7 +1214,7 @@
> if (pdata >= 0)
> (void) close(pdata);
> pdata = -1;
> - if (cmd == 0) {
> + if (cmd == NULL) {
> LOGBYTES("get", name, byte_count);
> fclose(fin);
> } else {
>
>
--
Sebastien Marie
On Sun, Apr 03, 2016 at 06:28:21PM +0200, Sebastien Marie wrote:
> > +
> > + if (pledge("stdio rpath getpw proc wpath cpath
> > inet ioctl sendfd recvfd",
> > + NULL) == -1) {
> > +
if (pledge("stdio proc dns inet sendfd",
> + NULL) == -1) {
> + fatalx("pledge");
> + }
>
> send_data(fd_slave, &slavequit,
> sizeof(slavequit));
>
>
--
Sebastien Marie
> if ((pw = getpwnam(FTPD_PRIVSEP_USER)) == NULL)
> @@ -193,6 +197,10 @@
>
> endpwent();
> close(fd_slave);
> +
> + if (pledge("stdio", NULL) == -1)
> + err(1, "pledge");
> +
I like this one :)
> return (1);
> }
>
Thanks !
--
Sebastien Marie
OMEM on failure.
> return (NULL);
> + }
> mem_allocated = 1;
> } else
> mem_allocated = 0;
>
>
>
--
Sebastien Marie
Hi,
The following diff corrects an evaluation order error and a memory leak
in error code path.
Comments or OK ?
--
Sebastien Marie
Index: sys/kern/kern_pledge.c
===
--- sys/kern/kern_pledge.c.orig 2016-03-15 08:54:33.500610285
ould be invalid whitelisting (bypassing), but the
operations after would *not* be altered and the program would not gain
any privileges (only information leaks as ENOENT wouldn't be returned as
it should).
Comments ? OK ?
--
Sebastien Marie
Index
t str_match *m)
> for (i = 0; i < m->sm_nmatch; i++)
> free(m->sm_match[i]);
> free(m->sm_match);
> + m->sm_match = NULL;
> m->sm_nmatch = 0;
> }
Committed, thanks !
--
Sebastien Marie
>
> > However, your patch looks good to me.
> >
> > natano
>
> I am sorry, you are right, it was not server_close_http being called twice.
> Instead, it was server_reset_http being called twice.
>
The patch makes sense to me also. I am OK with it.
An
'
call in each of them).
Additionally, the fact to ignore $PROFDIR stuff would be more complex:
userland has no way to know the running program is pledged or not.
--
Sebastien Marie
p the AS number for each hop address) uses DNS service to
resolve the AS number.
Ok or comments ?
--
Sebastien Marie
Index: traceroute.c
===
RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v
retrieving revision 1.144
dif
d *pp;
> static const char banner[] =
> "Enter root password, or ^D to go multi-user\n";
> - char *clear, *password;
> + char *clear;
> #endif
>
> /* Init shell and name */
>
> --
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
>
>
--
Sebastien Marie
|= BT_NOSYNC;
>
> - if (asprintf(&ns->data_path, "%s/%s_data.db", DATADIR, ns->suffix) < 0)
> + if (asprintf(&ns->data_path, "%s/%s_data.db", datadir, ns->suffix) < 0)
> return -1;
> log_info("opening namespace %s", ns->suffix);
> ns->data_db = btree_open(ns->data_path, db_flags | BT_REVERSEKEY, 0644);
> @@ -124,7 +125,7 @@
>
> btree_set_cache_size(ns->data_db, ns->cache_size);
>
> - if (asprintf(&ns->indx_path, "%s/%s_indx.db", DATADIR, ns->suffix) < 0)
> + if (asprintf(&ns->indx_path, "%s/%s_indx.db", datadir, ns->suffix) < 0)
> return -1;
> ns->indx_db = btree_open(ns->indx_path, db_flags, 0644);
> if (ns->indx_db == NULL)
>
>
--
Sebastien Marie
On Mon, Jan 18, 2016 at 06:05:31PM +0100, Alexandre Ratchov wrote:
> On Mon, Jan 18, 2016 at 01:35:46PM +0100, Sebastien Marie wrote:
> > On Mon, Jan 18, 2016 at 12:55:30PM +0100, Alexandre Ratchov wrote:
> >
> > I am unsure about returning 0 for something we know is wrong
_VNODE)
> + break;
> + if (vp->v_type == VCHR &&
> cdevsw[major(vp->v_rdev)].d_open == audioopen)
> + return (0);
> + if (vp->v_type == VBAD)
> return (0);
> }
> #endif /* NAUDIO > 0 */
>
>
--
Sebastien Marie
ath cpath getpw", NULL) == -1)
> + err(1, "pledge");
> + } else if (pflag == 0) {
> if (pledge("stdio rpath wpath cpath", NULL) == -1)
> err(1, "pledge");
> } else {
>
>
--
Sebastien Marie
ust switched to snprintf(3); not sure what's normally done
> in such situations.
>
When possible, we try to keep the `if conditions' and don't construct
pledge promises strings by hand. Else it would make pledge promises not
grep-able.
Could you confirm this diff resolve
re ignored.
It is already documented in "Some system calls have restrictions applied
to them" list.
I dunno if "special files" is the right expression for saying "FIFO file" and
"special file node" (if I take words from man pages of mkfifo(2) and
mknod(2)).
echo abcc
^ cursor here
in the same manner, it is just a "visual effect", as the line is really
"éecho abc" (tested with cut/paste: Ctrl+U Ctrl+Y)
Thanks
--
Sebastien Marie
make DEBUG=-g
$ cd /usr/src/usr.bin/ssh/ssh/obj && ./ssh -v ...
$ cd /usr/src/usr.bin/ssh/ssh/obj && gdb ./ssh ssh.core
(gdb) bt
...
- any other useful information :)
Thanks for testing.
Comments ?
--
Sebastien Marie
Index: clientloop.c
=
ent() call is below if (doall), so I think this is not needed.
>
> > err(1, "pledge");
> > }
> >
yes, you are right. matthieu@ said the same... my bad.
--
Sebastien Marie
Index: calendar.c
==
Hi,
Here is a patch that should correct a pledge kill in calendar.
calendar(1) uses getpwent, so it needs "getpw" for running in YP
environment.
OK ?
--
Sebastien Marie
Index: calendar.c
===
RCS file: /cvs/src/usr.bi
sockopt(struct proc *p, int set, int level, int optname);
> int pledge_socket(struct proc *p, int dns);
> -int pledge_ioctl(struct proc *p, long com, void *);
> +int pledge_ioctl(struct proc *p, long com, struct file *);
> int pledge_flock(struct proc *p);
> int pledge_fcntl(struct proc *p, int cmd);
> int pledge_swapctl(struct proc *p);
>
>
--
Sebastien Marie
ete report for pledge(2) issue, please refer to previous
mails in tech: http://marc.info/?l=openbsd-tech&m=144412493925465&w=2
(note: pledge(2) was tame(2) before).
Thanks.
--
Sebastien Marie
looks close to the one I got when I made that
> very mistake, so verify you ran config...)
Hey, you are right !
running config before rebuilding helps a lot: I see no more problem.
--
Sebastien Marie
me, I transcribe a small part of it, but I could provide all the
backtrace on demand:
wsdisplay at inteldrm0 not configured
panic: vga_common_setup: can't map vga i/o
Stopped at Debuffer+0x7: leave
The panic() call is in vga_init() at dev/ic/vga.c:482.
The dmesg of the machine with
t argc, char *argv[])
> }
> signal(SIGINT, die);
> setup();
> +
> + if (pledge("stdio tty", NULL) == -1)
> + err(1, "pledge");
> +
> for (;;) {
> Wordnum++;
>
, NULL) == -1)
> + err(1, "pledge");
> +
so you still need "tty" here.
Regards.
--
Sebastien Marie
start
script, and create a new-window (Ctrl+B "): tmux will send SIGWINCH
signal to the script process for telling it "beware, your window size
has changed". And the script process will (try to) send forward this
signal to subprocess.
Here a di
move in tame area for now.
It will add "abort" request to tame() in bgpd.
Next, allow bgpd to make coredump:
# mkdir -m 700 /var/crash/bgpd
# sysctl kern.nosuidcoredump=3
Run the program, and finally report your dmesg and gdb-backtrace.
I hope it helps.
--
Sebastien Marie
Index: u
Hi Remco,
On Mon, Oct 05, 2015 at 07:47:26PM +0200, Remco wrote:
> Sebastien Marie wrote:
>
> > Just a remark about "proc" request. It won't allow calling exec(2), but
> > only fork(2) (and some others, see the man page for details).
> >
> >
with TAME flags cleared: it could do
what he wants. so even if your process is tamed, it could potentially
permit all things. it is bad.
- if an exec'ed program starts with inherited TAME flags: the
initialisation of the program would be difficult as it would be
already tamed.
--
Sebastien Marie
> }
>
> while ((nrd = read(nfd, nbuf, sizeof(nbuf))) != -1 && nrd != 0)
> write(STDOUT_FILENO, nbuf, nrd);
> close (nfd);
>
> - exit (1);
> + return 1;
> }
>
--
Sebastien Marie
s another way is possible ?
Else, I am not completely sure about saying "systrace is disabled". It
isn't systrace(4) per se, but just the possibility to use systrace for
this specific program once the tame(2) was called.
--
Sebastien Marie
Index: lib/libc/sys/tame.2
=
Hi,
Mentions that using systrace(4) isn't possible when a program has called
tame(2).
Comments ? OK ?
--
Sebastien Marie
Index: lib/libc/sys/tame.2
===
RCS file: /cvs/src/lib/libc/sys/tame.2,v
retrieving revision 1.27
diff
On Sat, Sep 19, 2015 at 10:48:01AM -0700, Philip Guenther wrote:
> On Sat, Sep 19, 2015 at 10:29 AM, Sebastien Marie wrote:
> > On Sat, Sep 19, 2015 at 10:07:04AM -0700, Philip Guenther wrote:
> >> On Sat, Sep 19, 2015 at 9:50 AM, Sebastien Marie
> >> wrote:
>
On Sat, Sep 19, 2015 at 10:07:04AM -0700, Philip Guenther wrote:
> On Sat, Sep 19, 2015 at 9:50 AM, Sebastien Marie wrote:
> > While working on building llvm 3.7.0 on openbsd (-current amd64 and
> > i386), I encounter a problem when linking a shared library, while
> > -Wl,
before for unresolved symbols in
objects.
If the patch corrects my problem, I don't know enough ld(1) to be sure
it doesn't break something else.
Comments ? OK ?
--
Sebastien Marie
Index: elf-bfd.h
===
RCS file: /cvs/src
copy libkern code for explicit_bzero into libsa.
Comments ? OK ?
--
Sebastien Marie
Index: explicit_bzero.c
===
RCS file: /cvs/src/sys/lib/libsa/explicit_bzero.c,v
retrieving revision 1.1
diff -u -p -r1.1 explicit_bzero.c
_TM_SELF | _TM_MALLOC | _TM_DNSPATH
TAME_CMSG = _TM_SELF | _TM_RW | _TM_UNIX | TAME_CMSG
The following patch restore the behaviour, and make the regress too work
again.
Comments ? OK ?
--
Sebastien Marie
Index: kern_tame.c
===
RCS file:
On Tue, Sep 15, 2015 at 10:06:22PM +0200, Alexander Hall wrote:
> On 09/12/15 09:13, Sebastien Marie wrote:
> > First, some general remarks:
> >
> > - The debug feature (not documented) defeats the `-r' flag purpose.
>
> How do you mean it defeats it? The purpose
free(res);
> syslog(LOG_ERR, "%s: unexpected error with capability %s",
> lc->lc_class, cap);
> errno = ERANGE;
> @@ -359,12 +354,10 @@ login_getcapnum(login_cap_t *lc, char *c
>
> switch (stat = cgetstr(lc->lc_cap, cap, &res)) {
> case -1:
> - if (res)
> - free(res);
> + free(res);
> return (def);
> case -2:
> - if (res)
> - free(res);
> + free(res);
> syslog(LOG_ERR, "%s: getting capability %s: %m",
> lc->lc_class, cap);
> errno = ERANGE;
> @@ -372,8 +365,7 @@ login_getcapnum(login_cap_t *lc, char *c
> default:
> if (stat >= 0)
> break;
> - if (res)
> - free(res);
> + free(res);
> syslog(LOG_ERR, "%s: unexpected error with capability %s",
> lc->lc_class, cap);
> errno = ERANGE;
> @@ -417,12 +409,10 @@ login_getcapsize(login_cap_t *lc, char *
>
> switch (stat = cgetstr(lc->lc_cap, cap, &res)) {
> case -1:
> - if (res)
> - free(res);
> + free(res);
> return (def);
> case -2:
> - if (res)
> - free(res);
> + free(res);
> syslog(LOG_ERR, "%s: getting capability %s: %m",
> lc->lc_class, cap);
> errno = ERANGE;
> @@ -430,8 +420,7 @@ login_getcapsize(login_cap_t *lc, char *
> default:
> if (stat >= 0)
> break;
> - if (res)
> - free(res);
> + free(res);
> syslog(LOG_ERR, "%s: unexpected error with capability %s",
> lc->lc_class, cap);
> errno = ERANGE;
> @@ -467,12 +456,9 @@ void
> login_close(login_cap_t *lc)
> {
> if (lc) {
> - if (lc->lc_class)
> - free(lc->lc_class);
> - if (lc->lc_cap)
> - free(lc->lc_cap);
> - if (lc->lc_style)
> - free(lc->lc_style);
> + free(lc->lc_class);
> + free(lc->lc_cap);
> + free(lc->lc_style);
> free(lc);
> }
> }
>
--
Sebastien Marie
Hi,
Here is a first set of "if(x) free(x)" cleanup in sys/arch/
This patch contains only trivial if(x) removal. The size argument in
free is kept untouched (because it is already set, or because it
makes sense to keep it to 0).
Comments ? OK ?
--
Sebastien Marie
Index: b/sys/arch/a