Re: Permit reading kern.somaxconn with unix pledge

2021-03-25 Thread Aaron Bieber


Theo de Raadt writes:

> I have reviewed all the pledge using programs in the tree, and I do not
> see additional risk from this change.
>
> Who wants to take care of the commit?

I'll snag it!

>
> Josh Rickmar  wrote:
>
>> The kern.somaxconn sysctl was previously permitted under the inet
>> pledge, which allowed pledged Go applications to listen on AF_INET and
>> AF_INET6 domains.
>> 
>> https://marc.info/?l=openbsd-tech=158069595809463=2
>> https://marc.info/?l=openbsd-cvs=158081099810301=2
>> 
>> But Go will also read this sysctl when only using unix domain sockets.
>> The patch below additionally permits reading this sysctl if the unix
>> pledge is granted.
>> 
>> Note that for this to be tested and useful (where useful means not
>> running with the inet pledge), Go's net package also needs a patch:
>> https://gist.github.com/jrick/878236e2f3735d35d5a737936439cb81
>> 
>> diff b17f936e67043f9c006633bac4e3630f86dd05c2 /usr/src
>> blob - 9ffb7f2ffb9d05d6dd741e180b62141fb5e91f0b
>> file + sys/kern/kern_pledge.c
>> --- sys/kern/kern_pledge.c
>> +++ sys/kern/kern_pledge.c
>> @@ -888,7 +888,7 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, vo
>>  return (0);
>>  }
>>  
>> -if ((p->p_p->ps_pledge & PLEDGE_INET)) {
>> +if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) {
>>  if (miblen == 2 &&  /* kern.somaxconn */
>>  mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
>>  return (0);
>> 



Re: Permit reading kern.somaxconn with unix pledge

2021-03-25 Thread Theo de Raadt
I have reviewed all the pledge using programs in the tree, and I do not
see additional risk from this change.

Who wants to take care of the commit?

Josh Rickmar  wrote:

> The kern.somaxconn sysctl was previously permitted under the inet
> pledge, which allowed pledged Go applications to listen on AF_INET and
> AF_INET6 domains.
> 
> https://marc.info/?l=openbsd-tech=158069595809463=2
> https://marc.info/?l=openbsd-cvs=158081099810301=2
> 
> But Go will also read this sysctl when only using unix domain sockets.
> The patch below additionally permits reading this sysctl if the unix
> pledge is granted.
> 
> Note that for this to be tested and useful (where useful means not
> running with the inet pledge), Go's net package also needs a patch:
> https://gist.github.com/jrick/878236e2f3735d35d5a737936439cb81
> 
> diff b17f936e67043f9c006633bac4e3630f86dd05c2 /usr/src
> blob - 9ffb7f2ffb9d05d6dd741e180b62141fb5e91f0b
> file + sys/kern/kern_pledge.c
> --- sys/kern/kern_pledge.c
> +++ sys/kern/kern_pledge.c
> @@ -888,7 +888,7 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, vo
>   return (0);
>   }
>  
> - if ((p->p_p->ps_pledge & PLEDGE_INET)) {
> + if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) {
>   if (miblen == 2 &&  /* kern.somaxconn */
>   mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
>   return (0);
> 



Re: Permit reading kern.somaxconn with unix pledge

2021-03-25 Thread Josh Rickmar
On Mon, Feb 01, 2021 at 08:18:53PM +, Josh Rickmar wrote:
> The kern.somaxconn sysctl was previously permitted under the inet
> pledge, which allowed pledged Go applications to listen on AF_INET and
> AF_INET6 domains.
> 
> https://marc.info/?l=openbsd-tech=158069595809463=2
> https://marc.info/?l=openbsd-cvs=158081099810301=2
> 
> But Go will also read this sysctl when only using unix domain sockets.
> The patch below additionally permits reading this sysctl if the unix
> pledge is granted.
> 
> Note that for this to be tested and useful (where useful means not
> running with the inet pledge), Go's net package also needs a patch:
> https://gist.github.com/jrick/878236e2f3735d35d5a737936439cb81
> 
> diff b17f936e67043f9c006633bac4e3630f86dd05c2 /usr/src
> blob - 9ffb7f2ffb9d05d6dd741e180b62141fb5e91f0b
> file + sys/kern/kern_pledge.c
> --- sys/kern/kern_pledge.c
> +++ sys/kern/kern_pledge.c
> @@ -888,7 +888,7 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, vo
>   return (0);
>   }
>  
> - if ((p->p_p->ps_pledge & PLEDGE_INET)) {
> + if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) {
>   if (miblen == 2 &&  /* kern.somaxconn */
>   mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
>   return (0);

Ping.

The necessary Go patch just landed in their development branch, and
should appear in Go 1.17 at the very latest.



Permit reading kern.somaxconn with unix pledge

2021-02-01 Thread Josh Rickmar
The kern.somaxconn sysctl was previously permitted under the inet
pledge, which allowed pledged Go applications to listen on AF_INET and
AF_INET6 domains.

https://marc.info/?l=openbsd-tech=158069595809463=2
https://marc.info/?l=openbsd-cvs=158081099810301=2

But Go will also read this sysctl when only using unix domain sockets.
The patch below additionally permits reading this sysctl if the unix
pledge is granted.

Note that for this to be tested and useful (where useful means not
running with the inet pledge), Go's net package also needs a patch:
https://gist.github.com/jrick/878236e2f3735d35d5a737936439cb81

diff b17f936e67043f9c006633bac4e3630f86dd05c2 /usr/src
blob - 9ffb7f2ffb9d05d6dd741e180b62141fb5e91f0b
file + sys/kern/kern_pledge.c
--- sys/kern/kern_pledge.c
+++ sys/kern/kern_pledge.c
@@ -888,7 +888,7 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, vo
return (0);
}
 
-   if ((p->p_p->ps_pledge & PLEDGE_INET)) {
+   if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX))) {
if (miblen == 2 &&  /* kern.somaxconn */
mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
return (0);
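Review bot: the `+` line widens the outer condition to `PLEDGE_INET | PLEDGE_UNIX`, but the inner test (`miblen == 2 && mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN`) is unchanged, so a process holding only the unix promise gains read access to exactly this one mib; that scoping is worth a one-line comment above the `if`, because the code alone does not say why a unix-only program needs kern.somaxconn (the cover letter does: Go's net package reads it before listening on a unix socket). Minor style point on the same line: the doubled outer parentheses in `if ((p->p_p->ps_pledge & (PLEDGE_INET | PLEDGE_UNIX)))` are not needed, although they match the `-` line being replaced. The hunk ends at the `return (0)` for the matching mib, so the fall-through for every other mib under the unix promise is outside the visible context and should be confirmed unchanged in the surrounding function.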