CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]   2026/03/03 07:58:54

Modified files:
        sys/kern       : Tag: OPENBSD_7_8 kern_pledge.c 
        lib/libc/sys   : Tag: OPENBSD_7_8 pledge.2 

Log message:
pledge "tmppath" goes away because it sucks.  The history is kind of
sad:  unveil(2) was invented by Bob Beck and myself because a couple
of us struggled and couldn't expand the "tmppath" mechanism to general use.
unveil(2) ended up being kind of "upside down" different, and so we never
deleted "tmppath" because the refactorings seemed complicated.
However over the last two weeks, we've removed all the "tmppath" in base
pretty easily, and the 18 ports using it have also been fixed.
The majority of situations now use unveil "/tmp" "rwc", unveil "/" "r" or
similar, and then pledge "rpath wpath cpath", and this is generally needed
to satisfy the mkstemp(3) family of functions in libc.
Use of "tmppath" will now cause pledge(2) to return EINVAL.  There is
no backwards compatible way of mimicking the behaviour correctly using
kernel-internal unveil hackery.
Prompted by a report from David Leadbeater; and extensive conversations
with beck and semarie.
from deraadt@

Stop the canonicalization of the path in pledge_namei() callback since
we know it is providing strictly normalized paths, and it leads to a subtle
problem a little bit like a TOCTOU.  However, this pathcode can also be
reached by non-libc callers, so we need one validation step: the zoneinfo
sub-directory inspections may not attempt walks upwards through "..", we
don't need to consider symbolic links because root does not place them there.
from deraadt@; From discussions with david leadbeater, ok beck

In pledge_namei, improve the scanning for ".." in zoneinfo paths
from deraadt@; with millert

incorrectly nested break for latest zoneinfo check
from deraadt@; spotted by david leadbeater

Improve the discussion about "tmppath"
feedback from various people based upon my first attempts.
from deraadt@

this is errata/7.8/018_pledgepaths.patch.sig
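Added illustration, not code from this commit or from the OpenBSD tree: the unveil/pledge sequence the log describes as the replacement for "tmppath" (with "stdio" added to the promise list, an assumption since any real program needs it), plus a portable component walk that rejects ".." in a non-canonicalized zoneinfo sub-path, in the spirit of the check described above. The zoneinfo function name and its exact rules are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/*
 * Confine a process to /tmp for writes and the rest of the filesystem
 * read-only, as the log says most former "tmppath" users now do.
 * Returns 0 on success, -1 on failure.  unveil(2)/pledge(2) exist only
 * on OpenBSD, so elsewhere this is a stub that reports failure.
 */
int
restrict_to_tmp(void)
{
#ifdef __OpenBSD__
	if (unveil("/tmp", "rwc") == -1)	/* mkstemp(3) needs create+write */
		return -1;
	if (unveil("/", "r") == -1)		/* everything else read-only */
		return -1;
	if (unveil(NULL, NULL) == -1)		/* lock the unveil set */
		return -1;
	/* "stdio" is an assumption; "rpath wpath cpath" is what the log names. */
	if (pledge("stdio rpath wpath cpath", NULL) == -1)
		return -1;
	return 0;
#else
	return -1;				/* constructed stub: not OpenBSD */
#endif
}

/*
 * Hypothetical validator for a path that has NOT been canonicalized:
 * walk the '/'-separated components and refuse any that is exactly "..",
 * so a caller cannot climb out of the zoneinfo directory.  Empty
 * components ("a//b") and names that merely start with ".." are allowed.
 */
bool
zoneinfo_subpath_ok(const char *path)
{
	const char *p = path;

	while (*p != '\0') {
		const char *end = strchr(p, '/');
		size_t len = end ? (size_t)(end - p) : strlen(p);

		if (len == 2 && p[0] == '.' && p[1] == '.')
			return false;
		if (end == NULL)
			break;
		p = end + 1;
	}
	return true;
}
```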
