Theo de Raadt <deraadt <at> cvs.openbsd.org> writes:

> 

[replying via gmane, which apparently doesn't like text from the original 
email to be quoted so I had to severely strip out text from the original 
message, and also doesn't allow this bracketed message to be placed at the 
top of my message]

Hi,

I was just reading through this and it looks like there is a bug in one of 
your strncmp() calls in sys/kern/kern_tame.c:tame_namei() here:

   if (strncmp(path, "/var/yp/binding/", 14) == 0)
           return (0);

"/var/yp/binding/" is not 14 characters.

For what it's worth, I like this idea.  It certainly makes using this 
feature more accessible than seccomp-bpf in Linux, and hence more likely to 
be used.  I'm more of a Linux guy, but I've always appreciated OpenBSD's 
focus on security (thanks for strlcpy/strlcat btw :-).  It seems like your 
tame interface could be implemented as a header-only interface on top of 
Linux's seccomp-bpf.

Cheers,
-Brandon


> Index: sys/kern/kern_tame.c
> ===================================================================
> RCS file: sys/kern/kern_tame.c
> diff -N sys/kern/kern_tame.c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ sys/kern/kern_tame.c      18 Jul 2015 21:36:11 -0000
>  <at>  <at>  -0,0 +1,788  <at>  <at> 

<snip>

> +             if (p->p_p->ps_tame & _TM_GETPW) {
> +                     if (strcmp(path, "/var/run/ypbind.lock") == 0) {
> +                             p->p_tamenote |= TMN_YPLOCK;
> +                             p->p_tameafter = 1;
> +                             return (0);
> +                     }
> +                     if (strncmp(path, "/var/yp/binding/", 14) == 0)

Here, "/var/yp/binding/" is not 14 characters.

> +                             return (0);
> +             }
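
Review bot: The count passed to strncmp() in the "/var/yp/binding/" test under _TM_GETPW is 14, but that literal is 16 bytes long, so only "/var/yp/bindin" is compared and any path sharing those 14 bytes takes the same return (0) as the exact-match ypbind.lock case above it. Derive the count from the literal, for example strncmp(path, "/var/yp/binding/", sizeof("/var/yp/binding/") - 1), or keep the prefix in a named constant so the string and its length cannot drift apart.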

<snip>
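
As an added illustration (not code from the patch or from either poster), this C program runs the quoted 14-byte check next to one whose length is derived from the literal. The HAS_PREFIX macro, the function names and the sample paths are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Prefix test whose length comes from the literal itself, so the count
 * cannot drift from the string (sizeof includes the NUL, hence -1). */
#define HAS_PREFIX(s, lit) (strncmp((s), (lit), sizeof(lit) - 1) == 0)

/* The check as quoted from the patch: only the first 14 bytes,
 * "/var/yp/bindin", are compared. */
static int match_quoted(const char *path)
{
	return strncmp(path, "/var/yp/binding/", 14) == 0;
}

/* Same check with the full 16-byte prefix enforced. */
static int match_full(const char *path)
{
	return HAS_PREFIX(path, "/var/yp/binding/");
}

/* Count paths accepted by the quoted check but rejected by the full one. */
static int count_overmatches(const char *const *paths, size_t n)
{
	int extra = 0;
	for (size_t i = 0; i < n; i++)
		if (match_quoted(paths[i]) && !match_full(paths[i]))
			extra++;
	return extra;
}

/* Constructed sample paths, not taken from the patch. */
static const char *const sample_paths[] = {
	"/var/yp/binding/example.2",	/* inside the directory */
	"/var/yp/binding",		/* directory name, no trailing slash */
	"/var/yp/bindings/other",	/* sibling sharing the first 14 bytes */
	"/var/yp/bindin",		/* exactly the 14 compared bytes */
	"/var/yp/other",		/* unrelated */
};

int main(void)
{
	size_t n = sizeof(sample_paths) / sizeof(sample_paths[0]);
	for (size_t i = 0; i < n; i++)
		printf("%-28s quoted=%d full=%d\n", sample_paths[i],
		    match_quoted(sample_paths[i]), match_full(sample_paths[i]));
	printf("overmatches: %d\n", count_overmatches(sample_paths, n));
	return 0;
}
```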
