42 tame calls have been commited to 28 userland programs so far.
For instance gzip, md5, ping, traceroute, tcpdump, script, arp,
whois, ntpd, sshd...
Below is a tree of roughly a hundred more programs. Not all are
fully verified yet, but they being placed in snapshots.
Some of these I did myself, but others were contributed. I am trying
to focus on the programs which do either file or socket behaviour, but
not both. Or, on the programs which do their fd setup early.
I appreciate the feedback I've received so far.
Index: bin/dd/dd.c
===================================================================
RCS file: /cvs/src/bin/dd/dd.c,v
retrieving revision 1.21
diff -u -p -u -r1.21 dd.c
--- bin/dd/dd.c 16 Jan 2015 06:39:31 -0000 1.21
+++ bin/dd/dd.c 28 Sep 2015 20:15:11 -0000
@@ -149,6 +149,9 @@ setup(void)
if (out.offset)
pos_out();
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+
/*
* Truncate the output file; ignore errors because it fails on some
* kinds of output files, tapes, for example.
Index: bin/df/df.c
===================================================================
RCS file: /cvs/src/bin/df/df.c,v
retrieving revision 1.52
diff -u -p -u -r1.52 df.c
--- bin/df/df.c 16 Jan 2015 06:39:31 -0000 1.52
+++ bin/df/df.c 2 Oct 2015 00:19:01 -0000
@@ -79,6 +79,9 @@ main(int argc, char *argv[])
int width, maxwidth;
char *mntpt;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "hiklnPt:")) != -1)
switch (ch) {
case 'h':
Index: bin/expr/expr.c
===================================================================
RCS file: /cvs/src/bin/expr/expr.c,v
retrieving revision 1.20
diff -u -p -u -r1.20 expr.c
--- bin/expr/expr.c 11 Aug 2015 17:15:46 -0000 1.20
+++ bin/expr/expr.c 28 Sep 2015 20:15:11 -0000
@@ -12,6 +12,7 @@
#include <limits.h>
#include <locale.h>
#include <ctype.h>
+#include <unistd.h>
#include <regex.h>
#include <err.h>
@@ -499,6 +500,9 @@ main(int argc, char *argv[])
struct val *vp;
(void) setlocale(LC_ALL, "");
+
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
if (argc > 1 && !strcmp(argv[1], "--"))
argv++;
Index: bin/ls/ls.c
===================================================================
RCS file: /cvs/src/bin/ls/ls.c,v
retrieving revision 1.41
diff -u -p -u -r1.41 ls.c
--- bin/ls/ls.c 25 Jun 2015 02:04:07 -0000 1.41
+++ bin/ls/ls.c 28 Sep 2015 20:15:11 -0000
@@ -123,6 +123,9 @@ ls_main(int argc, char *argv[])
termwidth = width;
}
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
/* Root is -A automatically. */
if (!getuid())
f_listdot = 1;
Index: bin/mkdir/mkdir.c
===================================================================
RCS file: /cvs/src/bin/mkdir/mkdir.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 mkdir.c
--- bin/mkdir/mkdir.c 2 Apr 2013 20:26:17 -0000 1.25
+++ bin/mkdir/mkdir.c 3 Oct 2015 03:32:46 -0000
@@ -55,6 +55,9 @@ main(int argc, char *argv[])
setlocale(LC_ALL, "");
+ if (tame("stdio cpath rpath fattr", NULL) == -1)
+ err(1, "tame");
+
/*
* The default file mode is a=rwx (0777) with selected permissions
* removed in accordance with the file mode creation mask. For
Index: bin/pax/ar_io.c
===================================================================
RCS file: /cvs/src/bin/pax/ar_io.c,v
retrieving revision 1.50
diff -u -p -u -r1.50 ar_io.c
--- bin/pax/ar_io.c 22 Mar 2015 03:15:00 -0000 1.50
+++ bin/pax/ar_io.c 3 Oct 2015 23:42:07 -0000
@@ -75,6 +75,7 @@ static int wr_trail = 1; /* trailer was
static int can_unlnk = 0; /* do we unlink null archives? */
const char *arcname; /* printable name of archive */
const char *gzip_program; /* name of gzip program */
+const char *delayed_tame; /* tame request for after forking gzip_program */
static pid_t zpid = -1; /* pid of child process */
int force_one_volume; /* 1 if we ignore volume changes */
@@ -1276,4 +1277,6 @@ ar_start_gzip(int fd, const char *path,
err(1, "could not exec %s", path);
/* NOTREACHED */
}
+ if (delayed_tame != NULL && tame(delayed_tame, NULL) == -1)
+ err(1, "tame");
}
Index: bin/pax/extern.h
===================================================================
RCS file: /cvs/src/bin/pax/extern.h,v
retrieving revision 1.53
diff -u -p -u -r1.53 extern.h
--- bin/pax/extern.h 19 Mar 2015 05:14:24 -0000 1.53
+++ bin/pax/extern.h 3 Oct 2015 23:42:07 -0000
@@ -45,6 +45,7 @@
*/
extern const char *arcname;
extern const char *gzip_program;
+extern const char *delayed_tame;
extern int force_one_volume;
int ar_open(const char *);
void ar_close(int _in_sig);
Index: bin/pax/pax.c
===================================================================
RCS file: /cvs/src/bin/pax/pax.c,v
retrieving revision 1.41
diff -u -p -u -r1.41 pax.c
--- bin/pax/pax.c 9 Mar 2015 04:23:29 -0000 1.41
+++ bin/pax/pax.c 3 Oct 2015 23:42:07 -0000
@@ -257,6 +257,30 @@ main(int argc, char **argv)
return(exit_val);
/*
+ * pmode needs to restore setugid bits when extracting or copying,
+ * so can't tame at all then.
+ */
+ if (pmode == 0 || (act != EXTRACT && act != COPY)) {
+ /*
+ * If we need to fork/exec gzip_program, then delay the
+ * tame() call. (Copy mode ignores gzip_program)
+ */
+ if (gzip_program == NULL || act == COPY) {
+ if (tame("stdio getpw ioctl cpath wpath rpath fattr",
+ NULL) == -1)
+ err(1, "tame");
+ } else if (gzip_program != NULL) {
+ /*
+ * If nflag, then add "proc" to the above, for
+ * kill() of zpid
+ */
+ delayed_tame =
+ nflag? "stdio getpw ioctl cpath wpath rpath fattr"
+ : "proc stdio getpw ioctl cpath wpath rpath fattr";
+ }
+ }
+
+ /*
* select a primary operation mode
*/
switch (act) {
Index: bin/pwd/pwd.c
===================================================================
RCS file: /cvs/src/bin/pwd/pwd.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 pwd.c
--- bin/pwd/pwd.c 28 May 2014 06:55:58 -0000 1.12
+++ bin/pwd/pwd.c 28 Sep 2015 20:15:11 -0000
@@ -47,6 +47,9 @@ main(int argc, char *argv[])
int ch, lFlag = 0;
const char *p;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "LP")) != -1) {
switch (ch) {
case 'L':
Index: sbin/dmesg/dmesg.c
===================================================================
RCS file: /cvs/src/sbin/dmesg/dmesg.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 dmesg.c
--- sbin/dmesg/dmesg.c 16 Jan 2015 06:39:57 -0000 1.25
+++ sbin/dmesg/dmesg.c 3 Oct 2015 01:13:02 -0000
@@ -108,6 +108,9 @@ main(int argc, char *argv[])
if (sysctl(mib, 2, bufdata, &len, NULL, 0))
err(1, "sysctl: KERN_MSGBUF");
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+
memcpy(&cur, bufdata, sizeof(cur));
bufdata = ((struct msgbuf *)bufdata)->msg_bufc;
} else {
@@ -119,6 +122,9 @@ main(int argc, char *argv[])
if ((kd = kvm_open(nlistf, memf, NULL, O_RDONLY,
"dmesg")) == NULL)
return (1);
+
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
if (kvm_nlist(kd, nl) == -1)
errx(1, "kvm_nlist: %s", kvm_geterr(kd));
Index: usr.bin/arch/arch.c
===================================================================
RCS file: /cvs/src/usr.bin/arch/arch.c,v
retrieving revision 1.16
diff -u -p -u -r1.16 arch.c
--- usr.bin/arch/arch.c 25 Sep 2015 16:19:26 -0000 1.16
+++ usr.bin/arch/arch.c 28 Sep 2015 20:15:11 -0000
@@ -30,6 +30,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <err.h>
static void __dead usage(void);
@@ -43,6 +44,9 @@ main(int argc, char *argv[])
char *arch, *opts;
setlocale(LC_ALL, "");
+
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
machine = strcmp(__progname, "machine") == 0;
if (machine) {
Index: usr.bin/banner/banner.c
===================================================================
RCS file: /cvs/src/usr.bin/banner/banner.c,v
retrieving revision 1.9
diff -u -p -u -r1.9 banner.c
--- usr.bin/banner/banner.c 27 Oct 2009 23:59:35 -0000 1.9
+++ usr.bin/banner/banner.c 28 Sep 2015 20:15:11 -0000
@@ -53,6 +53,7 @@
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
+#include <err.h>
#include "banner.h"
@@ -152,6 +153,8 @@ main(int argc, char *argv[])
{
char word[10+1]; /* strings limited to 10 chars
*/
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
while (*++argv) {
(void)strlcpy(word, *argv, sizeof (word));
scan_out(1, word, '\0');
Index: usr.bin/cal/cal.c
===================================================================
RCS file: /cvs/src/usr.bin/cal/cal.c,v
retrieving revision 1.28
diff -u -p -u -r1.28 cal.c
--- usr.bin/cal/cal.c 17 Mar 2015 19:31:30 -0000 1.28
+++ usr.bin/cal/cal.c 28 Sep 2015 20:15:11 -0000
@@ -150,6 +150,9 @@ main(int argc, char *argv[])
int ch, month, year, yflag;
const char *errstr;
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+
yflag = year = 0;
while ((ch = getopt(argc, argv, "jmwy")) != -1)
switch(ch) {
Index: usr.bin/col/col.c
===================================================================
RCS file: /cvs/src/usr.bin/col/col.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 col.c
--- usr.bin/col/col.c 9 May 2015 20:36:18 -0000 1.17
+++ usr.bin/col/col.c 28 Sep 2015 20:15:11 -0000
@@ -113,6 +113,9 @@ main(int argc, char *argv[])
int adjust, opt, warned;
const char *errstr;
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+
max_bufd_lines = 256;
compress_spaces = 1; /* compress spaces into tabs */
while ((opt = getopt(argc, argv, "bfhl:x")) != -1)
Index: usr.bin/colrm/colrm.c
===================================================================
RCS file: /cvs/src/usr.bin/colrm/colrm.c,v
retrieving revision 1.9
diff -u -p -u -r1.9 colrm.c
--- usr.bin/colrm/colrm.c 27 Oct 2009 23:59:36 -0000 1.9
+++ usr.bin/colrm/colrm.c 28 Sep 2015 20:15:11 -0000
@@ -52,6 +52,9 @@ main(int argc, char *argv[])
int ch;
char *p;
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "")) != -1)
switch(ch) {
case '?':
Index: usr.bin/column/column.c
===================================================================
RCS file: /cvs/src/usr.bin/column/column.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 column.c
--- usr.bin/column/column.c 22 May 2014 19:50:34 -0000 1.19
+++ usr.bin/column/column.c 4 Oct 2015 05:00:55 -0000
@@ -76,6 +76,9 @@ main(int argc, char *argv[])
} else
termwidth = win.ws_col;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
tflag = xflag = 0;
while ((ch = getopt(argc, argv, "c:s:tx")) != -1)
switch(ch) {
@@ -100,16 +103,21 @@ main(int argc, char *argv[])
argc -= optind;
argv += optind;
- if (!*argv)
+ if (!*argv) {
input(stdin);
- else for (; *argv; ++argv)
- if ((fp = fopen(*argv, "r"))) {
- input(fp);
- (void)fclose(fp);
- } else {
- warn("%s", *argv);
- eval = 1;
+ } else {
+ for (; *argv; ++argv) {
+ if ((fp = fopen(*argv, "r"))) {
+ input(fp);
+ (void)fclose(fp);
+ } else {
+ warn("%s", *argv);
+ eval = 1;
+ }
}
+ }
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
if (!entries)
exit(eval);
Index: usr.bin/comm/comm.c
===================================================================
RCS file: /cvs/src/usr.bin/comm/comm.c,v
retrieving revision 1.8
diff -u -p -u -r1.8 comm.c
--- usr.bin/comm/comm.c 27 Oct 2009 23:59:37 -0000 1.8
+++ usr.bin/comm/comm.c 28 Sep 2015 20:15:11 -0000
@@ -61,6 +61,9 @@ main(int argc, char *argv[])
setlocale(LC_ALL, "");
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
flag1 = flag2 = flag3 = 1;
compare = strcoll;
while ((ch = getopt(argc, argv, "123f")) != -1)
Index: usr.bin/csplit/csplit.c
===================================================================
RCS file: /cvs/src/usr.bin/csplit/csplit.c,v
retrieving revision 1.5
diff -u -p -u -r1.5 csplit.c
--- usr.bin/csplit/csplit.c 20 May 2014 01:25:23 -0000 1.5
+++ usr.bin/csplit/csplit.c 4 Oct 2015 05:00:49 -0000
@@ -103,6 +103,9 @@ main(int argc, char *argv[])
setlocale(LC_ALL, "");
+ if (tame("stdio rpath wpath cpath", NULL) == -1)
+ err(1, "tame");
+
kflag = sflag = 0;
prefix = "xx";
sufflen = 2;
@@ -140,6 +143,8 @@ main(int argc, char *argv[])
if (strcmp(infn, "-") == 0) {
infile = stdin;
infn = "stdin";
+ if (tame("stdio wpath cpath", NULL) == -1)
+ err(1, "tame");
} else if ((infile = fopen(infn, "r")) == NULL)
err(1, "%s", infn);
Index: usr.bin/cut/cut.c
===================================================================
RCS file: /cvs/src/usr.bin/cut/cut.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 cut.c
--- usr.bin/cut/cut.c 18 Aug 2015 17:10:48 -0000 1.19
+++ usr.bin/cut/cut.c 28 Sep 2015 20:15:11 -0000
@@ -63,6 +63,9 @@ main(int argc, char *argv[])
setlocale (LC_ALL, "");
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
dchar = '\t'; /* default delimiter is \t */
/* Since we don't support multi-byte characters, the -c and -b
Index: usr.bin/deroff/deroff.c
===================================================================
RCS file: /cvs/src/usr.bin/deroff/deroff.c,v
retrieving revision 1.11
diff -u -p -u -r1.11 deroff.c
--- usr.bin/deroff/deroff.c 9 Feb 2015 11:39:17 -0000 1.11
+++ usr.bin/deroff/deroff.c 4 Oct 2015 05:00:40 -0000
@@ -260,6 +260,9 @@ main(int ac, char **av)
int errflg = 0;
int kflag = NO;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
iflag = NO;
wordflag = NO;
msflag = NO;
@@ -331,6 +334,8 @@ main(int ac, char **av)
#endif /* DEBUG */
if (argc == 0) {
infile = stdin;
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
} else {
infile = opn(argv[0]);
--argc;
Index: usr.bin/diff/diff.c
===================================================================
RCS file: /cvs/src/usr.bin/diff/diff.c,v
retrieving revision 1.59
diff -u -p -u -r1.59 diff.c
--- usr.bin/diff/diff.c 29 Apr 2015 04:00:25 -0000 1.59
+++ usr.bin/diff/diff.c 28 Sep 2015 20:15:11 -0000
@@ -217,6 +217,10 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
+ if (lflag == 0) {
+ if (tame("stdio wpath rpath tmppath", NULL) == -1)
+ err(1, "tame");
+ }
/*
* Do sanity checks, fill in stb1 and stb2 and call the appropriate
* driver routine. Both drivers use the contents of stb1 and stb2.
Index: usr.bin/diff3/diff3prog.c
===================================================================
RCS file: /cvs/src/usr.bin/diff3/diff3prog.c,v
retrieving revision 1.15
diff -u -p -u -r1.15 diff3prog.c
--- usr.bin/diff3/diff3prog.c 5 Sep 2015 09:47:08 -0000 1.15
+++ usr.bin/diff3/diff3prog.c 28 Sep 2015 20:15:11 -0000
@@ -145,6 +145,9 @@ main(int argc, char **argv)
{
int ch, i, m, n;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
eflag = 0;
oflag = 0;
while ((ch = getopt(argc, argv, "EeXx3")) != -1) {
Index: usr.bin/dirname/dirname.c
===================================================================
RCS file: /cvs/src/usr.bin/dirname/dirname.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 dirname.c
--- usr.bin/dirname/dirname.c 10 Aug 2010 22:05:36 -0000 1.13
+++ usr.bin/dirname/dirname.c 28 Sep 2015 20:15:11 -0000
@@ -33,6 +33,9 @@ main(int argc, char *argv[])
setlocale(LC_ALL, "");
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "")) != -1) {
switch (ch) {
default:
Index: usr.bin/expand/expand.c
===================================================================
RCS file: /cvs/src/usr.bin/expand/expand.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 expand.c
--- usr.bin/expand/expand.c 26 Nov 2013 13:18:55 -0000 1.12
+++ usr.bin/expand/expand.c 28 Sep 2015 20:15:11 -0000
@@ -51,6 +51,9 @@ main(int argc, char *argv[])
int c, column;
int n;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
/* handle obsolete syntax */
while (argc > 1 && argv[1][0] == '-' &&
isdigit((unsigned char)argv[1][1])) {
Index: usr.bin/fgen/fgen.l
===================================================================
RCS file: /cvs/src/usr.bin/fgen/fgen.l,v
retrieving revision 1.10
diff -u -p -u -r1.10 fgen.l
--- usr.bin/fgen/fgen.l 30 Dec 2013 21:52:21 -0000 1.10
+++ usr.bin/fgen/fgen.l 28 Sep 2015 20:15:11 -0000
@@ -960,6 +960,9 @@ main(argc, argv)
char *hdrtype = "version1";
int i;
+ if (tame("stdio rpath wpath cpath", NULL) == -1)
+ err(1, "tame");
+
outf = 1; /* stdout */
myname = argv[0];
Index: usr.bin/file/Makefile
===================================================================
RCS file: /cvs/src/usr.bin/file/Makefile,v
retrieving revision 1.15
diff -u -p -u -r1.15 Makefile
--- usr.bin/file/Makefile 27 Apr 2015 13:52:17 -0000 1.15
+++ usr.bin/file/Makefile 28 Sep 2015 20:15:11 -0000
@@ -1,7 +1,7 @@
# $OpenBSD: Makefile,v 1.15 2015/04/27 13:52:17 nicm Exp $
PROG= file
-SRCS= file.c magic-dump.c magic-load.c magic-test.c magic-common.c sandbox.c
\
+SRCS= file.c magic-dump.c magic-load.c magic-test.c magic-common.c \
text.c xmalloc.c
MAN= file.1 magic.5
Index: usr.bin/file/file.c
===================================================================
RCS file: /cvs/src/usr.bin/file/file.c,v
retrieving revision 1.48
diff -u -p -u -r1.48 file.c
--- usr.bin/file/file.c 2 Oct 2015 18:06:27 -0000 1.48
+++ usr.bin/file/file.c 2 Oct 2015 18:10:55 -0000
@@ -116,7 +116,7 @@ usage(void)
int
main(int argc, char **argv)
{
- int opt, pair[2], fd, idx;
+ int opt, pair[2], fd, idx, mode;
char *home;
struct passwd *pw;
struct imsgbuf ibuf;
@@ -192,8 +192,10 @@ main(int argc, char **argv)
parent = getpid();
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pair) != 0)
err(1, "socketpair");
- pid = sandbox_fork(FILE_USER);
- if (pid == 0) {
+ switch (pid = fork()) {
+ case -1:
+ err(1, "fork");
+ case 0:
close(pair[0]);
child(pair[1], parent, argc, argv);
}
@@ -220,10 +222,21 @@ main(int argc, char **argv)
fd = -1;
msg.error = errno;
} else {
- fd = open(argv[idx], O_RDONLY|O_NONBLOCK);
- if (fd == -1 && (errno == ENFILE || errno == EMFILE))
- err(1, "open");
- if (S_ISLNK(msg.sb.st_mode))
+ /*
+ * tame(2) doesn't let us pass directory file
+ * descriptors around but we don't need them, so don't
+ * open directories or symlinks (which could be to
+ * directories).
+ */
+ mode = msg.sb.st_mode;
+ if (!S_ISDIR(mode) && !S_ISLNK(mode)) {
+ fd = open(argv[idx], O_RDONLY|O_NONBLOCK);
+ if (fd == -1 &&
+ (errno == ENFILE || errno == EMFILE))
+ err(1, "open");
+ } else
+ fd = -1;
+ if (S_ISLNK(mode))
read_link(&msg, argv[idx]);
}
send_message(&ibuf, &msg, sizeof msg, fd);
@@ -328,6 +341,7 @@ read_link(struct input_msg *msg, const c
static __dead void
child(int fd, pid_t parent, int argc, char **argv)
{
+ struct passwd *pw;
struct magic *m;
struct imsgbuf ibuf;
struct imsg imsg;
@@ -336,6 +350,24 @@ child(int fd, pid_t parent, int argc, ch
struct input_file inf;
int i, idx;
size_t len, width = 0;
+
+ if (tame("stdio cmsg getpw proc", NULL) == -1)
+ err(1, "tame");
+
+ if (geteuid() == 0) {
+ pw = getpwnam(FILE_USER);
+ if (pw == NULL)
+ errx(1, "unknown user %s", FILE_USER);
+ if (setgroups(1, &pw->pw_gid) != 0)
+ err(1, "setgroups");
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0)
+ err(1, "setresgid");
+ if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
+ err(1, "setresuid");
+ }
+
+ if (tame("stdio cmsg", NULL) == -1)
+ err(1, "tame");
m = magic_load(magicfp, magicpath, cflag || Wflag);
if (cflag) {
Index: usr.bin/file/sandbox.c
===================================================================
RCS file: /cvs/src/usr.bin/file/sandbox.c,v
retrieving revision 1.9
diff -u -p -u -r1.9 sandbox.c
--- usr.bin/file/sandbox.c 23 Aug 2015 18:31:41 -0000 1.9
+++ usr.bin/file/sandbox.c 28 Sep 2015 20:15:11 -0000
@@ -1,158 +0,0 @@
-/* $OpenBSD: sandbox.c,v 1.9 2015/08/23 18:31:41 guenther Exp $ */
-
-/*
- * Copyright (c) 2015 Nicholas Marriott <[email protected]>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
- * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#include <sys/syscall.h>
-#include <sys/wait.h>
-
-#include <dev/systrace.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <pwd.h>
-#include <signal.h>
-#include <unistd.h>
-
-#include "file.h"
-#include "magic.h"
-#include "xmalloc.h"
-
-static const struct
-{
- int syscallnum;
- int action;
-} allowed_syscalls[] = {
- { SYS_open, SYSTR_POLICY_NEVER }, /* for strerror */
-
- { SYS_close, SYSTR_POLICY_PERMIT },
- { SYS_exit, SYSTR_POLICY_PERMIT },
- { SYS_fcntl, SYSTR_POLICY_PERMIT },
- { SYS_fstat, SYSTR_POLICY_PERMIT },
- { SYS_getdtablecount, SYSTR_POLICY_PERMIT },
- { SYS_getentropy, SYSTR_POLICY_PERMIT },
- { SYS_getpid, SYSTR_POLICY_PERMIT },
- { SYS_getrlimit, SYSTR_POLICY_PERMIT },
- { SYS_issetugid, SYSTR_POLICY_PERMIT },
- { SYS_kbind, SYSTR_POLICY_PERMIT },
- { SYS_madvise, SYSTR_POLICY_PERMIT },
- { SYS_mmap, SYSTR_POLICY_PERMIT },
- { SYS_mprotect, SYSTR_POLICY_PERMIT },
- { SYS_mquery, SYSTR_POLICY_PERMIT },
- { SYS_munmap, SYSTR_POLICY_PERMIT },
- { SYS_read, SYSTR_POLICY_PERMIT },
- { SYS_recvmsg, SYSTR_POLICY_PERMIT },
- { SYS_sendmsg, SYSTR_POLICY_PERMIT },
- { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
- { SYS_write, SYSTR_POLICY_PERMIT },
-
- { -1, -1 }
-};
-
-static int
-sandbox_find(int syscallnum)
-{
- int i;
-
- for (i = 0; allowed_syscalls[i].syscallnum != -1; i++) {
- if (allowed_syscalls[i].syscallnum == syscallnum)
- return (allowed_syscalls[i].action);
- }
- return (SYSTR_POLICY_KILL);
-}
-
-static int
-sandbox_child(const char *user)
-{
- struct passwd *pw;
-
- if (geteuid() == 0) {
- pw = getpwnam(user);
- if (pw == NULL)
- errx(1, "unknown user %s", user);
- if (setgroups(1, &pw->pw_gid) != 0)
- err(1, "setgroups");
- if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0)
- err(1, "setresgid");
- if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
- err(1, "setresuid");
- }
-
- if (kill(getpid(), SIGSTOP) != 0)
- err(1, "kill(SIGSTOP)");
- return (0);
-}
-
-int
-sandbox_fork(const char *user)
-{
- pid_t pid;
- int status, devfd, fd, i;
- struct systrace_policy policy;
-
- switch (pid = fork()) {
- case -1:
- err(1, "fork");
- case 0:
- return (sandbox_child(user));
- }
-
- /*
- * Wait for the child to stop itself with SIGSTOP before assigning the
- * policy, before that it might still be calling syscalls the policy
- * would block.
- */
- do {
- pid = waitpid(pid, &status, WUNTRACED);
- } while (pid == -1 && errno == EINTR);
- if (!WIFSTOPPED(status))
- errx(1, "child not stopped");
-
- devfd = open("/dev/systrace", O_RDONLY);
- if (devfd == -1)
- err(1, "open(\"/dev/systrace\")");
- if (ioctl(devfd, STRIOCCLONE, &fd) == -1)
- err(1, "ioctl(STRIOCCLONE)");
- close(devfd);
-
- if (ioctl(fd, STRIOCATTACH, &pid) == -1)
- goto out;
-
- memset(&policy, 0, sizeof policy);
- policy.strp_op = SYSTR_POLICY_NEW;
- policy.strp_maxents = SYS_MAXSYSCALL;
- if (ioctl(fd, STRIOCPOLICY, &policy) == -1)
- err(1, "ioctl(STRIOCPOLICY/NEW)");
- policy.strp_op = SYSTR_POLICY_ASSIGN;
- policy.strp_pid = pid;
- if (ioctl(fd, STRIOCPOLICY, &policy) == -1)
- err(1, "ioctl(STRIOCPOLICY/ASSIGN)");
-
- for (i = 0; i < SYS_MAXSYSCALL; i++) {
- policy.strp_op = SYSTR_POLICY_MODIFY;
- policy.strp_code = i;
- policy.strp_policy = sandbox_find(i);
- if (ioctl(fd, STRIOCPOLICY, &policy) == -1)
- err(1, "ioctl(STRIOCPOLICY/MODIFY)");
- }
-
-out:
- if (kill(pid, SIGCONT) != 0)
- err(1, "kill(SIGCONT)");
- return (pid);
-}
Index: usr.bin/fmt/fmt.c
===================================================================
RCS file: /cvs/src/usr.bin/fmt/fmt.c,v
retrieving revision 1.30
diff -u -p -u -r1.30 fmt.c
--- usr.bin/fmt/fmt.c 26 Nov 2013 13:18:55 -0000 1.30
+++ usr.bin/fmt/fmt.c 4 Oct 2015 05:00:34 -0000
@@ -255,6 +255,9 @@ main(int argc, char *argv[])
(void)setlocale(LC_CTYPE, "");
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
/* 1. Grok parameters. */
while ((ch = getopt(argc, argv, "0123456789cd:hl:mnpst:w:")) != -1) {
switch (ch) {
@@ -337,6 +340,8 @@ main(int argc, char *argv[])
while (argc-- > 0)
process_named_file(*argv++);
} else {
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
process_stream(stdin, "standard input");
}
Index: usr.bin/fold/fold.c
===================================================================
RCS file: /cvs/src/usr.bin/fold/fold.c,v
retrieving revision 1.15
diff -u -p -u -r1.15 fold.c
--- usr.bin/fold/fold.c 6 Feb 2015 09:10:55 -0000 1.15
+++ usr.bin/fold/fold.c 4 Oct 2015 05:00:27 -0000
@@ -56,6 +56,9 @@ main(int argc, char *argv[])
unsigned int width;
const char *errstr;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
width = 0;
lastch = '\0';
prevoptind = 1;
@@ -99,14 +102,19 @@ main(int argc, char *argv[])
if (width == 0)
width = DEFLINEWIDTH;
- if (!*argv)
+ if (!*argv) {
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
fold(width);
- else for (; *argv; ++argv)
- if (!freopen(*argv, "r", stdin)) {
- err(1, "%s", *argv);
- /* NOTREACHED */
- } else
- fold(width);
+ } else {
+ for (; *argv; ++argv) {
+ if (!freopen(*argv, "r", stdin))
+ err(1, "%s", *argv);
+ /* NOTREACHED */
+ else
+ fold(width);
+ }
+ }
exit(0);
}
Index: usr.bin/from/from.c
===================================================================
RCS file: /cvs/src/usr.bin/from/from.c,v
retrieving revision 1.20
diff -u -p -u -r1.20 from.c
--- usr.bin/from/from.c 3 Jun 2015 18:08:54 -0000 1.20
+++ usr.bin/from/from.c 4 Oct 2015 05:00:21 -0000
@@ -80,6 +80,8 @@ main(int argc, char *argv[])
exit(EXIT_SUCCESS);
err(1, "%s", file);
}
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
for (newline = 1; (linelen = getline(&line, &linesize, fp)) != -1;) {
if (*line == '\n') {
newline = 1;
@@ -98,6 +100,9 @@ char *
mail_spool(char *file, const char *user)
{
struct passwd *pwd;
+
+ if (tame("stdio rpath getpw", NULL) == -1)
+ err(1, "tame");
/*
* We find the mailbox by:
Index: usr.bin/getopt/getopt.c
===================================================================
RCS file: /cvs/src/usr.bin/getopt/getopt.c,v
retrieving revision 1.8
diff -u -p -u -r1.8 getopt.c
--- usr.bin/getopt/getopt.c 27 Oct 2009 23:59:38 -0000 1.8
+++ usr.bin/getopt/getopt.c 28 Sep 2015 20:15:11 -0000
@@ -8,6 +8,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
+#include <err.h>
int
main(int argc, char *argv[])
@@ -16,6 +17,9 @@ main(int argc, char *argv[])
extern char *optarg;
int c;
int status = 0;
+
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
optind = 2; /* Past the program name and the option letters. */
while ((c = getopt(argc, argv, argv[1])) != -1)
Index: usr.bin/head/head.c
===================================================================
RCS file: /cvs/src/usr.bin/head/head.c,v
retrieving revision 1.18
diff -u -p -u -r1.18 head.c
--- usr.bin/head/head.c 8 Oct 2014 08:31:53 -0000 1.18
+++ usr.bin/head/head.c 4 Oct 2015 05:00:14 -0000
@@ -55,6 +55,9 @@ main(int argc, char *argv[])
char *p = NULL;
int status = 0;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
/* handle obsolete -number syntax */
if (argc > 1 && argv[1][0] == '-' &&
isdigit((unsigned char)argv[1][1])) {
@@ -87,6 +90,8 @@ main(int argc, char *argv[])
if (!firsttime)
exit(status);
fp = stdin;
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
} else {
if ((fp = fopen(*argv, "r")) == NULL) {
warn("%s", *argv++);
Index: usr.bin/hexdump/hexdump.c
===================================================================
RCS file: /cvs/src/usr.bin/hexdump/hexdump.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 hexdump.c
--- usr.bin/hexdump/hexdump.c 16 Jan 2015 06:40:08 -0000 1.17
+++ usr.bin/hexdump/hexdump.c 28 Sep 2015 20:15:11 -0000
@@ -33,6 +33,7 @@
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
+#include <unistd.h>
#include <string.h>
#include "hexdump.h"
@@ -52,6 +53,9 @@ main(int argc, char *argv[])
{
FS *tfs;
char *p;
+
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
if (!(p = strrchr(argv[0], 'o')) || strcmp(p, "od"))
newsyntax(argc, &argv);
Index: usr.bin/id/id.c
===================================================================
RCS file: /cvs/src/usr.bin/id/id.c,v
retrieving revision 1.23
diff -u -p -u -r1.23 id.c
--- usr.bin/id/id.c 19 May 2015 16:03:19 -0000 1.23
+++ usr.bin/id/id.c 28 Sep 2015 20:15:11 -0000
@@ -105,6 +105,9 @@ main(int argc, char *argv[])
argc -= optind;
argv += optind;
+ if (tame("stdio getpw", NULL) == -1)
+ err(1, "tame");
+
switch (cflag + Gflag + gflag + pflag + uflag) {
case 1:
break;
Index: usr.bin/indent/indent.c
===================================================================
RCS file: /cvs/src/usr.bin/indent/indent.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 indent.c
--- usr.bin/indent/indent.c 20 Aug 2015 22:32:41 -0000 1.27
+++ usr.bin/indent/indent.c 28 Sep 2015 20:15:11 -0000
@@ -78,6 +78,8 @@ main(int argc, char **argv)
int last_else = 0; /* true iff last keyword was an else */
+ if (tame("stdio rpath wpath cpath tmppath", NULL) == -1)
+ err(1, "tame");
/*-----------------------------------------------*\
| INITIALIZATION |
Index: usr.bin/infocmp/infocmp.c
===================================================================
RCS file: /cvs/src/usr.bin/infocmp/infocmp.c,v
retrieving revision 1.20
diff -u -p -u -r1.20 infocmp.c
--- usr.bin/infocmp/infocmp.c 12 Jan 2010 23:22:13 -0000 1.20
+++ usr.bin/infocmp/infocmp.c 28 Sep 2015 20:15:11 -0000
@@ -1282,6 +1282,9 @@ main(int argc, char *argv[])
bool init_analyze = FALSE;
bool suppress_untranslatable = FALSE;
+ if (tame("stdio rpath", NULL) == -1)
+ perror("tame");
+
/* where is the terminfo database location going to default to? */
restdir = firstdir = 0;
Index: usr.bin/join/join.c
===================================================================
RCS file: /cvs/src/usr.bin/join/join.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 join.c
--- usr.bin/join/join.c 21 Jul 2015 04:42:59 -0000 1.25
+++ usr.bin/join/join.c 28 Sep 2015 20:15:11 -0000
@@ -104,6 +104,9 @@ main(int argc, char *argv[])
int aflag, ch, cval, vflag;
char *end;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
F1 = &input1;
F2 = &input2;
Index: usr.bin/jot/jot.c
===================================================================
RCS file: /cvs/src/usr.bin/jot/jot.c,v
retrieving revision 1.24
diff -u -p -u -r1.24 jot.c
--- usr.bin/jot/jot.c 21 Jul 2015 04:04:06 -0000 1.24
+++ usr.bin/jot/jot.c 28 Sep 2015 20:15:11 -0000
@@ -84,6 +84,9 @@ main(int argc, char *argv[])
int ch;
const char *errstr;
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "rb:w:cs:np:")) != -1)
switch (ch) {
case 'r':
Index: usr.bin/lam/lam.c
===================================================================
RCS file: /cvs/src/usr.bin/lam/lam.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 lam.c
--- usr.bin/lam/lam.c 16 Jan 2015 06:40:09 -0000 1.17
+++ usr.bin/lam/lam.c 28 Sep 2015 20:15:11 -0000
@@ -71,6 +71,9 @@ main(int argc, char *argv[])
{
int i;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
/* Process arguments, set numfiles to file argument count. */
getargs(argc, argv);
if (numfiles == 0)
Index: usr.bin/lastcomm/lastcomm.c
===================================================================
RCS file: /cvs/src/usr.bin/lastcomm/lastcomm.c,v
retrieving revision 1.21
diff -u -p -u -r1.21 lastcomm.c
--- usr.bin/lastcomm/lastcomm.c 15 Mar 2015 00:41:28 -0000 1.21
+++ usr.bin/lastcomm/lastcomm.c 28 Sep 2015 20:15:11 -0000
@@ -69,6 +69,9 @@ main(int argc, char *argv[])
int ch;
char *acctfile;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
acctfile = _PATH_ACCT;
while ((ch = getopt(argc, argv, "f:")) != -1)
switch(ch) {
Index: usr.bin/logger/logger.c
===================================================================
RCS file: /cvs/src/usr.bin/logger/logger.c,v
retrieving revision 1.14
diff -u -p -u -r1.14 logger.c
--- usr.bin/logger/logger.c 18 Apr 2015 18:28:37 -0000 1.14
+++ usr.bin/logger/logger.c 28 Sep 2015 20:15:11 -0000
@@ -37,6 +37,7 @@
#include <stdio.h>
#include <ctype.h>
#include <string.h>
+#include <err.h>
#define SYSLOG_NAMES
#include <syslog.h>
@@ -91,6 +92,9 @@ main(int argc, char *argv[])
/* setup for logging */
openlog(tag ? tag : getlogin(), logflags, 0);
(void) fclose(stdout);
+
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
/* log input line if appropriate */
if (argc > 0) {
Index: usr.bin/logname/logname.c
===================================================================
RCS file: /cvs/src/usr.bin/logname/logname.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 logname.c
--- usr.bin/logname/logname.c 27 Oct 2009 23:59:40 -0000 1.7
+++ usr.bin/logname/logname.c 28 Sep 2015 20:15:11 -0000
@@ -46,6 +46,9 @@ main(int argc, char *argv[])
setlocale(LC_ALL, "");
+ if (tame("stdio getpw", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "")) != -1)
switch (ch) {
case '?':
Index: usr.bin/look/look.c
===================================================================
RCS file: /cvs/src/usr.bin/look/look.c,v
retrieving revision 1.16
diff -u -p -u -r1.16 look.c
--- usr.bin/look/look.c 6 Feb 2015 23:21:59 -0000 1.16
+++ usr.bin/look/look.c 28 Sep 2015 20:15:11 -0000
@@ -88,6 +88,9 @@ main(int argc, char *argv[])
int ch, fd, termchar;
char *back, *file, *front, *string, *p;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
file = _PATH_WORDS;
termchar = '\0';
while ((ch = getopt(argc, argv, "dft:")) != -1)
Index: usr.bin/mktemp/mktemp.c
===================================================================
RCS file: /cvs/src/usr.bin/mktemp/mktemp.c,v
retrieving revision 1.20
diff -u -p -u -r1.20 mktemp.c
--- usr.bin/mktemp/mktemp.c 6 Aug 2013 21:56:51 -0000 1.20
+++ usr.bin/mktemp/mktemp.c 28 Sep 2015 20:15:11 -0000
@@ -38,6 +38,9 @@ main(int argc, char *argv[])
char *cp, *template, *tempfile, *prefix = _PATH_TMP;
size_t len;
+ if (tame("stdio wpath cpath", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "dp:qtu")) != -1)
switch(ch) {
case 'd':
Index: usr.bin/nl/nl.c
===================================================================
RCS file: /cvs/src/usr.bin/nl/nl.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 nl.c
--- usr.bin/nl/nl.c 21 Jan 2015 22:28:09 -0000 1.4
+++ usr.bin/nl/nl.c 4 Oct 2015 05:00:06 -0000
@@ -118,6 +118,9 @@ main(int argc, char *argv[])
(void)setlocale(LC_ALL, "");
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
while ((c = getopt(argc, argv, "pb:d:f:h:i:l:n:s:v:w:")) != -1) {
switch (c) {
case 'p':
@@ -204,10 +207,15 @@ main(int argc, char *argv[])
switch (argc) {
case 0:
+ /* Read from stdin. */
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
break;
case 1:
- if (strcmp(argv[0], "-") != 0 &&
- freopen(argv[0], "r", stdin) == NULL)
+ if (strcmp(argv[0], "-") == 0)
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+ else if (freopen(argv[0], "r", stdin) == NULL)
err(EXIT_FAILURE, "%s", argv[0]);
break;
default:
Index: usr.bin/nm/nm.c
===================================================================
RCS file: /cvs/src/usr.bin/nm/nm.c,v
retrieving revision 1.47
diff -u -p -u -r1.47 nm.c
--- usr.bin/nm/nm.c 13 Aug 2015 19:13:28 -0000 1.47
+++ usr.bin/nm/nm.c 3 Oct 2015 04:25:11 -0000
@@ -211,6 +211,10 @@ main(int argc, char *argv[])
posix_radix, posix_radix);
if (demangle)
pipe2cppfilt();
+
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
argv += optind;
argc -= optind;
Index: usr.bin/paste/paste.c
===================================================================
RCS file: /cvs/src/usr.bin/paste/paste.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 paste.c
--- usr.bin/paste/paste.c 25 Nov 2014 10:20:24 -0000 1.19
+++ usr.bin/paste/paste.c 28 Sep 2015 20:15:11 -0000
@@ -57,6 +57,9 @@ main(int argc, char *argv[])
extern int optind;
int ch, seq;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
seq = 0;
while ((ch = getopt(argc, argv, "d:s")) != -1) {
switch (ch) {
Index: usr.bin/pr/pr.c
===================================================================
RCS file: /cvs/src/usr.bin/pr/pr.c,v
retrieving revision 1.36
diff -u -p -u -r1.36 pr.c
--- usr.bin/pr/pr.c 20 Aug 2015 22:32:41 -0000 1.36
+++ usr.bin/pr/pr.c 28 Sep 2015 20:15:11 -0000
@@ -140,6 +140,9 @@ main(int argc, char *argv[])
{
int ret_val;
+ if (tame("stdio rpath", NULL) == -1)
+ perror("tame");
+
if (signal(SIGINT, SIG_IGN) != SIG_IGN)
(void)signal(SIGINT, terminate);
ret_val = setup(argc, argv);
Index: usr.bin/printenv/printenv.c
===================================================================
RCS file: /cvs/src/usr.bin/printenv/printenv.c,v
retrieving revision 1.6
diff -u -p -u -r1.6 printenv.c
--- usr.bin/printenv/printenv.c 27 Oct 2009 23:59:41 -0000 1.6
+++ usr.bin/printenv/printenv.c 28 Sep 2015 20:15:11 -0000
@@ -32,6 +32,8 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
+#include <unistd.h>
+#include <err.h>
/*
* printenv
@@ -45,6 +47,9 @@ main(int argc, char *argv[])
extern char **environ;
char *cp, **ep;
int len;
+
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
if (argc < 2) {
for (ep = environ; *ep; ep++)
Index: usr.bin/printf/printf.c
===================================================================
RCS file: /cvs/src/usr.bin/printf/printf.c,v
retrieving revision 1.22
diff -u -p -u -r1.22 printf.c
--- usr.bin/printf/printf.c 25 May 2014 07:36:36 -0000 1.22
+++ usr.bin/printf/printf.c 28 Sep 2015 20:15:11 -0000
@@ -32,6 +32,7 @@
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
+#include <unistd.h>
#include <string.h>
#include <limits.h>
#include <locale.h>
@@ -80,6 +81,9 @@ main(int argc, char *argv[])
char *format;
setlocale (LC_ALL, "");
+
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
/* Need to accept/ignore "--" option. */
if (argc > 1 && strcmp(argv[1], "--") == 0) {
Index: usr.bin/readlink/readlink.c
===================================================================
RCS file: /cvs/src/usr.bin/readlink/readlink.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 readlink.c
--- usr.bin/readlink/readlink.c 1 May 2009 10:36:48 -0000 1.25
+++ usr.bin/readlink/readlink.c 28 Sep 2015 20:15:11 -0000
@@ -44,6 +44,9 @@ main(int argc, char *argv[])
int n, ch, nflag = 0, fflag = 0;
extern int optind;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "fn")) != -1)
switch (ch) {
case 'f':
Index: usr.bin/rev/rev.c
===================================================================
RCS file: /cvs/src/usr.bin/rev/rev.c,v
retrieving revision 1.10
diff -u -p -u -r1.10 rev.c
--- usr.bin/rev/rev.c 27 Oct 2009 23:59:42 -0000 1.10
+++ usr.bin/rev/rev.c 28 Sep 2015 20:15:11 -0000
@@ -49,6 +49,9 @@ main(int argc, char *argv[])
size_t len;
int ch, rval;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "")) != -1)
switch(ch) {
case '?':
@@ -71,6 +74,9 @@ main(int argc, char *argv[])
continue;
}
filename = *argv++;
+ } else {
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
}
while ((p = fgetln(fp, &len)) != NULL) {
if (p[len - 1] == '\n')
Index: usr.bin/rs/rs.c
===================================================================
RCS file: /cvs/src/usr.bin/rs/rs.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 rs.c
--- usr.bin/rs/rs.c 20 Aug 2015 22:32:41 -0000 1.25
+++ usr.bin/rs/rs.c 28 Sep 2015 20:15:11 -0000
@@ -93,6 +93,9 @@ void putfile(void);
int
main(int argc, char *argv[])
{
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+
getargs(argc, argv);
getfile();
if (flags & SHAPEONLY) {
Index: usr.bin/split/split.c
===================================================================
RCS file: /cvs/src/usr.bin/split/split.c,v
retrieving revision 1.18
diff -u -p -u -r1.18 split.c
--- usr.bin/split/split.c 16 Jan 2015 06:40:12 -0000 1.18
+++ usr.bin/split/split.c 28 Sep 2015 20:15:11 -0000
@@ -68,6 +68,9 @@ main(int argc, char *argv[])
char *ep, *p;
const char *errstr;
+ if (tame("stdio rpath wpath cpath", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "0123456789a:b:l:p:-")) != -1)
switch (ch) {
case '0': case '1': case '2': case '3': case '4':
Index: usr.bin/stat/stat.c
===================================================================
RCS file: /cvs/src/usr.bin/stat/stat.c,v
retrieving revision 1.18
diff -u -p -u -r1.18 stat.c
--- usr.bin/stat/stat.c 26 Nov 2013 21:08:12 -0000 1.18
+++ usr.bin/stat/stat.c 28 Sep 2015 20:15:11 -0000
@@ -158,6 +158,9 @@ main(int argc, char *argv[])
int lsF, fmtchar, usestat, fn, nonl, quiet;
char *statfmt, *options, *synopsis;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
lsF = 0;
fmtchar = '\0';
usestat = 0;
Index: usr.bin/tail/tail.c
===================================================================
RCS file: /cvs/src/usr.bin/tail/tail.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 tail.c
--- usr.bin/tail/tail.c 27 Oct 2009 23:59:44 -0000 1.17
+++ usr.bin/tail/tail.c 28 Sep 2015 20:15:11 -0000
@@ -61,6 +61,9 @@ main(int argc, char *argv[])
int ch, first;
char *p;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
/*
* Tail's options are weird. First, -n10 is the same as -n-10, not
* -n+10. Second, the number options are 1 based and not offsets,
Index: usr.bin/tee/tee.c
===================================================================
RCS file: /cvs/src/usr.bin/tee/tee.c,v
retrieving revision 1.8
diff -u -p -u -r1.8 tee.c
--- usr.bin/tee/tee.c 23 Apr 2013 17:48:17 -0000 1.8
+++ usr.bin/tee/tee.c 28 Sep 2015 20:15:11 -0000
@@ -74,6 +74,9 @@ main(int argc, char *argv[])
setlocale(LC_ALL, "");
+ if (tame("stdio rpath wpath cpath", NULL) == -1)
+ err(1, "tame");
+
append = 0;
while ((ch = getopt(argc, argv, "ai")) != -1) {
switch(ch) {
Index: usr.bin/tic/tic.c
===================================================================
RCS file: /cvs/src/usr.bin/tic/tic.c,v
retrieving revision 1.31
diff -u -p -u -r1.31 tic.c
--- usr.bin/tic/tic.c 28 Nov 2013 18:24:55 -0000 1.31
+++ usr.bin/tic/tic.c 30 Sep 2015 18:03:04 -0000
@@ -499,6 +499,9 @@ main(int argc, char *argv[])
bool check_only = FALSE;
bool suppress_untranslatable = FALSE;
+ if (tame("stdio rpath cpath", NULL) == -1)
+ perror("tame");
+
log_fp = stderr;
_nc_progname = _nc_rootname(argv[0]);
Index: usr.bin/touch/touch.c
===================================================================
RCS file: /cvs/src/usr.bin/touch/touch.c,v
retrieving revision 1.23
diff -u -p -u -r1.23 touch.c
--- usr.bin/touch/touch.c 17 Mar 2015 19:31:30 -0000 1.23
+++ usr.bin/touch/touch.c 3 Oct 2015 04:37:51 -0000
@@ -60,6 +60,9 @@ main(int argc, char *argv[])
(void)setlocale(LC_ALL, "");
+ if (tame("stdio rpath wpath cpath fattr", NULL) == -1)
+ err(1, "tame");
+
aflag = cflag = mflag = timeset = 0;
while ((ch = getopt(argc, argv, "acd:fmr:t:")) != -1)
switch (ch) {
Index: usr.bin/tr/tr.c
===================================================================
RCS file: /cvs/src/usr.bin/tr/tr.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 tr.c
--- usr.bin/tr/tr.c 3 Jun 2014 20:57:23 -0000 1.17
+++ usr.bin/tr/tr.c 28 Sep 2015 20:15:11 -0000
@@ -87,6 +87,9 @@ main(int argc, char *argv[])
int ch, cnt, lastch, *p;
int cflag, dflag, sflag, isstring2;
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+
cflag = dflag = sflag = 0;
while ((ch = getopt(argc, argv, "Ccds")) != -1)
switch(ch) {
Index: usr.bin/units/units.c
===================================================================
RCS file: /cvs/src/usr.bin/units/units.c,v
retrieving revision 1.20
diff -u -p -u -r1.20 units.c
--- usr.bin/units/units.c 27 Nov 2013 00:13:24 -0000 1.20
+++ usr.bin/units/units.c 28 Sep 2015 20:15:11 -0000
@@ -23,6 +23,7 @@
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
+#include <err.h>
#define UNITSFILE "/usr/share/misc/units.lib"
@@ -630,6 +631,9 @@ main(int argc, char **argv)
extern char *optarg;
extern int optind;
+
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
while ((optchar = getopt(argc, argv, "vqf:")) != -1) {
switch (optchar) {
Index: usr.bin/unvis/unvis.c
===================================================================
RCS file: /cvs/src/usr.bin/unvis/unvis.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 unvis.c
--- usr.bin/unvis/unvis.c 22 Jan 2014 09:45:21 -0000 1.12
+++ usr.bin/unvis/unvis.c 28 Sep 2015 20:15:11 -0000
@@ -43,6 +43,9 @@ main(int argc, char *argv[])
FILE *fp;
int ch;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "")) != -1)
switch(ch) {
case '?':
Index: usr.bin/users/users.c
===================================================================
RCS file: /cvs/src/usr.bin/users/users.c,v
retrieving revision 1.11
diff -u -p -u -r1.11 users.c
--- usr.bin/users/users.c 8 Oct 2014 04:11:28 -0000 1.11
+++ usr.bin/users/users.c 28 Sep 2015 20:15:11 -0000
@@ -53,6 +53,9 @@ main(int argc, char *argv[])
struct utmp utmp;
int ch;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "")) != -1)
switch(ch) {
case '?':
Index: usr.bin/vacation/vacation.c
===================================================================
RCS file: /cvs/src/usr.bin/vacation/vacation.c,v
retrieving revision 1.37
diff -u -p -u -r1.37 vacation.c
--- usr.bin/vacation/vacation.c 20 Aug 2015 22:32:42 -0000 1.37
+++ usr.bin/vacation/vacation.c 3 Oct 2015 04:23:59 -0000
@@ -49,6 +49,7 @@
#include <stdlib.h>
#include <string.h>
#include <paths.h>
+#include <err.h>
/*
* VACATION -- return a message to the sender when on vacation.
Index: usr.bin/vis/vis.c
===================================================================
RCS file: /cvs/src/usr.bin/vis/vis.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 vis.c
--- usr.bin/vis/vis.c 18 Apr 2015 18:28:38 -0000 1.17
+++ usr.bin/vis/vis.c 28 Sep 2015 20:15:11 -0000
@@ -55,6 +55,9 @@ main(int argc, char *argv[])
FILE *fp;
int ch;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
while ((ch = getopt(argc, argv, "anwctsobfF:ld")) != -1)
switch(ch) {
case 'a':
Index: usr.bin/what/what.c
===================================================================
RCS file: /cvs/src/usr.bin/what/what.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 what.c
--- usr.bin/what/what.c 22 Jan 2015 19:10:17 -0000 1.13
+++ usr.bin/what/what.c 28 Sep 2015 20:15:11 -0000
@@ -58,6 +58,9 @@ main(int argc, char *argv[])
char match[256];
int c;
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
matches = sflag = 0;
while ((c = getopt(argc, argv, "s")) != -1) {
switch (c) {
Index: usr.bin/who/who.c
===================================================================
RCS file: /cvs/src/usr.bin/who/who.c,v
retrieving revision 1.20
diff -u -p -u -r1.20 who.c
--- usr.bin/who/who.c 22 Aug 2013 04:43:41 -0000 1.20
+++ usr.bin/who/who.c 28 Sep 2015 20:15:11 -0000
@@ -72,6 +72,9 @@ main(int argc, char *argv[])
setlocale(LC_ALL, "");
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+
only_current_term = show_term = show_idle = show_labels = 0;
show_quick = 0;
while ((c = getopt(argc, argv, "HmqTu")) != -1) {
Index: usr.bin/yes/yes.c
===================================================================
RCS file: /cvs/src/usr.bin/yes/yes.c,v
retrieving revision 1.8
diff -u -p -u -r1.8 yes.c
--- usr.bin/yes/yes.c 27 Oct 2009 23:59:50 -0000 1.8
+++ usr.bin/yes/yes.c 28 Sep 2015 20:15:11 -0000
@@ -30,11 +30,15 @@
* SUCH DAMAGE.
*/
+#include <unistd.h>
#include <stdio.h>
int
main(int argc, char *argv[])
{
+ if (tame("stdio", NULL) == -1)
+ perror("tame");
+
if (argc > 1)
for (;;)
puts(argv[1]);
Index: usr.sbin/bgpd/rde.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
retrieving revision 1.339
diff -u -p -u -r1.339 rde.c
--- usr.sbin/bgpd/rde.c 21 Sep 2015 09:47:15 -0000 1.339
+++ usr.sbin/bgpd/rde.c 28 Sep 2015 20:15:11 -0000
@@ -30,6 +30,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <err.h>
#include "bgpd.h"
#include "mrt.h"
@@ -185,6 +186,9 @@ rde_main(int debug, int verbose)
setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
fatal("can't drop privileges");
+
+ if (tame("malloc unix cmsg", NULL) == -1)
+ err(1, "tame");
signal(SIGTERM, rde_sighdlr);
signal(SIGINT, rde_sighdlr);
Index: usr.sbin/bgpd/session.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
retrieving revision 1.340
diff -u -p -u -r1.340 session.c
--- usr.sbin/bgpd/session.c 4 Aug 2015 14:46:38 -0000 1.340
+++ usr.sbin/bgpd/session.c 28 Sep 2015 20:15:11 -0000
@@ -219,6 +219,9 @@ session_main(int debug, int verbose)
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
fatal("can't drop privileges");
+ if (tame("malloc inet cmsg", NULL) == -1)
+ err(1, "tame");
+
signal(SIGTERM, session_sighdlr);
signal(SIGINT, session_sighdlr);
signal(SIGPIPE, SIG_IGN);
Index: usr.sbin/httpd/httpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
retrieving revision 1.39
diff -u -p -u -r1.39 httpd.c
--- usr.sbin/httpd/httpd.c 20 Aug 2015 13:00:23 -0000 1.39
+++ usr.sbin/httpd/httpd.c 29 Sep 2015 09:34:57 -0000
@@ -247,6 +247,9 @@ main(int argc, char *argv[])
setproctitle("parent");
+ if (tame("malloc inet cmsg cpath rpath wpath proc ioctl", NULL) == -1)
+ err(1, "tame");
+
event_init();
signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);
Index: usr.sbin/httpd/logger.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/logger.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 logger.c
--- usr.sbin/httpd/logger.c 20 Aug 2015 13:00:23 -0000 1.13
+++ usr.sbin/httpd/logger.c 28 Sep 2015 20:15:11 -0000
@@ -26,6 +26,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <err.h>
#include <fcntl.h>
#include <imsg.h>
@@ -70,6 +71,9 @@ logger_shutdown(void)
void
logger_init(struct privsep *ps, struct privsep_proc *p, void *arg)
{
+ if (tame("malloc cmsg", NULL) == -1)
+ err(1, "tame");
+
if (config_init(ps->ps_env) == -1)
fatal("failed to initialize configuration");
Index: usr.sbin/httpd/server.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server.c,v
retrieving revision 1.80
diff -u -p -u -r1.80 server.c
--- usr.sbin/httpd/server.c 11 Sep 2015 13:21:09 -0000 1.80
+++ usr.sbin/httpd/server.c 3 Oct 2015 02:52:35 -0000
@@ -38,6 +38,7 @@
#include <string.h>
#include <syslog.h>
#include <unistd.h>
+#include <err.h>
#include <event.h>
#include <imsg.h>
#include <tls.h>
@@ -243,6 +244,15 @@ server_init(struct privsep *ps, struct p
/* Unlimited file descriptors (use system limits) */
socket_rlimit(-1);
+
+ /*
+ * XXX "inet" and "unix" are only needed for fcgi, however
+ * whether fcgi is used or not can change when the config is
+ * reloaded. should the parent retain these abilities, but
+ * re-fork the children and properly tame them again on reload?
+ */
+ if (tame("malloc cmsg rpath proc inet unix ioctl", NULL) == -1)
+ err(1, "tame");
#if 0
/* Schedule statistics timer */
Index: usr.sbin/ntpd/ntp.c
===================================================================
RCS file: /cvs/src/usr.sbin/ntpd/ntp.c,v
retrieving revision 1.135
diff -u -p -u -r1.135 ntp.c
--- usr.sbin/ntpd/ntp.c 14 Aug 2015 02:00:18 -0000 1.135
+++ usr.sbin/ntpd/ntp.c 28 Sep 2015 20:15:11 -0000
@@ -30,6 +30,7 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
+#include <err.h>
#include <tls.h>
#include "ntpd.h"
@@ -164,6 +165,10 @@ ntp_main(int pipe_prnt[2], int fd_ctl, s
fatal("can't drop privileges");
endservent();
+
+ /* XXX "dns" for constraint.c, which is forked off wrong parent? */
+ if (tame("stdio inet dns proc", NULL) == -1)
+ err(1, "tame");
signal(SIGTERM, ntp_sighdlr);
signal(SIGINT, ntp_sighdlr);
Index: usr.sbin/ntpd/ntpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
retrieving revision 1.95
diff -u -p -u -r1.95 ntpd.c
--- usr.sbin/ntpd/ntpd.c 3 Oct 2015 02:47:15 -0000 1.95
+++ usr.sbin/ntpd/ntpd.c 3 Oct 2015 02:47:28 -0000
@@ -196,6 +196,10 @@ main(int argc, char *argv[])
setproctitle("[priv]");
readfreq();
+// XXX missing: adjtime() to change time
+// if (tame("stdio unix proc", NULL) == -1)
+// err(1, "tame");
+
signal(SIGTERM, sighdlr);
signal(SIGINT, sighdlr);
signal(SIGHUP, sighdlr);
Index: usr.sbin/portmap/portmap.c
===================================================================
RCS file: /cvs/src/usr.sbin/portmap/portmap.c,v
retrieving revision 1.45
diff -u -p -u -r1.45 portmap.c
--- usr.sbin/portmap/portmap.c 13 Sep 2015 15:44:47 -0000 1.45
+++ usr.sbin/portmap/portmap.c 4 Oct 2015 01:00:35 -0000
@@ -246,6 +246,9 @@ main(int argc, char *argv[])
}
endpwent();
+ if (tame("stdio rpath inet proc", NULL) == -1)
+ err(1, "tame");
+
if (svc_register(xprt, PMAPPROG, PMAPVERS, reg_service, FALSE) == 0) {
syslog(LOG_ERR, "svc_register failed.");
exit(1);
@@ -604,6 +607,10 @@ callit(struct svc_req *rqstp, SVCXPRT *x
a.rmt_prog);
return;
}
+
+ if (tame("stdio rpath inet", NULL) == -1)
+ err(1, "tame");
+
port = pml->pml_map.pm_port;
get_myaddress(&me);
me.sin_port = htons(port);
Index: usr.sbin/relayd/ca.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 ca.c
--- usr.sbin/relayd/ca.c 2 May 2015 13:15:24 -0000 1.13
+++ usr.sbin/relayd/ca.c 28 Sep 2015 20:15:11 -0000
@@ -23,6 +23,7 @@
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
+#include <err.h>
#include <imsg.h>
#include <openssl/bio.h>
@@ -73,6 +74,9 @@ ca(struct privsep *ps, struct privsep_pr
void
ca_init(struct privsep *ps, struct privsep_proc *p, void *arg)
{
+ if (tame("malloc rw cmsg", NULL) == -1)
+ err(1, "tame");
+
if (config_init(ps->ps_env) == -1)
fatal("failed to initialize configuration");
Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.190
diff -u -p -u -r1.190 syslogd.c
--- usr.sbin/syslogd/syslogd.c 29 Sep 2015 03:19:23 -0000 1.190
+++ usr.sbin/syslogd/syslogd.c 29 Sep 2015 03:42:24 -0000
@@ -593,6 +593,9 @@ main(int argc, char *argv[])
if (priv_init(ConfFile, NoDNS, lockpipe[1], nullfd, argv) < 0)
errx(1, "unable to privsep");
+ if (tame("malloc rpath unix inet cmsg", NULL) == -1)
+ err(1, "tame");
+
/* Process is now unprivileged and inside a chroot */
event_init();
