This is a first stab at updating the list of syscalls in the pledge(2)
manpage and at the same time I'd like to clarify some simple things.

I'm wondering about the chflags(2), chown(2) and chmod(2) families of
system calls. They are currently listed up to four times: once at the
beginning where it is explained that they have general restrictions,
which makes sense. Then they are also listed under "fattr", "rpath" and
"wpath". Wouldn't "fattr" with a corresponding note about possible
additional need for "rpath" and "wpath" be better?

The following aren't listed in the manpage. Should some of them be?

        [SYS_kbind] = PLEDGE_ALWAYS,
        [SYS___get_tcb] = PLEDGE_ALWAYS,
        [SYS_sendsyslog] = PLEDGE_ALWAYS,       /* stack protector reporting */
        [SYS_osendsyslog] = PLEDGE_ALWAYS,      /* obsolete sendsyslog */
        [SYS_thrkill] = PLEDGE_ALWAYS,          /* raise, abort, stack pro */
        [SYS_utrace] = PLEDGE_ALWAYS,           /* ltrace(1) from ld.so */

I'm definitely not the right person to talk about these either:

        [SYS___tfork] = PLEDGE_STDIO,
        [SYS_sched_yield] = PLEDGE_STDIO,
        [SYS___thrsleep] = PLEDGE_STDIO,
        [SYS___thrwakeup] = PLEDGE_STDIO,
        [SYS___threxit] = PLEDGE_STDIO,
        [SYS___thrsigdivert] = PLEDGE_STDIO,

getsockopt(2) and setsockopt(2) are currently discussed under "inet" and
"unix". Should the "narrow whitelist" also be mentioned under "stdio"?

        [SYS_setsockopt] = PLEDGE_STDIO,        /* narrow whitelist */
        [SYS_getsockopt] = PLEDGE_STDIO,        /* narrow whitelist */

The kill(2) call is only mentioned under "proc". The special case of
"killing self" currently isn't mentioned and probably should be:

        /*
         * Can kill self with "stdio".  Killing another pid
         * requires "proc"
         */
        [SYS_o58_kill] = PLEDGE_STDIO,
        [SYS_kill] = PLEDGE_STDIO,

Not added since there is ongoing discussion about it:

        [SYS_chroot] = PLEDGE_ID,       /* also requires PLEDGE_PROC */

What about this one? It is not currently mentioned at all.

        /*
         * Classify as RPATH|WPATH, because of path information leakage.
         * WPATH due to unknown use of mk*temp(3) on non-/tmp paths..
         */
        [SYS___getcwd] = PLEDGE_RPATH | PLEDGE_WPATH,

Finally, I added bind(2) and getsockname(2) to "dns". Was that a simple
omission or is there more to it?

Index: pledge.2
===================================================================
RCS file: /var/cvs/src/lib/libc/sys/pledge.2,v
retrieving revision 1.27
diff -u -p -r1.27 pledge.2
--- pledge.2    11 Mar 2016 06:36:51 -0000      1.27
+++ pledge.2    10 Apr 2016 10:26:25 -0000
@@ -92,7 +92,8 @@ Use of the "tty" and "ioctl" promises re
 .It Xr mkfifo 2
 .It Xr mknod 2
 Setuid/setgid/sticky bits are ignored.
-The user or group cannot be changed on a file.
+The user cannot be changed on a file and the group can only be changed
+to a group to which the process belongs.
 .Pp
 .It Xr mmap 2
 .It Xr mprotect 2
@@ -133,6 +134,7 @@ The following system calls are permitted
 in libc, including memory allocation, most types of IO operations on
 previously allocated file descriptors:
 .Pp
+.Xr break 2 ,
 .Xr clock_getres 2 ,
 .Xr clock_gettime 2 ,
 .Xr close 2 ,
@@ -142,10 +144,10 @@ previously allocated file descriptors:
 .Xr dup3 2 ,
 .Xr fchdir 2 ,
 .Xr fcntl 2 ,
+.Xr fpathconf 2 ,
 .Xr fstat 2 ,
 .Xr fsync 2 ,
 .Xr ftruncate 2 ,
-.Xr getdents 2 ,
 .Xr getdtablecount 2 ,
 .Xr getegid 2 ,
 .Xr getentropy 2 ,
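Review bot: removing `.Xr getdents 2 ,` from the stdio list is only consistent because the rpath hunk further down adds it there; say so in the commit message (or the cover mail), otherwise a reader of this hunk alone takes it for a deletion of a documented permission. The `fpathconf` addition lands in the right alphabetical slot.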
@@ -154,6 +156,7 @@ previously allocated file descriptors:
 .Xr getgroups 2 ,
 .Xr getitimer 2 ,
 .Xr getlogin 2 ,
+.Xr getlogin_r 2 ,
 .Xr getpgid 2 ,
 .Xr getpgrp 2 ,
 .Xr getpid 2 ,
@@ -161,11 +164,11 @@ previously allocated file descriptors:
 .Xr getresgid 2 ,
 .Xr getresuid 2 ,
 .Xr getrlimit 2 ,
+.Xr getrusage 2 ,
 .Xr getsid 2 ,
 .Xr getthrid 2 ,
 .Xr gettimeofday 2 ,
 .Xr getuid 2 ,
-.Xr getuid 2 ,
 .Xr issetugid 2 ,
 .Xr kevent 2 ,
 .Xr kqueue 2 ,
@@ -176,12 +179,15 @@ previously allocated file descriptors:
 .Xr mprotect 2 ,
 .Xr mquery 2 ,
 .Xr munmap 2 ,
+.Xr msync 2 ,
 .Xr nanosleep 2 ,
 .Xr pipe 2 ,
 .Xr pipe2 2 ,
 .Xr poll 2 ,
+.Xr ppoll 2 ,
 .Xr pread 2 ,
 .Xr preadv 2 ,
+.Xr pselect 2 ,
 .Xr pwrite 2 ,
 .Xr pwritev 2 ,
 .Xr read 2 ,
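Review bot: `.Xr msync 2 ,` is inserted after `munmap` but sorts before it (m-s before m-u), which breaks the alphabetical order the list otherwise keeps; move it between `mquery` and `munmap`. `ppoll` and `pselect` are placed correctly.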
@@ -195,9 +201,13 @@ previously allocated file descriptors:
 .Xr setitimer 2 ,
 .Xr shutdown 2 ,
 .Xr sigaction 2 ,
+.Xr sigaltstack 2 ,
+.Xr sigpending 2 ,
 .Xr sigprocmask 2 ,
 .Xr sigreturn 2 ,
+.Xr sigsuspend 2 ,
 .Xr socketpair 2 ,
+.Xr stat 2 ,
 .Xr umask 2 ,
 .Xr wait4 2 ,
 .Xr write 2 ,
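Review bot: `.Xr stat 2 ,` is a pathname-based call, while the paragraph introducing this list describes stdio as IO on previously allocated file descriptors; if the kernel admits stat under stdio only for a restricted set of paths, the entry wants a qualifier of the "narrow whitelist" kind the cover mail asks about for getsockopt/setsockopt, and if it does not, the entry belongs under rpath instead. The signal additions (`sigaltstack`, `sigpending`, `sigsuspend`) are correctly ordered.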
@@ -215,46 +225,52 @@ read-only effects on the filesystem:
 .Xr chdir 2 ,
 .Xr getcwd 3 ,
 .Xr openat 2 ,
-.Xr fstatat 2 ,
 .Xr faccessat 2 ,
-.Xr readlinkat 2 ,
-.Xr lstat 2 ,
+.Xr chflags 2 ,
+.Xr chflagsat 2 ,
 .Xr chmod 2 ,
 .Xr fchmod 2 ,
 .Xr fchmodat 2 ,
-.Xr chflags 2 ,
-.Xr chflagsat 2 ,
 .Xr chown 2 ,
 .Xr fchown 2 ,
 .Xr fchownat 2 ,
 .Xr fstat 2 ,
+.Xr fstatat 2 ,
+.Xr fstatfs 2 ,
+.Xr getdents 2 ,
 .Xr getfsstat 2 .
+.Xr lstat 2 ,
+.Xr pathconf 2 ,
+.Xr readlinkat 2 ,
+.Xr statfs 2 .
 .It Va "wpath"
 A number of system calls are allowed and may cause
 write-effects on the filesystem:
 .Pp
 .Xr getcwd 3 ,
 .Xr openat 2 ,
-.Xr fstatat 2 ,
 .Xr faccessat 2 ,
-.Xr readlinkat 2 ,
-.Xr lstat 2 ,
+.Xr chflags 2 ,
+.Xr chflagsat 2 ,
 .Xr chmod 2 ,
 .Xr fchmod 2 ,
 .Xr fchmodat 2 ,
-.Xr chflags 2 ,
-.Xr chflagsat 2 ,
 .Xr chown 2 ,
 .Xr fchown 2 ,
 .Xr fchownat 2 ,
+.Xr lchown 2 .
 .Xr fstat 2 .
+.Xr fstatat 2 ,
+.Xr lstat 2 ,
+.Xr readlinkat 2 ,
+.Xr truncate 2 .
 .It Va "cpath"
 A number of system calls and sub-modes are allowed, which may
 create new files or directories in the filesystem:
 .Pp
 .Xr rename 2 ,
-.Xr rmdir 2 ,
 .Xr renameat 2 ,
+.Xr rmdir 2 ,
 .Xr link 2 ,
 .Xr linkat 2 ,
 .Xr symlink 2 ,
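Review bot: the list punctuation is wrong in three places: `.Xr getfsstat 2 .` keeps its terminating period although `lstat`, `pathconf`, `readlinkat` and `statfs` now follow it in the rpath list, and in the wpath list both `.Xr lchown 2 .` and `.Xr fstat 2 .` end in a period while `fstatat`, `lstat`, `readlinkat` and `truncate` follow; only the final entry of each list should end in a period, every other entry in a comma. The added `lchown` also lands before `fstat`, out of the order the rest of the list keeps. Separately, rpath and wpath still carry the chflags/chmod/chown families that the cover mail proposes to consolidate under fattr, so either the lists or the proposal should be reconciled before commit.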
@@ -308,15 +324,15 @@ relating to a file:
 .Xr futimes 2 ,
 .Xr utimensat 2 ,
 .Xr futimens 2 ,
+.Xr chflags 2 ,
+.Xr chflagsat 2 ,
 .Xr chmod 2 ,
 .Xr fchmod 2 ,
 .Xr fchmodat 2 ,
-.Xr chflags 2 ,
-.Xr chflagsat 2 ,
 .Xr chown 2 ,
+.Xr fchown 2 ,
 .Xr fchownat 2 ,
 .Xr lchown 2 ,
-.Xr fchown 2 ,
 .Xr utimes 2 .
 .It Va "flock"
 File locking via
@@ -353,7 +369,9 @@ a few system calls become able to allow 
 .Xr sendto 2 ,
 .Xr recvfrom 2 ,
 .Xr socket 2 ,
-.Xr connect 2 .
+.Xr bind 2 ,
+.Xr connect 2 ,
+.Xr getsockname 2 .
 .It Va "getpw"
 This allows read-only opening of files in
 .Pa /etc
@@ -376,11 +394,11 @@ operations.
 .It Va "sendfd"
 Allows sending of file descriptors using
 .Xr sendmsg 2 .
-File descriptors referering to directories may not be passed.
+File descriptors referring to directories may not be passed.
 .It Va "recvfd"
 Allows receiving of file descriptors using
 .Xr recvmsg 2 .
-File descriptors referering to directories may not be passed.
+File descriptors referring to directories may not be passed.
 .It Va "ioctl"
 Allows a subset of
 .Xr ioctl 2
@@ -476,6 +494,8 @@ programs like
 .Xr top 1
 and
 .Xr vmstat 8 .
+Also allows
+.Xr swapctl 2 .
 .It Va "id"
 Allows the following system calls which can change the rights of a
 process:

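As an added illustration, not code from this mail, from the diff, or from OpenBSD's kernel, the following portable C model shows the two-stage check behind the kern_pledge.c entries quoted above: a table lookup in which PLEDGE_ALWAYS passes unconditionally and any one pledged bit in a multi-bit entry such as PLEDGE_RPATH | PLEDGE_WPATH suffices (which is why the manpage can list getcwd under both rpath and wpath from a single table entry), followed by per-call rules that the table cannot express, namely the "kill self with stdio, another pid needs proc" and "chroot also requires proc" comments. The promise bit values, the syscall numbers and the names parse_promises, pledge_syscall, pledge_check and check are constructed for the model; OpenBSD's real constants live in sys/pledge.h and the syscall tables and differ from these.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Constructed promise bits; only PLEDGE_ALWAYS having every bit set matters. */
#define PLEDGE_STDIO   0x01u
#define PLEDGE_RPATH   0x02u
#define PLEDGE_WPATH   0x04u
#define PLEDGE_PROC    0x08u
#define PLEDGE_ID      0x10u
#define PLEDGE_ALWAYS  0xffffffffu

/* Constructed syscall numbers, not OpenBSD's SYS_* values. */
enum { SYS_kbind, SYS_kill, SYS___getcwd, SYS_chroot, SYS_MAXSYSCALL };

/* Promise bits each call is filed under, shaped like the entries quoted in the mail. */
static const uint32_t pledge_syscalls[SYS_MAXSYSCALL] = {
	[SYS_kbind]    = PLEDGE_ALWAYS,
	[SYS_kill]     = PLEDGE_STDIO,
	[SYS___getcwd] = PLEDGE_RPATH | PLEDGE_WPATH,
	[SYS_chroot]   = PLEDGE_ID,	/* the PLEDGE_PROC requirement is a second-stage check */
};

/* Map a pledge(2)-style promise string such as "stdio rpath" to bits; EINVAL on an unknown name. */
static int
parse_promises(const char *promises, uint32_t *out)
{
	static const struct { const char *name; uint32_t bit; } tab[] = {
		{ "stdio", PLEDGE_STDIO }, { "rpath", PLEDGE_RPATH }, { "wpath", PLEDGE_WPATH },
		{ "proc",  PLEDGE_PROC  }, { "id",    PLEDGE_ID    },
	};
	const size_t ntab = sizeof(tab) / sizeof(tab[0]);
	char buf[128];
	uint32_t bits = 0;

	if (strlen(promises) >= sizeof(buf))
		return E2BIG;
	strcpy(buf, promises);
	for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
		size_t i;
		for (i = 0; i < ntab; i++)
			if (strcmp(tok, tab[i].name) == 0) {
				bits |= tab[i].bit;
				break;
			}
		if (i == ntab)
			return EINVAL;
	}
	*out = bits;
	return 0;
}

/* Stage one: table lookup. PLEDGE_ALWAYS passes; otherwise any pledged bit in the entry suffices. */
static int
pledge_syscall(uint32_t pledged, int code)
{
	if (code < 0 || code >= SYS_MAXSYSCALL)
		return EINVAL;
	if (pledge_syscalls[code] == PLEDGE_ALWAYS)
		return 0;
	if (pledged & pledge_syscalls[code])
		return 0;
	return EPERM;
}

/* Stage two: per-call rules. kill(2) of the caller's own pid needs only "stdio",
 * any other target needs "proc"; chroot(2) needs "proc" on top of its table entry. */
static int
pledge_check(uint32_t pledged, int code, pid_t self, pid_t target)
{
	int err = pledge_syscall(pledged, code);

	if (err != 0)
		return err;
	switch (code) {
	case SYS_kill:
		return (target == self || (pledged & PLEDGE_PROC)) ? 0 : EPERM;
	case SYS_chroot:
		return (pledged & PLEDGE_PROC) ? 0 : EPERM;
	default:
		return 0;
	}
}

/* Convenience wrapper: promise string in, errno-style result (0, EPERM, EINVAL) out. */
static int
check(const char *promises, int code, pid_t self, pid_t target)
{
	uint32_t bits;
	int err = parse_promises(promises, &bits);

	return err != 0 ? err : pledge_check(bits, code, self, target);
}
```

With this model, check("stdio", SYS_kill, 100, 100) returns 0 while check("stdio", SYS_kill, 100, 200) returns EPERM, check("wpath", SYS___getcwd, 100, 0) returns 0 even without "rpath", and check("id", SYS_chroot, 100, 0) returns EPERM until "proc" is added, which is the behaviour the quoted table comments describe and the manpage entries under discussion need to match.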