On Sun, Apr 10, 2016 at 9:16 AM, Ingo Schwarze <[email protected]> wrote:
...
>> The following aren't listed in the manpage. Should some of them be?
>>
>> [SYS_sendsyslog] = PLEDGE_ALWAYS, /* stack protector reporting */
>
> It looks like that's already listed below "stdio".
>
> By the way, since sendsyslog(2) is only intended to be called by
> syslog(3) and not directly by application code, i'd prefer to have
> syslog(3) listed instead of sendsyslog(2) - but that's probably a
> separate matter.

I'm inclined to list both; we document our internal system calls and
users can see them in the source and in kdump output.

>> [SYS_osendsyslog] = PLEDGE_ALWAYS, /* obsolete sendsyslog */
>
> Don't list that one. It will go away soon, and no application
> program can reasonably use it.

I agree.

>> [SYS_thrkill] = PLEDGE_ALWAYS, /* raise, abort, stack pro */
>
> Looks like that should be listed; or maybe - like for syslog, since
> this is hardly fit for direct use - pthread_kill(3), raise(3), abort(3)
> instead?

At least raise(3) and pthread_kill(3), yes.

>> [SYS_utrace] = PLEDGE_ALWAYS, /* ltrace(1) from ld.so */
>
> Looks like it should be listed.
>
>> The kill(2) call is only mentioned under "proc". The special case of
>> "killing self" currently isn't mentioned and probably should be:
>
> I agree, that seems important.

I wish we could get rid of that, but converting everything from
kill(getpid(), sig) to raise(sig) is probably a fool's errand.

Hmm, I wonder if permitting kill(0, sig) is actually still correct, as
it's the same as kill(-getpgid(), sig), sending the signal to all
processes in the process group. Should that really always be permitted?

>> /*
>> * Can kill self with "stdio". Killing another pid
>> * requires "proc"
>> */
>> [SYS_o58_kill] = PLEDGE_STDIO,
>
> But of course, don't mention o58_kill, which will go away.

Indeed, it's been 5 months and a couple libc bumps. I'll send a diff to do so.

>> /*
>> * Classify as RPATH|WPATH, because of path information leakage.
>> * WPATH due to unknown use of mk*temp(3) on non-/tmp paths..
>> */
>> [SYS___getcwd] = PLEDGE_RPATH | PLEDGE_WPATH,
>
> That's a very clear case of a function that should never be called
> directly. We don't even have a manual page for it, and none is needed.
> The __getcwd(2) syscall is intended to be only called by getcwd(3),
> and that is correctly listed below both "rpath" and "wpath", so
> nothing to do here.

I agree, just list getcwd(3).

(Some day I may rename the underlying syscall to remove the __ prefix...)

Philip Guenther
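The question raised above about what kill(0, sig) actually reaches (self only, or the whole process group) can be checked directly. The program below is an added illustration, not code from this thread or from the OpenBSD tree, and it does not call pledge(2) at all so that it runs on any POSIX system: it forks a child into the caller's process group, sends SIGUSR1 using each of the three pid forms the thread mentions (getpid(), 0, and -getpgrp()), and reports which processes collected the signal. The function name who_gets_signal, the enum target and the GOT_* bits are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not from the mailing-list thread): which processes does
 * each pid form of kill(2) reach? */
enum target { TARGET_SELF, TARGET_GROUP_ZERO, TARGET_GROUP_NEG };

#define GOT_PARENT 1
#define GOT_CHILD  2

/* Fork a child in our own process group, send `sig` with the requested
 * pid form, and return a bitmask of who received it. -1 on setup error. */
int who_gets_signal(enum target t, int sig)
{
    sigset_t set, old;
    int fds[2], s, result = 0;
    pid_t pid, target;
    char child_got = 0;

    /* Move into a fresh process group first: the group-wide forms must not
     * be able to reach whatever shell or test harness launched us. */
    if (setpgid(0, 0) == -1 && getpgrp() != getpid())
        return -1;

    sigemptyset(&set);
    sigaddset(&set, sig);
    sigaddset(&set, SIGALRM);
    /* Block both signals before forking; they then stay pending in each
     * process until collected with sigwait(), so there is no handler race. */
    if (sigprocmask(SIG_BLOCK, &set, &old) == -1 || pipe(fds) == -1)
        return -1;

    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Child: same process group as the parent (no setpgid here).
         * Give up after 200 ms so the "self only" case terminates. */
        struct itimerval deadline = { { 0, 0 }, { 0, 200000 } };
        close(fds[0]);
        setitimer(ITIMER_REAL, &deadline, NULL);
        if (sigwait(&set, &s) == 0 && s == sig)
            child_got = 1;
        (void)write(fds[1], &child_got, 1);
        _exit(0);
    }
    close(fds[1]);

    switch (t) {
    case TARGET_SELF:       target = getpid();   break; /* this process only  */
    case TARGET_GROUP_ZERO: target = 0;          break; /* caller's whole group */
    default:                target = -getpgrp(); break; /* same group, explicit */
    }

    /* The sender is always a member of the target, so the parent can wait
     * without a deadline; a failed kill() simply yields no GOT_PARENT bit. */
    if (kill(target, sig) == 0 && sigwait(&set, &s) == 0 && s == sig)
        result |= GOT_PARENT;
    if (read(fds[0], &child_got, 1) == 1 && child_got)
        result |= GOT_CHILD;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    sigprocmask(SIG_SETMASK, &old, NULL);
    return result;
}

static const char *describe(int r)
{
    return r == (GOT_PARENT | GOT_CHILD) ? "parent and child" :
           r == GOT_PARENT ? "parent only" : "nobody (or error)";
}

int main(void)
{
    printf("kill(getpid(), sig): %s\n", describe(who_gets_signal(TARGET_SELF, SIGUSR1)));
    printf("kill(0, sig):        %s\n", describe(who_gets_signal(TARGET_GROUP_ZERO, SIGUSR1)));
    printf("kill(-getpgrp(), sig): %s\n", describe(who_gets_signal(TARGET_GROUP_NEG, SIGUSR1)));
    return 0;
}
```

Only the first form is "killing self"; pid 0 and -getpgrp() both deliver to every process in the group, which is why a promise that is meant to cover raise(3)-style use would be broader than intended if it let pid 0 through. Blocking the signal and collecting it with sigwait() instead of installing a handler is what keeps the demonstration race-free.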
