This will probably be committed in the next day or so.
The 2nd argument of pledge() becomes execpromises, which is what
will get activated after execve.
There is also a small new feature called "error", which causes
violating system calls to return -1 with ENOSYS rather than killing
the process. This must be used with EXTREME CAUTION because libraries
and programs are full of unchecked system calls. If you carry on past
one of these failures, your program is in uncharted territory and
risks of exploitation become high.
"error" is being introduced for a different reason: The pre-exec
process's expectation of what the post-exec process will do might
mismatch, so "error" allows things like starting an editor which has
no network access or maybe other restrictions in the future...
Index: include/unistd.h
===================================================================
RCS file: /cvs/src/include/unistd.h,v
retrieving revision 1.104
diff -u -p -u -r1.104 unistd.h
--- include/unistd.h 9 Mar 2017 10:13:03 -0000 1.104
+++ include/unistd.h 30 Sep 2017 20:44:53 -0000
@@ -522,7 +522,7 @@ int strtofflags(char **, u_int32_t *, u
int swapctl(int cmd, const void *arg, int misc);
int syscall(int, ...);
int getentropy(void *, size_t);
-int pledge(const char *, const char **);
+int pledge(const char *, const char *);
pid_t __tfork_thread(const struct __tfork *, size_t, void (*)(void *),
void *);
#endif /* __BSD_VISIBLE */
Index: lib/libc/sys/execve.2
===================================================================
RCS file: /cvs/src/lib/libc/sys/execve.2,v
retrieving revision 1.50
diff -u -p -u -r1.50 execve.2
--- lib/libc/sys/execve.2 13 Apr 2017 21:49:11 -0000 1.50
+++ lib/libc/sys/execve.2 10 Dec 2017 20:51:21 -0000
@@ -273,6 +273,12 @@ system not allowing such operations, bei
.Xr mount 8
.Fl o Cm wxallowed
flag.
+.It Bq Er EACCESS
+The parent used
+.Xr pledge 2
+to declare an
+.Va execpromise ,
+and that is not permitted for setuid or setgid images.
.It Bq Er ENOEXEC
The new process file has the appropriate access
permission, but has an invalid magic number in its header.
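Review bot: `.It Bq Er EACCESS` names an errno that does not exist; the kern_exec.c hunk returns `EACCES`, so this entry should read `.It Bq Er EACCES`. The same misspelling appears in the pledge.2 "exec" entry. The text also says `.Va execpromise` while pledge.2 calls the argument `.Ar execpromises`; use one name and one macro in both pages.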
Index: lib/libc/sys/pledge.2
===================================================================
RCS file: /cvs/src/lib/libc/sys/pledge.2,v
retrieving revision 1.46
diff -u -p -u -r1.46 pledge.2
--- lib/libc/sys/pledge.2 22 Oct 2017 18:26:46 -0000 1.46
+++ lib/libc/sys/pledge.2 10 Dec 2017 19:10:24 -0000
@@ -23,7 +23,7 @@
.Sh SYNOPSIS
.In unistd.h
.Ft int
-.Fn pledge "const char *promises" "const char *paths[]"
+.Fn pledge "const char *promises" "const char *execpromises"
.Sh DESCRIPTION
The current process is forced into a restricted-service operating mode.
A few subsets are available, roughly described as computation, memory
@@ -33,7 +33,7 @@ In general, these modes were selected by
of many programs using libc and other such interfaces, and setting
.Ar promises
or
-.Ar paths .
+.Ar execpromises .
.Pp
Use of
.Fn pledge
@@ -58,7 +58,7 @@ with the
flag.
.Pp
A
-.Fa promises
+.Ar promises
value of "" restricts the process to the
.Xr _exit 2
system call.
@@ -68,9 +68,9 @@ with another process.
Passing
.Dv NULL
to
-.Fa promises
+.Ar promises
or
-.Fa paths
+.Ar execpromises
specifies to not change the current value.
.Pp
Some system calls, when allowed, have restrictions applied to them:
@@ -143,9 +143,10 @@ support:
system sensor readings.
.Pp
.It Fn pledge
-Can only reduce permissions; can only set a list of
-.Pa paths
-once.
+Can only reduce permissions for
+.Ar promises
+and
+.Ar execpromises.
.El
.Pp
The
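Review bot: `.Ar execpromises.` keeps the period inside the macro argument, so mdoc renders it as part of the name; write it as `.Ar execpromises .` with the trailing punctuation as a separate token, as the other edited lines in this file already do (`.Ar execpromises .`).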
@@ -466,9 +467,15 @@ Allows a process to call
Coupled with the
.Va proc
promise, this allows a process to fork and execute another program.
-The new program starts running without pledge active and hopefully
-makes a new
-.Fn pledge .
+If
+.Ar execpromises
+has been previously set the new program begins with those promises,
+unless setuid/setgid bits are set in which case execution is blocked with
+.Er EACCESS .
+Otherwise the new program starts running without pledge active,
+and hopefully makes a new
+.Fn pledge
+soon.
.It Va prot_exec
Allows the use of
.Dv PROT_EXEC
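Review bot: `.Er EACCESS .` should be `.Er EACCES .`, matching the errno the kern_exec.c hunk actually returns. Minor: a comma after "has been previously set" makes the sentence easier to parse ("If execpromises has been previously set, the new program begins with those promises").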
@@ -552,14 +559,13 @@ for more information on using the sndio
.It Va bpf
Allow
.Dv BIOCGSTATS
-operation for statistics collection from a bpf device.
+operation for statistics collection from a
+.Xr bpf 4
+device.
+.It Va error
+Rather than killing the process upon violation, indicate error with
+.Er ENOSYS .
.El
-.Pp
-A whitelist of permitted paths may be provided in
-.Ar paths .
-All other paths will return
-.Er ENOENT .
-At least one promise is required to be pledged in order to activate a
whitelist.
.Sh RETURN VALUES
.Rv -std
.Sh ERRORS
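Review bot: the new "error" entry says only that a violation is reported with ENOSYS, but the cover mail stresses that this must be used with extreme caution because libraries and programs are full of unchecked system calls and a process that carries on past such a failure is in uncharted territory. That caveat belongs in the man page too, since pledge.2 is what a developer deciding between the two modes will read; one sentence under `.It Va error` stating that continuing after an ENOSYS from a violated promise is unsafe would do.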
@@ -567,37 +573,18 @@ At least one promise is required to be p
will fail if:
.Bl -tag -width Er
.It Bq Er EFAULT
-.Fa paths
-or one of its elements, or
-.Fa promises
+.Ar promises
+or
+.Ar execpromises
points outside the process's allocated address space.
.It Bq Er EINVAL
.Ar promises
is malformed or contains invalid keywords.
-.It Bq Er ENAMETOOLONG
-An element of
-.Fa paths
-is too large, prepending
-.Fa cwd
-to it would exceed
-.Dv PATH_MAX
-bytes, or
-.Fa promises
-is too long.
.It Bq Er EPERM
This process is attempting to increase permissions.
-.It Bq Er E2BIG
-The
-.Ar paths
-array is too large, or the total number of bytes exceeds a
-system-imposed limit.
-The limit in the system as released is 262144 bytes
-.Pf ( Dv ARG_MAX ) .
.El
.Sh HISTORY
The
.Fn pledge
system call first appeared in
.Ox 5.9 .
-.Sh BUGS
-The path whitelist feature is not available at this time.
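Review bot: dropping the whole ENAMETOOLONG entry removes a case that still exists: parsepledges() in the kern_pledge.c hunk copies each string with `copyinstr(promises, rbuf, MAXPATHLEN, &rbuflen)`, which fails with ENAMETOOLONG when the string does not fit in MAXPATHLEN bytes. Keep the "promises is too long" part of the entry and extend it to execpromises; only the paths/cwd/PATH_MAX wording should go.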
Index: sys/sys/pledge.h
===================================================================
RCS file: /cvs/src/sys/sys/pledge.h,v
retrieving revision 1.32
diff -u -p -u -r1.32 pledge.h
--- sys/sys/pledge.h 29 Aug 2017 02:51:27 -0000 1.32
+++ sys/sys/pledge.h 8 Oct 2017 17:08:00 -0000
@@ -59,6 +59,7 @@
#define PLEDGE_CHOWN 0x0000000080000000ULL /* chown(2) family */
#define PLEDGE_CHOWNUID 0x0000000100000000ULL /* allow owner/group
changes */
#define PLEDGE_BPF 0x0000000200000000ULL /* bpf ioctl */
+#define PLEDGE_ERROR 0x0000000400000000ULL /* ENOSYS instead of kill */
/*
* Bits outside PLEDGE_USERSET are used by the kernel itself
@@ -105,6 +106,7 @@ static struct {
{ PLEDGE_VMM, "vmm" },
{ PLEDGE_CHOWNUID, "chown" },
{ PLEDGE_BPF, "bpf" },
+ { PLEDGE_ERROR, "error" },
{ 0, NULL },
};
#endif
Index: sys/sys/proc.h
===================================================================
RCS file: /cvs/src/sys/sys/proc.h,v
retrieving revision 1.240
diff -u -p -u -r1.240 proc.h
--- sys/sys/proc.h 29 Aug 2017 02:51:27 -0000 1.240
+++ sys/sys/proc.h 8 Dec 2017 05:03:17 -0000
@@ -220,6 +220,7 @@ struct process {
u_short ps_acflag; /* Accounting flags. */
uint64_t ps_pledge;
+ uint64_t ps_execpledge;
int64_t ps_kbind_cookie;
u_long ps_kbind_addr;
@@ -262,13 +263,14 @@ struct process {
#define PS_NOBROADCASTKILL 0x00080000 /* Process excluded from kill
-1. */
#define PS_PLEDGE 0x00100000 /* Has called pledge(2) */
#define PS_WXNEEDED 0x00200000 /* Process may violate W^X */
+#define PS_EXECPLEDGE 0x00400000 /* Has exec pledges */
#define PS_BITS \
("\20" "\01CONTROLT" "\02EXEC" "\03INEXEC" "\04EXITING" "\05SUGID" \
"\06SUGIDEXEC" "\07PPWAIT" "\010ISPWAIT" "\011PROFIL" "\012TRACED" \
"\013WAITED" "\014COREDUMP" "\015SINGLEEXIT" "\016SINGLEUNWIND" \
"\017NOZOMBIE" "\020STOPPED" "\021SYSTEM" "\022EMBRYO" "\023ZOMBIE" \
- "\024NOBROADCASTKILL" "\025PLEDGE" "\026WXNEEDED")
+ "\024NOBROADCASTKILL" "\025PLEDGE" "\026WXNEEDED", "\027EXECPLEDGE")
struct lock_list_entry;
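Review bot: the new PS_BITS line has a stray comma: `"\026WXNEEDED", "\027EXECPLEDGE")`. PS_BITS is a parenthesised run of adjacent string literals, so the comma turns the expression into a comma operator and the macro's value becomes just `"\027EXECPLEDGE"`, dropping every other flag name from bit-string output. It should be `"\026WXNEEDED" "\027EXECPLEDGE")`.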
Index: sys/sys/syscall.h
===================================================================
RCS file: /cvs/src/sys/sys/syscall.h,v
retrieving revision 1.189
diff -u -p -u -r1.189 syscall.h
--- sys/sys/syscall.h 28 Nov 2017 06:05:15 -0000 1.189
+++ sys/sys/syscall.h 8 Dec 2017 18:38:10 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: syscall.h,v 1.189 2017/11/28 06:05:15 guenther Exp $ */
+/* $OpenBSD$ */
/*
* System call numbers.
@@ -327,7 +327,7 @@
/* syscall: "chflagsat" ret: "int" args: "int" "const char *" "u_int" "int" */
#define SYS_chflagsat 107
-/* syscall: "pledge" ret: "int" args: "const char *" "const char **" */
+/* syscall: "pledge" ret: "int" args: "const char *" "const char *" */
#define SYS_pledge 108
/* syscall: "ppoll" ret: "int" args: "struct pollfd *" "u_int" "const struct
timespec *" "const sigset_t *" */
Index: sys/sys/syscallargs.h
===================================================================
RCS file: /cvs/src/sys/sys/syscallargs.h,v
retrieving revision 1.192
diff -u -p -u -r1.192 syscallargs.h
--- sys/sys/syscallargs.h 28 Nov 2017 06:05:15 -0000 1.192
+++ sys/sys/syscallargs.h 8 Dec 2017 18:38:10 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: syscallargs.h,v 1.192 2017/11/28 06:05:15 guenther Exp $
*/
+/* $OpenBSD$ */
/*
* System call argument lists.
@@ -538,8 +538,8 @@ struct sys_chflagsat_args {
};
struct sys_pledge_args {
- syscallarg(const char *) request;
- syscallarg(const char **) paths;
+ syscallarg(const char *) promises;
+ syscallarg(const char *) execpromises;
};
struct sys_ppoll_args {
Index: sys/kern/init_sysent.c
===================================================================
RCS file: /cvs/src/sys/kern/init_sysent.c,v
retrieving revision 1.190
diff -u -p -u -r1.190 init_sysent.c
--- sys/kern/init_sysent.c 28 Nov 2017 06:05:15 -0000 1.190
+++ sys/kern/init_sysent.c 8 Dec 2017 18:38:10 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: init_sysent.c,v 1.190 2017/11/28 06:05:15 guenther Exp $
*/
+/* $OpenBSD$ */
/*
* System call switch table.
Index: sys/kern/kern_exec.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.189
diff -u -p -u -r1.189 kern_exec.c
--- sys/kern/kern_exec.c 29 Aug 2017 02:51:27 -0000 1.189
+++ sys/kern/kern_exec.c 10 Dec 2017 20:51:24 -0000
@@ -139,6 +139,13 @@ check_exec(struct proc *p, struct exec_p
goto bad1;
}
+ /* SUID programs may not be started with execpromises */
+ if ((epp->ep_vap->va_mode & (VSUID | VSGID)) &&
+ (pr->ps_flags & PS_EXECPLEDGE))
+ error = EACCES;
+ goto bad1;
+ }
+
if ((vp->v_mount->mnt_flag & MNT_NOSUID))
epp->ep_vap->va_mode &= ~(VSUID | VSGID);
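Review bot: the `if` at the top of the hunk is missing its opening brace: `(pr->ps_flags & PS_EXECPLEDGE))` is followed directly by `error = EACCES;`, so `goto bad1;` runs unconditionally and the `}` after it is unbalanced; the condition line should end with `(pr->ps_flags & PS_EXECPLEDGE)) {`. The visible context also shows no declaration of `pr` in check_exec() (sys_execve() in the next hunk has one), so confirm it is in scope here or use `p->p_p`. Finally, the check sits just before the MNT_NOSUID block that strips VSUID/VSGID from `epp->ep_vap->va_mode`; placing it after that stripping would avoid refusing images on nosuid mounts whose setuid bits are ignored anyway.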
@@ -520,7 +527,13 @@ sys_execve(struct proc *p, void *v, regi
else
atomic_clearbits_int(&pr->ps_flags, PS_SUGIDEXEC);
- atomic_clearbits_int(&pr->ps_flags, PS_PLEDGE);
+ if (pr->ps_flags & PS_EXECPLEDGE) {
+ pr->ps_pledge = pr->ps_execpledge;
+ atomic_setbits_int(&pr->ps_flags, PS_PLEDGE);
+ } else {
+ atomic_clearbits_int(&pr->ps_flags, PS_PLEDGE);
+ pr->ps_pledge = 0;
+ }
/*
* deal with set[ug]id.
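Review bot: the PS_EXECPLEDGE branch installs ps_execpledge as the new ps_pledge but leaves PS_EXECPLEDGE and ps_execpledge in place, so the freshly exec'd image already carries the same execpromises for any execve() it performs itself and, per the reduction-only rule in sys_pledge(), can only narrow them. If that inheritance across the second exec is intended, the pledge.2 sentence "the new program begins with those promises" should say so; if not, clear PS_EXECPLEDGE alongside the copy here.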
Index: sys/kern/kern_fork.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_fork.c,v
retrieving revision 1.200
diff -u -p -u -r1.200 kern_fork.c
--- sys/kern/kern_fork.c 27 Sep 2017 06:45:00 -0000 1.200
+++ sys/kern/kern_fork.c 8 Dec 2017 05:08:14 -0000
@@ -237,7 +237,7 @@ process_new(struct proc *p, struct proce
vref(pr->ps_textvp);
pr->ps_flags = parent->ps_flags &
- (PS_SUGID | PS_SUGIDEXEC | PS_PLEDGE | PS_WXNEEDED);
+ (PS_SUGID | PS_SUGIDEXEC | PS_PLEDGE | PS_EXECPLEDGE | PS_WXNEEDED);
if (parent->ps_session->s_ttyvp != NULL)
pr->ps_flags |= parent->ps_flags & PS_CONTROLT;
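Review bot: inheriting PS_EXECPLEDGE here carries only the flag; the ps_execpledge value added to struct process in the proc.h hunk must reach the child as well. It is placed directly after ps_pledge, so if ps_pledge lies inside the region process_new() copies it will be duplicated too, but that is worth confirming: a child with PS_EXECPLEDGE set and a zero ps_execpledge would, on exec, start the new image with PS_PLEDGE set and no promises at all, which pledge.2 describes as restricting the process to _exit(2).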
Index: sys/kern/kern_pledge.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_pledge.c,v
retrieving revision 1.225
diff -u -p -u -r1.225 kern_pledge.c
--- sys/kern/kern_pledge.c 9 Dec 2017 06:50:32 -0000 1.225
+++ sys/kern/kern_pledge.c 9 Dec 2017 19:22:48 -0000
@@ -84,7 +84,9 @@
#endif
uint64_t pledgereq_flags(const char *req);
-int canonpath(const char *input, char *buf, size_t bufsize);
+int parsepledges(struct proc *p, const char *kname,
+ const char *promises, u_int64_t *fp);
+int canonpath(const char *input, char *buf, size_t bufsize);
/* #define DEBUG_PLEDGE */
#ifdef DEBUG_PLEDGE
@@ -367,6 +369,7 @@ static const struct {
{ "dns", PLEDGE_DNS },
{ "dpath", PLEDGE_DPATH },
{ "drm", PLEDGE_DRM },
+ { "error", PLEDGE_ERROR },
{ "exec", PLEDGE_EXEC },
{ "fattr", PLEDGE_FATTR | PLEDGE_CHOWN },
{ "flock", PLEDGE_FLOCK },
@@ -394,66 +397,91 @@ static const struct {
};
int
+parsepledges(struct proc *p, const char *kname, const char *promises,
u_int64_t *fp)
+{
+ size_t rbuflen;
+ char *rbuf, *rp, *pn;
+ u_int64_t flags = 0, f;
+ int error;
+
+ rbuf = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
+ error = copyinstr(promises, rbuf, MAXPATHLEN,
+ &rbuflen);
+ if (error) {
+ free(rbuf, M_TEMP, MAXPATHLEN);
+ return (error);
+ }
+#ifdef KTRACE
+ if (KTRPOINT(p, KTR_STRUCT))
+ ktrstruct(p, kname, rbuf, rbuflen-1);
+#endif
+
+ for (rp = rbuf; rp && *rp && error == 0; rp = pn) {
+ pn = strchr(rp, ' '); /* find terminator */
+ if (pn) {
+ while (*pn == ' ')
+ *pn++ = '\0';
+ }
+ if ((f = pledgereq_flags(rp)) == 0) {
+ free(rbuf, M_TEMP, MAXPATHLEN);
+ return (EINVAL);
+ }
+ flags |= f;
+ }
+ free(rbuf, M_TEMP, MAXPATHLEN);
+ *fp = flags;
+ return 0;
+}
+
+int
sys_pledge(struct proc *p, void *v, register_t *retval)
{
struct sys_pledge_args /* {
- syscallarg(const char *)request;
- syscallarg(const char **)paths;
+ syscallarg(const char *)promises;
+ syscallarg(const char *)execpromises;
} */ *uap = v;
struct process *pr = p->p_p;
- uint64_t flags = 0;
+ uint64_t promises, execpromises;
int error;
- if (SCARG(uap, request)) {
- size_t rbuflen;
- char *rbuf, *rp, *pn;
- uint64_t f;
-
- rbuf = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
- error = copyinstr(SCARG(uap, request), rbuf, MAXPATHLEN,
- &rbuflen);
- if (error) {
- free(rbuf, M_TEMP, MAXPATHLEN);
+ if (SCARG(uap, promises)) {
+ error = parsepledges(p, "pledgereq",
+ SCARG(uap, promises), &promises);
+ if (error)
return (error);
- }
-#ifdef KTRACE
- if (KTRPOINT(p, KTR_STRUCT))
- ktrstruct(p, "pledgereq", rbuf, rbuflen-1);
-#endif
- for (rp = rbuf; rp && *rp && error == 0; rp = pn) {
- pn = strchr(rp, ' '); /* find terminator */
- if (pn) {
- while (*pn == ' ')
- *pn++ = '\0';
- }
-
- if ((f = pledgereq_flags(rp)) == 0) {
- free(rbuf, M_TEMP, MAXPATHLEN);
- return (EINVAL);
- }
- flags |= f;
+ /* In "error" mode, ignore promise increase requests */
+ if (ISSET(pr->ps_flags, PS_PLEDGE) &&
+ (pr->ps_pledge & PLEDGE_ERROR)) {
+ promises &= (pr->ps_pledge & PLEDGE_USERSET);
+ promises |= PLEDGE_ERROR;
}
- free(rbuf, M_TEMP, MAXPATHLEN);
- /*
- * if we are already pledged, allow only promises reductions.
- * flags doesn't contain flags outside _USERSET: they will be
- * relearned.
- */
+ /* Only permit reductions */
if (ISSET(pr->ps_flags, PS_PLEDGE) &&
- (((flags | pr->ps_pledge) != pr->ps_pledge)))
+ (((promises | pr->ps_pledge) != pr->ps_pledge)))
return (EPERM);
}
+ if (SCARG(uap, execpromises)) {
+ error = parsepledges(p, "pledgeexecreq",
+ SCARG(uap, execpromises), &execpromises);
+ if (error)
+ return (error);
- if (SCARG(uap, paths))
- return (EINVAL);
+ /* Only permit reductions */
+ if (ISSET(pr->ps_flags, PS_EXECPLEDGE) &&
+ (((execpromises | pr->ps_execpledge) != pr->ps_execpledge)))
+ return (EPERM);
+ }
- if (SCARG(uap, request)) {
- pr->ps_pledge = flags;
+ if (SCARG(uap, promises)) {
+ pr->ps_pledge = promises;
pr->ps_flags |= PS_PLEDGE;
}
-
+ if (SCARG(uap, execpromises)) {
+ pr->ps_execpledge = execpromises;
+ pr->ps_flags |= PS_EXECPLEDGE;
+ }
return (0);
}
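Review bot: the error-mode block inside `if (SCARG(uap, promises))` changes two things that the pledge.2 hunk does not mention: a request naming promises the process no longer holds is clipped to the current set and reported as success instead of EPERM, and `promises |= PLEDGE_ERROR` means a process can never leave error mode by omitting "error" from a later call. Both look deliberate (the comment says increases are ignored), but they should be stated under the "error" entry in pledge.2, and a caller that relies on pledge() returning EPERM as a sanity check of its own promise strings will now miss mistakes once in error mode. Minor: `promises` and `execpromises` are assigned only inside the guarded blocks; initialising them to 0 keeps uninitialised-use warnings away.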
@@ -489,13 +517,16 @@ pledge_fail(struct proc *p, int error, u
codes = pledgenames[i].name;
break;
}
- log(LOG_ERR, "%s[%d]: pledge \"%s\", syscall %d\n",
- p->p_p->ps_comm, p->p_p->ps_pid, codes, p->p_pledge_syscall);
- p->p_p->ps_acflag |= APLEDGE;
#ifdef KTRACE
if (KTRPOINT(p, KTR_PLEDGE))
ktrpledge(p, error, code, p->p_pledge_syscall);
#endif
+ if (p->p_p->ps_pledge & PLEDGE_ERROR)
+ return (ENOSYS);
+
+ log(LOG_ERR, "%s[%d]: pledge \"%s\", syscall %d\n",
+ p->p_p->ps_comm, p->p_p->ps_pid, codes, p->p_pledge_syscall);
+ p->p_p->ps_acflag |= APLEDGE;
/* Send uncatchable SIGABRT for coredump */
memset(&sa, 0, sizeof sa);
sa.sa_handler = SIG_DFL;
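Review bot: in the PLEDGE_ERROR branch the early `return (ENOSYS)` skips both the `log(LOG_ERR, ...)` line and `p->p_p->ps_acflag |= APLEDGE`, so an error-mode violation leaves no trace except under ktrace. Given the cover mail's own warning that a program carrying on past such a failure is in uncharted territory, keeping at least the APLEDGE accounting mark before the return (and arguably the log line, rate-limited if it would be noisy) would let operators notice that it happened.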
@@ -1393,6 +1424,9 @@ int
pledge_protexec(struct proc *p, int prot)
{
if ((p->p_p->ps_flags & PS_PLEDGE) == 0)
+ return 0;
+ /* Before kbind(2) call, ld.so and crt may create EXEC mappings */
+ if (p->p_p->ps_kbind_addr == 0 && p->p_p->ps_kbind_cookie == 0)
return 0;
if (!(p->p_p->ps_pledge & PLEDGE_PROTEXEC) && (prot & PROT_EXEC))
return pledge_fail(p, EPERM, PLEDGE_PROTEXEC);
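Review bot: the new early return is keyed only on ps_kbind_addr and ps_kbind_cookie both being zero, not on PS_EXECPLEDGE, so every pledged process that has not yet called kbind(2) gets unrestricted PROT_EXEC mappings, and a process that never calls it keeps that exemption for its whole lifetime regardless of the "prot_exec" promise. If the exemption is only needed for images started under execpromises (where pledge is active before ld.so and crt run), gate it on PS_EXECPLEDGE as well, and note the pre-kbind window under "prot_exec" in pledge.2.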
Index: sys/kern/syscalls.c
===================================================================
RCS file: /cvs/src/sys/kern/syscalls.c,v
retrieving revision 1.189
diff -u -p -u -r1.189 syscalls.c
--- sys/kern/syscalls.c 28 Nov 2017 06:05:16 -0000 1.189
+++ sys/kern/syscalls.c 8 Dec 2017 18:38:10 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: syscalls.c,v 1.189 2017/11/28 06:05:16 guenther Exp $ */
+/* $OpenBSD$ */
/*
* System call names.
Index: sys/kern/syscalls.master
===================================================================
RCS file: /cvs/src/sys/kern/syscalls.master,v
retrieving revision 1.179
diff -u -p -u -r1.179 syscalls.master
--- sys/kern/syscalls.master 28 Nov 2017 06:03:41 -0000 1.179
+++ sys/kern/syscalls.master 8 Dec 2017 18:38:08 -0000
@@ -227,7 +227,8 @@
106 STD { int sys_listen(int s, int backlog); }
107 STD { int sys_chflagsat(int fd, const char *path, \
u_int flags, int atflags); }
-108 STD { int sys_pledge(const char *request, const char
**paths); }
+108 STD { int sys_pledge(const char *promises, \
+ const char *execpromises); }
109 STD { int sys_ppoll(struct pollfd *fds, \
u_int nfds, const struct timespec *ts, \
const sigset_t *mask); }
Index: usr.bin/kdump/ktrstruct.c
===================================================================
RCS file: /cvs/src/usr.bin/kdump/ktrstruct.c,v
retrieving revision 1.23
diff -u -p -u -r1.23 ktrstruct.c
--- usr.bin/kdump/ktrstruct.c 8 Oct 2016 02:16:43 -0000 1.23
+++ usr.bin/kdump/ktrstruct.c 7 Oct 2017 17:52:30 -0000
@@ -647,12 +647,12 @@ ktrstruct(char *buf, size_t buflen)
ktrcmsghdr(cmsg, datalen);
free(cmsg);
} else if (strcmp(name, "pledgereq") == 0) {
- printf("pledge request=");
- showbufc(basecol + sizeof("pledge request=") - 1,
+ printf("promise=");
+ showbufc(basecol + sizeof("promise=") - 1,
(unsigned char *)data, datalen, VIS_DQ | VIS_TAB | VIS_NL);
- } else if (strcmp(name, "pledgepath") == 0) {
- printf("pledge path=");
- showbufc(basecol + sizeof("pledge path=") - 1,
+ } else if (strcmp(name, "pledgeexecreq") == 0) {
+ printf("execpromise=");
+ showbufc(basecol + sizeof("execpromise=") - 1,
(unsigned char *)data, datalen, VIS_DQ | VIS_TAB | VIS_NL);
} else {
printf("unknown structure %s\n", name);
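As an added illustration, not part of this diff or of the OpenBSD tree, the C program below models in userland the rules the cover mail and the kern_pledge.c / kern_exec.c hunks describe: promise strings parsed into bitmasks, a pledged process allowed only to drop promises, "error" turning a violation into ENOSYS instead of a kill (and being clipped and sticky, as in the sys_pledge() hunk), and execpromises becoming the promises of the image started by execve unless that image is setuid/setgid. The keyword subset, the bit values, and every `model_*`, `MODEL_*` and `P_*` name are invented for the model; it never calls the real pledge(2) and compiles anywhere.

```c
/* Userland model of the pledge()/execpromises rules in the diff above: an
 * added illustration, not kernel code; the keyword subset, bit values and
 * every model_*, MODEL_* and P_* name are invented for this example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* P_ERROR is the "error" promise: ENOSYS instead of kill. */
enum { P_STDIO = 1, P_RPATH = 2, P_INET = 4, P_EXEC = 8, P_ERROR = 16 };
#define MODEL_KILLED (-1)	/* stands in for pledge_fail()'s SIGABRT */
static const struct { const char *name; uint64_t bit; } keywords[] = {
	{ "error", P_ERROR }, { "exec", P_EXEC }, { "inet", P_INET },
	{ "rpath", P_RPATH }, { "stdio", P_STDIO }, { NULL, 0 },
};

struct model_proc {
	uint64_t pledge, execpledge;	/* ps_pledge, ps_execpledge */
	int pledged, execpledged;	/* PS_PLEDGE, PS_EXECPLEDGE */
};

/* "stdio rpath" -> bitmask, as parsepledges(): runs of spaces separate
 * words; an unknown or empty word (e.g. a leading space) is EINVAL. */
int model_parse(const char *s, uint64_t *out)
{
	uint64_t flags = 0, f;
	size_t n;
	for (; *s != '\0'; s += n, s += strspn(s, " ")) {
		n = strcspn(s, " ");
		f = 0;
		for (int i = 0; keywords[i].name != NULL; i++)
			if (n == strlen(keywords[i].name) &&
			    strncmp(s, keywords[i].name, n) == 0)
				f = keywords[i].bit;
		if (f == 0)
			return EINVAL;
		flags |= f;
	}
	*out = flags;
	return 0;
}

/* A syscall needing `need`: 0 if allowed, ENOSYS in error mode, else killed. */
int model_syscall(const struct model_proc *pr, uint64_t need)
{
	if (!pr->pledged || (pr->pledge & need) == need)
		return 0;
	return (pr->pledge & P_ERROR) ? ENOSYS : MODEL_KILLED;
}

/* sys_pledge(): both strings are parsed and checked before either applies. */
int model_pledge(struct model_proc *pr, const char *promises,
    const char *execpromises)
{
	uint64_t p = 0, e = 0;
	int error;
	if (promises != NULL) {
		if ((error = model_parse(promises, &p)) != 0)
			return error;
		/* error mode: clip attempts to regain promises, keep "error" */
		if (pr->pledged && (pr->pledge & P_ERROR))
			p = (p & pr->pledge) | P_ERROR;
		if (pr->pledged && (p | pr->pledge) != pr->pledge)
			return EPERM;	/* only reductions are permitted */
	}
	if (execpromises != NULL) {
		if ((error = model_parse(execpromises, &e)) != 0)
			return error;
		if (pr->execpledged && (e | pr->execpledge) != pr->execpledge)
			return EPERM;
	}
	if (promises != NULL)
		pr->pledge = p, pr->pledged = 1;
	if (execpromises != NULL)
		pr->execpledge = e, pr->execpledged = 1;
	return 0;
}

/* check_exec()/sys_execve(): exec needs "exec"; a setuid/setgid image may not
 * start under execpromises; the new image gets the execpromises or none. */
int model_execve(struct model_proc *pr, int image_is_setuid)
{
	int r = model_syscall(pr, P_EXEC);
	if (r != 0)
		return r;
	if (image_is_setuid && pr->execpledged)
		return EACCES;
	pr->pledge = pr->execpledged ? pr->execpledge : 0;
	pr->pledged = pr->execpledged;	/* PS_EXECPLEDGE itself stays set */
	return 0;
}

int main(void)
{
	struct model_proc pr = { 0, 0, 0, 0 };
	model_pledge(&pr, "stdio exec", "stdio rpath");
	printf("setuid image -> %d (EACCES=%d)\n", model_execve(&pr, 1), EACCES);
	model_execve(&pr, 0);
	printf("after exec, inet -> %d\n", model_syscall(&pr, P_INET));
	return 0;
}
```

The model keeps the ordering of the kernel hunk: both strings are validated and the reduction-only checks run before either field is written, so a rejected call leaves the process state untouched, and it reproduces the two error-mode details worth knowing (a request to regain promises is silently clipped rather than refused, and the "error" bit cannot be dropped again).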