Hey,

I was working on an application that uses pledge, and without diving
into the source, I found it difficult to figure out what sysctls are
permitted at different pledge levels.

This documents the set of different sysctl ops that are allowed at
different pledge levels, and adds some additional documentation around
ioctls as well.

Thanks!

Index: lib/libc/sys/pledge.2
===================================================================
RCS file: /cvs/src/lib/libc/sys/pledge.2,v
retrieving revision 1.48
diff -u -b -w -p -r1.48 pledge.2
--- lib/libc/sys/pledge.2       12 Dec 2017 11:11:18 -0000      1.48
+++ lib/libc/sys/pledge.2       4 Jan 2018 08:51:41 -0000
@@ -141,6 +141,25 @@ support:
 .Xr getifaddrs 3 ,
 .Xr uname 3 ,
 system sensor readings.
+Specifically:
+.Va hw.sensors.* ,
+.Va kern.domainname ,
+.Va kern.hostname ,
+.Va net.route.0.0.rt_ifnames ,
+.Va kern.ostype ,
+.Va kern.osrelease ,
+.Va kern.osversion ,
+.Va kern.clockrate ,
+.Va kern.argmax ,
+.Va kern.ngroups ,
+.Va kern.sysvshm ,
+.Va kern.posix1version ,
+.Va hw.machine ,
+.Va hw.pagesize ,
+.Va vm.psstrings ,
+.Va hw.ncpu ,
+and
+.Va vm.loadavg .
 .Pp
 .It Fn pledge
 Can only reduce permissions for
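Review bot: the added `+Specifically:` hangs off a sentence that lists library calls (getifaddrs(3), uname(3), sensor readings), so nothing tells the reader that the `.Va` names which follow are sysctl(2) MIB names; spell it out with the wording the later hunks use, e.g. `.Pp` / `Specifically, the following` / `.Xr sysctl 2` / `operations are allowed:`. Also `.Va net.route.0.0.rt_ifnames` is wedged between `kern.hostname` and `kern.ostype`; grouping the `kern.*`, `hw.*`, `vm.*` and `net.*` names together makes the list scannable by prefix.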
@@ -322,6 +341,14 @@ domains:
 .Xr setsockopt 2 ,
 .Xr getsockopt 2 .
 .Pp
+The following
+.Xr sysctl 2
+operations are allowed:
+.Pp
+.Va net.route.0.0.rt_iflist ,
+.Va net.route.0.inet.rt_iflist ,
+.Va net.route.0.inet6.rt_iflist
+.Pp
 .Xr setsockopt 2
 has been reduced in functionality substantially.
 .It Va mcast
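Review bot: the last item `.Va net.route.0.inet6.rt_iflist` has no terminating punctuation, whereas the lists added later in this patch close with a period; end it with ` .` so the three-item list reads as a complete sentence before the `.Pp` and the existing `.Xr setsockopt 2` paragraph.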
@@ -390,6 +417,15 @@ a few system calls become able to allow
 .Xr recvfrom 2 ,
 .Xr socket 2 ,
 .Xr connect 2 .
+.Pp
+The following
+.Xr sysctl 2
+operations are allowed:
+.Pp
+.Va net.route.0.0.rt_iflist ,
+.Va net.route.0.inet.rt_iflist ,
+.Va net.route.0.inet6.rt_iflist
+.Pp
 .It Va getpw
 This allows read-only opening of files in
 .Pa /etc
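Review bot: this is the identical three-entry list already added under `inet` above, and the final item again lacks a terminating period. If both domains permit exactly these names, one shared phrasing (for example "As with inet, the following sysctl(2) operations are allowed:") makes it clear the match is deliberate and keeps the two lists from drifting apart when one is updated.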
@@ -491,19 +527,39 @@ and
 .Xr adjfreq 2
 system calls.
 .It Va ps
-Allows enough
+Allows the following
 .Xr sysctl 3
 interfaces to allow inspection of processes operating on the system using
 programs like
-.Xr ps 1 .
+.Xr ps 1 :
+.Pp
+.Va kern.fscale ,
+.Va kern.boottime ,
+.Va kern.consdev ,
+.Va kern.cptime ,
+.Va kern.cptime2 ,
+.Va kern.procargs.* ,
+.Va kern.proc.* ,
+.Va kern.proc_cwd.* ,
+.Va kern.physmem ,
+.Va kern.ccpu ,
+.Va vm.maxslp
 .It Va vminfo
-Allows enough
+Allows the following
 .Xr sysctl 3
 interfaces to allow inspection of the system's virtual memory by
 programs like
 .Xr top 1
 and
-.Xr vmstat 8 .
+.Xr vmstat 8 :
+.Pp
+.Va vm.uvmexp ,
+.Va vfs.generic.bcachestat ,
+.Va kern.fscale ,
+.Va kern.boottime ,
+.Va kern.consdev ,
+.Va kern.cptime ,
+.Va kern.cptime2
 .It Va id
 Allows the following system calls which can change the rights of a
 process:
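Review bot: the `ps` and `vminfo` lists end at `.Va vm.maxslp` and `.Va kern.cptime2` with no period before the following `.It`, while the lists added later in the patch close with one; pick a single style. The retained text here cross-references `.Xr sysctl 3`, but every new paragraph in the patch says `.Xr sysctl 2`; since the entries are MIB names passed to the system call, sysctl(2) is probably the right reference in both places. Note also that `kern.fscale`, `kern.boottime`, `kern.consdev`, `kern.cptime` and `kern.cptime2` appear under both promises, which is fine if accurate but worth a sentence saying the overlap is intentional rather than a copy-and-paste slip.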
@@ -562,6 +618,85 @@ Allow
 operation for statistics collection from a
 .Xr bpf 4
 device.
+.It Va disklabel
+Allows a subset of
+.Xr ioctl 2
+operations on
+.Xr diskmap 4
+devices:
+.Pp
+.Dv DIOCGDINFO ,
+.Dv DIOCGPDINFO ,
+.Dv DIOCRLDINFO ,
+.Dv DIOCWDINFO ,
+.Dv BIOCDISK ,
+.Dv BIOCINQ ,
+.Dv BIOCINSTALLBOOT ,
+.Dv BIOCVOL ,
+.Dv DIOCMAP .
+.Pp
+Also enables the use of the following
+.Xr sysctl 2
+operations:
+.Pp
+.Va kern.rawpartition ,
+.Va kern.maxpartitions ,
+.Va machdep.chr2blk .
+.It Va route
+Allows a subset of read-only
+.Xr ioctl 2
+operations on network interfaces:
+.Pp
+.Dv SIOCGIFADDR ,
+.Dv SIOCGIFAFLAG_IN6 ,
+.Dv SIOCGIFALIFETIME_IN6 ,
+.Dv SIOCGIFDESCR ,
+.Dv SIOCGIFFLAGS ,
+.Dv SIOCGIFMETRIC ,
+.Dv SIOCGIFGMEMB ,
+.Dv SIOCGIFRDOMAIN ,
+.Dv SIOCGIFDSTADDR_IN6 ,
+.Dv SIOCGIFNETMASK_IN6 ,
+.Dv SIOCGIFXFLAGS ,
+.Dv SIOCGNBRINFO_IN6 ,
+.Dv SIOCGIFINFO_IN6 ,
+.Dv SIOCGIFMEDIA .
+.Pp
+Also allows the following
+.Xr sysctl 2
+operations:
+.Pp
+.Va net.route.0.*.dump ,
+.Va net.route.0.0.rt_table ,
+.Va net.route.0.inet.rt_table ,
+.Va net.route.0.inet6.rt_table ,
+.Va net.route.0.0.flags.llinfo ,
+.Va net.route.0.inet.flags.llinfo ,
+.Va net.route.0.inet6.flags.llinfo ,
+.Va net.route.0.0.rt_iflist ,
+.Va net.route.0.inet.rt_iflist ,
+.Va net.route.0.inet6.rt_iflist .
+.It Va vmm
+Allows the following
+.Xr ioctl 2
+operations on the
+.Xr vmm 4
+device:
+.Pp
+.Dv VMM_IOC_TERM ,
+.Dv VMM_IOC_RUN ,
+.Dv VMM_IOC_RESETCPU ,
+.Dv VMM_IOC_INTR ,
+.Dv VMM_IOC_READREGS ,
+.Dv VMM_IOC_WRITEREGS .
+.Pp
+In combination with
+.Va proc ,
+it additionally allows:
+.Pp
+.Dv VMM_IOC_CREATE
+and
+.Dv VMM_IOC_INFO .
 .It Va error
 Rather than killing the process upon violation, indicate error with
 .Er ENOSYS .
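Review bot: the `disklabel` entry says the ioctls are allowed "on diskmap(4) devices", yet the list mixes `DIOCGDINFO` through `DIOCWDINFO`, the `BIOC*` names and `DIOCMAP`; if these groups belong to different device types rather than all to diskmap(4), say which device each group applies to, otherwise a reader will look for `BIOCINQ` in the wrong manual page. In the `vmm` entry, "In combination with `.Va proc`, it additionally allows" should state explicitly that both promises must be pledged together for `VMM_IOC_CREATE` and `VMM_IOC_INFO` to be permitted, since the rest of the page describes each promise in isolation.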
