We recently had a thread about adding more sensors, but then the browser will
use them to spy on us, and everybody was sad. We allow hw.sensors even for
pledge processes because ntpd needs to read the time. However, ntpd only needs
to read the time.
This diff zeroes out sensors other than timedeltas. Maybe some others can be
added as needed, but that seemed like a good place to start. I didn't want to
change the code too much (i.e. hide the existence of sensors entirely), so it
just changes them all to zero-valued plain integer sensors.
Thoughts?
Index: kern_sysctl.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.353
diff -u -p -r1.353 kern_sysctl.c
--- kern_sysctl.c 19 Jan 2019 01:53:44 -0000 1.353
+++ kern_sysctl.c 22 Jan 2019 02:01:30 -0000
@@ -137,7 +137,7 @@ int sysctl_proc_nobroadcastkill(int *, u
struct proc *);
int sysctl_proc_vmmap(int *, u_int, void *, size_t *, struct proc *);
int sysctl_intrcnt(int *, u_int, void *, size_t *);
-int sysctl_sensors(int *, u_int, void *, size_t *, void *, size_t);
+int sysctl_sensors(int *, u_int, void *, size_t *, void *, size_t, struct proc
*);
int sysctl_cptime2(int *, u_int, void *, size_t *, void *, size_t);
#if NAUDIO > 0
int sysctl_audio(int *, u_int, void *, size_t *, void *, size_t);
@@ -735,7 +735,7 @@ hw_sysctl(int *name, u_int namelen, void
#ifndef SMALL_KERNEL
case HW_SENSORS:
return (sysctl_sensors(name + 1, namelen - 1, oldp, oldlenp,
- newp, newlen));
+ newp, newlen, p));
case HW_SETPERF:
return (sysctl_hwsetperf(oldp, oldlenp, newp, newlen));
case HW_PERFPOLICY:
@@ -2302,7 +2302,7 @@ sysctl_intrcnt(int *name, u_int namelen,
int
sysctl_sensors(int *name, u_int namelen, void *oldp, size_t *oldlenp,
- void *newp, size_t newlen)
+ void *newp, size_t newlen, struct proc *p)
{
struct ksensor *ks;
struct sensor *us;
@@ -2350,6 +2350,22 @@ sysctl_sensors(int *name, u_int namelen,
us->status = ks->status;
us->numt = ks->numt;
us->flags = ks->flags;
+
+ /* not all sensors exposed to pledged processes */
+ if (p->p_p->ps_flags & PS_PLEDGE) {
+ switch (us->type) {
+ case SENSOR_TIMEDELTA:
+ break;
+ default:
+ memset(us->desc, 0, sizeof(us->desc));
+ memset(&us->tv, 0, sizeof(us->tv));
+ us->value = 0;
+ us->type = SENSOR_INTEGER;
+ us->status = SENSOR_S_UNKNOWN;
+ us->flags = SENSOR_FUNKNOWN;
+ break;
+ }
+ }
ret = sysctl_rdstruct(oldp, oldlenp, newp, us,
sizeof(struct sensor));
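Review bot: The `default:` arm of the new switch clears `desc`, `tv`, `value`, `type`, `status` and `flags`, but leaves `us->numt` as copied from `ks` and still falls through to `sysctl_rdstruct()`. A pledged caller can therefore still tell which sensor indices exist, and the returned `SENSOR_INTEGER` type no longer matches the type it asked for. That matches the stated intent of not hiding sensors entirely, but the one-line comment does not say so, nor why `SENSOR_TIMEDELTA` is exempt. I would expand it to something like `/* pledged processes only get timedelta sensors (ntpd needs them); all others are returned zeroed as SENSOR_INTEGER, existence and numt remain visible */`. If the remaining enumeration matters for fingerprinting, returning an error for the filtered types may be the cleaner contract; the rest of `sysctl_sensors()`, including any sensordev path, is outside this hunk, so that part is unverified here.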