This approach seems backwards.
It hides sensors only from programs that are pledged (i.e. the ones that already
made an effort at security get this fig leaf of privacy),
but programs we cannot pledge keep exporting everything.
Yes chrome is pledged so permanently has no access to the information.
I am not loving this.
> We recently had a thread about adding more sensors, but then the browser will
> use them to spy on us, and everybody was sad. We allow hw.sensors even for
> pledge processes because ntpd needs to read the time. However, ntpd only needs
> to read the time.
>
> This diff zeroes out every sensor other than timedeltas for pledged
> processes. Other sensor types can be allowed as needed, but that seemed a good
> place to start. I didn't want to change the code too much (i.e. hide the
> existence of sensors entirely), so it just reports them all as zero-valued
> plain integer sensors.
>
> Thoughts?
>
> Index: kern_sysctl.c
> ===================================================================
> RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
> retrieving revision 1.353
> diff -u -p -r1.353 kern_sysctl.c
> --- kern_sysctl.c 19 Jan 2019 01:53:44 -0000 1.353
> +++ kern_sysctl.c 22 Jan 2019 02:01:30 -0000
> @@ -137,7 +137,7 @@ int sysctl_proc_nobroadcastkill(int *, u
> struct proc *);
> int sysctl_proc_vmmap(int *, u_int, void *, size_t *, struct proc *);
> int sysctl_intrcnt(int *, u_int, void *, size_t *);
> -int sysctl_sensors(int *, u_int, void *, size_t *, void *, size_t);
> +int sysctl_sensors(int *, u_int, void *, size_t *, void *, size_t, struct
> proc *);
> int sysctl_cptime2(int *, u_int, void *, size_t *, void *, size_t);
> #if NAUDIO > 0
> int sysctl_audio(int *, u_int, void *, size_t *, void *, size_t);
> @@ -735,7 +735,7 @@ hw_sysctl(int *name, u_int namelen, void
> #ifndef SMALL_KERNEL
> case HW_SENSORS:
> return (sysctl_sensors(name + 1, namelen - 1, oldp, oldlenp,
> - newp, newlen));
> + newp, newlen, p));
> case HW_SETPERF:
> return (sysctl_hwsetperf(oldp, oldlenp, newp, newlen));
> case HW_PERFPOLICY:
> @@ -2302,7 +2302,7 @@ sysctl_intrcnt(int *name, u_int namelen,
>
> int
> sysctl_sensors(int *name, u_int namelen, void *oldp, size_t *oldlenp,
> - void *newp, size_t newlen)
> + void *newp, size_t newlen, struct proc *p)
> {
> struct ksensor *ks;
> struct sensor *us;
> @@ -2350,6 +2350,22 @@ sysctl_sensors(int *name, u_int namelen,
> us->status = ks->status;
> us->numt = ks->numt;
> us->flags = ks->flags;
> +
> + /* not all sensors exposed to pledged processes */
> + if (p->p_p->ps_flags & PS_PLEDGE) {
> + switch (us->type) {
> + case SENSOR_TIMEDELTA:
> + break;
> + default:
> + memset(us->desc, 0, sizeof(us->desc));
> + memset(&us->tv, 0, sizeof(us->tv));
> + us->value = 0;
> + us->type = SENSOR_INTEGER;
> + us->status = SENSOR_S_UNKNOWN;
> + us->flags = SENSOR_FUNKNOWN;
> + break;
> + }
> + }
>
> ret = sysctl_rdstruct(oldp, oldlenp, newp, us,
> sizeof(struct sensor));
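Review bot: The gate at `if (p->p_p->ps_flags & PS_PLEDGE)` is all-or-nothing: every pledged process, whatever promises it holds, is cut down to timedelta sensors, so a pledged sensor reader is treated the same as a browser. If the promise bits are kept on the process alongside ps_flags (presumably), gating on a specific promise, or a new one, would let the policy follow what the program asked for rather than whether it pledged at all. The filtered copy also leaves `us->numt` intact, and the sensordev-level query (device name and per-type counts), if sysctl_sensors serves it above this hunk, is untouched, so a pledged caller can still enumerate which sensor types exist and how many; the comment should state that this is intentional, e.g. `/* pledged processes only see timedelta sensors; all others are reported as present but as zero-valued SENSOR_INTEGERs, so their existence (not their readings) remains visible */`. sysctl_sensors starts in an earlier hunk and its body continues outside this one.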
>