Hi,

Can we track unveil(2) violators in process accounting lastcomm(1)?
This makes it easier to find them.

$ lastcomm | grep -e '-[A-Z]*U'
pflogd     -FU     root    __         0.00 secs Thu Jul 18 14:19 (2:33:22.00)

Seems that pflogd(8) has to be investigated.

It also keeps a record of programs that may have been exploited and then
attempted something they were not allowed to do.  We already have the
same mechanism for pledge(2) violations.

Not sure if we want it for both the EACCES and the ENOENT case.  If the
ENOENT case creates too many false positives, we can change it later to
EACCES only.

ok?

bluhm

Index: kern/kern_unveil.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/kern/kern_unveil.c,v
retrieving revision 1.27
diff -u -p -r1.27 kern_unveil.c
--- kern/kern_unveil.c  14 Jul 2019 03:26:02 -0000      1.27
+++ kern/kern_unveil.c  18 Jul 2019 12:01:24 -0000
@@ -18,6 +18,7 @@

 #include <sys/param.h>

+#include <sys/acct.h>
 #include <sys/mount.h>
 #include <sys/filedesc.h>
 #include <sys/proc.h>
@@ -823,6 +824,7 @@ unveil_check_final(struct proc *p, struc
                            " vnode %p\n",
                            p->p_p->ps_comm, p->p_p->ps_pid, ni->ni_vp);
 #endif
+                       p->p_p->ps_acflag |= AUNVEIL;
                        if (uv->uv_flags & UNVEIL_USERSET)
                                return EACCES;
                        else
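Review bot: The `p->p_p->ps_acflag |= AUNVEIL;` added after the `#endif` sits ahead of the `if (uv->uv_flags & UNVEIL_USERSET)` test, so it marks the accounting record on both the EACCES arm and the else arm (the else body and the rest of unveil_check_final lie outside this hunk). That matches the "both EACCES and ENOENT" stance in the mail, but it is the one site where the flag is set before the branch rather than next to the return, so narrowing the policy to EACCES-only later means moving it into the USERSET arm: `if (uv->uv_flags & UNVEIL_USERSET) { p->p_p->ps_acflag |= AUNVEIL; return EACCES; }`. Until that decision is made, a one-line comment such as `/* Account the violation for both the EACCES and the ENOENT outcome. */` above the assignment would stop the next reader from treating the placement as an oversight.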
@@ -865,10 +867,11 @@ unveil_check_final(struct proc *p, struc
                         * EACCESS. Otherwise, use any covering match
                         * that we found above this dir.
                         */
-                       if (uv->uv_flags & UNVEIL_USERSET)
+                       if (uv->uv_flags & UNVEIL_USERSET) {
+                               p->p_p->ps_acflag |= AUNVEIL;
                                return EACCES;
-                       else
-                               goto done;
+                       }
+                       goto done;
                }
                /* directory flags match, update match */
                if (uv->uv_flags & UNVEIL_USERSET)
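Review bot: The pattern "set AUNVEIL, then return an error" is now repeated at five places in unveil_check_final (this hunk plus the ones before and after it), and the non-USERSET branch here relies on `done:` setting the flag later, so the policy of which failures are accounted is spread across the function. A small static helper that sets the bit and returns the error would put that policy in one place and make every failing return read the same way; the `goto done` path stays as it is since `done:` has its own return. The enclosing function starts and ends outside this hunk.
```c
/*
 * Record an unveil violation in the process accounting flags and hand
 * back the error the caller wants to return.  Both EACCES and ENOENT
 * outcomes are accounted for now; narrow this if it proves too noisy.
 */
static inline int
unveil_fail(struct proc *p, int error)
{
	p->p_p->ps_acflag |= AUNVEIL;
	return error;
}

/* … unchanged: unveil_check_final up to the USERSET test … */
			if (uv->uv_flags & UNVEIL_USERSET)
				return unveil_fail(p, EACCES);
			goto done;
```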
@@ -881,6 +884,7 @@ unveil_check_final(struct proc *p, struc
                printf("unveil: %s(%d) flag mismatch for terminal '%s'\n",
                    p->p_p->ps_comm, p->p_p->ps_pid, tname->un_name);
 #endif
+               p->p_p->ps_acflag |= AUNVEIL;
                return EACCES;
        }
        /* name and flags match in this dir. update match*/
@@ -903,8 +907,10 @@ done:
                    p->p_p->ps_comm, p->p_p->ps_pid, ni->ni_cnd.cn_nameptr,
                    ni->ni_unveil_match->uv_vp);
 #endif
+               p->p_p->ps_acflag |= AUNVEIL;
                return EACCES;
        }
+       p->p_p->ps_acflag |= AUNVEIL;
        return ENOENT;
 }
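Review bot: The `p->p_p->ps_acflag |= AUNVEIL;` placed before the trailing `return ENOENT;` flags every lookup that reaches `done:` without a covering match, which is the case the mail itself is unsure about; since ps_acflag is sticky for the life of the process, one such lookup is enough to put the U bit on the whole accounting record, so a daemon that merely probes for an optional file it never unveiled (inferred, not visible here) would show up next to real EACCES violators. If ENOENT is meant to be counted for now, say so at the assignment, e.g. `/* Also account ENOENT: the name is hidden by unveil, not merely absent. */`, so the false-positive review promised in the mail has something to anchor on. The `if` whose body holds the printf starts outside this hunk.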

Index: sys/acct.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/sys/acct.h,v
retrieving revision 1.7
diff -u -p -r1.7 acct.h
--- sys/acct.h  8 Jun 2017 17:14:02 -0000       1.7
+++ sys/acct.h  18 Jul 2019 11:37:27 -0000
@@ -63,6 +63,7 @@ struct acct {
 #define        AXSIG   0x10            /* killed by a signal */
 #define        APLEDGE 0x20            /* killed due to pledge violation */
 #define        ATRAP   0x40            /* memory access violation */
+#define        AUNVEIL 0x80            /* unveil access violation */
        u_int8_t  ac_flag;      /* accounting flags */
 };
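Review bot: `AUNVEIL 0x80` takes the last free bit of the `u_int8_t ac_flag` field, so the next accounting flag cannot be added without widening the field and therefore changing the on-disk acct(5) record; a comment such as `/* 0x80 is the last bit that fits in ac_flag */` next to the define would make that limit explicit for the next person. The mail's sample output already shows lastcomm(1) printing a `U`, but the usr.bin/lastcomm change that decodes this bit, and the matching acct(5)/sa(8) updates, are not part of this diff; they should land together with the kernel side so the bit is not written to acct files that no tool can explain.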
