Re: unveil in process accounting and lastcomm

Thu, 25 Jul 2019 04:26:11 -0700 

On Thu, Jul 25, 2019 at 12:00:48PM +0200, Alexander Bluhm wrote:
> Do we want unveil violators in the daily mail?  We can turn it off
> if we get too many false positives.

Janne Johansson recommend to mention lastcomm(1) in unveil(2) man
page.  Diff for daily, lastcomm(1), unveil(2).  Kernel has been
commited already.

bluhm

Index: etc/daily
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/etc/daily,v
retrieving revision 1.91
diff -u -p -r1.91 daily
--- etc/daily   6 Feb 2018 19:57:37 -0000       1.91
+++ etc/daily   25 Jul 2019 09:56:20 -0000
@@ -74,7 +74,7 @@ if [ -f /var/account/acct ]; then
                mv -f /var/account/acct.0 /var/account/acct.1
        cp -f /var/account/acct /var/account/acct.0
        sa -sq
-       lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[PT]'
+       lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[PTU]'
 fi

 # If ROOTBACKUP is set to 1 in the environment, and
Index: usr.bin/lastcomm/lastcomm.1
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/lastcomm/lastcomm.1,v
retrieving revision 1.19
diff -u -p -r1.19 lastcomm.1
--- usr.bin/lastcomm/lastcomm.1 27 Feb 2018 07:58:29 -0000      1.19
+++ usr.bin/lastcomm/lastcomm.1 25 Jul 2019 09:42:15 -0000
@@ -115,10 +115,13 @@ indicates the command was terminated wit
 .Sq P
 indicates the command was terminated due to a
 .Xr pledge 2
-violation, and
+violation,
 .Sq T
 indicates the command did a memory access violation detected by a
-processor trap.
+processor trap, and
+.Sq U
+indicates the command tried a file access that was prevented by
+.Xr unveil 2 .
 .Sh FILES
 .Bl -tag -width /var/account/acct -compact
 .It Pa /var/account/acct
Index: usr.bin/lastcomm/lastcomm.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/lastcomm/lastcomm.c,v
retrieving revision 1.27
diff -u -p -r1.27 lastcomm.c
--- usr.bin/lastcomm/lastcomm.c 27 Feb 2018 07:58:29 -0000      1.27
+++ usr.bin/lastcomm/lastcomm.c 25 Jul 2019 09:41:34 -0000
@@ -174,6 +174,7 @@ flagbits(int f)
        BIT(AXSIG, 'X');
        BIT(APLEDGE, 'P');
        BIT(ATRAP, 'T');
+       BIT(AUNVEIL, 'U');
        *p = '\0';
        return (flags);
 }
Index: lib/libc/sys/unveil.2
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/lib/libc/sys/unveil.2,v
retrieving revision 1.17
diff -u -p -r1.17 unveil.2
--- lib/libc/sys/unveil.2       24 Mar 2019 19:55:31 -0000      1.17
+++ lib/libc/sys/unveil.2       25 Jul 2019 11:12:15 -0000
@@ -132,6 +132,12 @@ use can be tricky because programs misbe
 unexpectedly disappear.
 In many cases it is easier to unveil the directories in which an
 application makes use of files.
+After a process has terminated,
+.Xr lastcomm 1
+will mark it with the
+.Sq U
+flag if file access was prevented by
+.Nm unveil .
 .Sh RETURN VALUES
 .Rv -std
 .Sh ERRORS

Reply via email to