Re: [PATCH] pledge: allow kern.somaxconn sysctl for inet

2020-05-13 Thread Kevin Chadwick
For the archives, if anyone else hits this issue.

Being killed with pledge sysctl 2 on a golang http.ListenAndServe no longer
happens.

https://github.com/golang/go/issues/31927



Re: [PATCH] pledge: allow kern.somaxconn sysctl for inet

2020-02-11 Thread Claudio Jeker
On Mon, Feb 03, 2020 at 12:52:05AM +, Jimmy Brush wrote:
> No golang tcp server can be pledged without this change because it
> queries kern.somaxconn before it listens on a tcp socket[1][2][3].
> 
> I cannot think of any advantage this change would give an attacker
> who has compromised a pledged process.
> 
> [1] https://golang.org/src/net/sock_posix.go#L57
> [2] https://golang.org/src/net/net.go#L373
> [3] https://golang.org/src/net/sock_bsd.go#L27
> 
> ---
>  sys/kern/kern_pledge.c | 6 ++
>  1 file changed, 6 insertions(+)
> 
> diff --git sys/kern/kern_pledge.c sys/kern/kern_pledge.c
> index 9f436df4893..8d1203198ed 100644
> --- sys/kern/kern_pledge.c
> +++ sys/kern/kern_pledge.c
> @@ -904,6 +904,12 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, void 
> *new)
>   return (0);
>   }
>  
> + if ((p->p_p->ps_pledge & PLEDGE_INET)) {
> + if (miblen == 2 &&  /* kern.somaxconn */
> + mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
> + return (0);
> + }
> +
>   if ((p->p_p->ps_pledge & (PLEDGE_ROUTE | PLEDGE_INET | PLEDGE_DNS))) {
>   if (miblen == 6 &&  /* getifaddrs() */
>   mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
> 
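Review bot: the new block is gated on `PLEDGE_INET` alone, while the getifaddrs() block directly below it accepts `PLEDGE_ROUTE | PLEDGE_INET | PLEDGE_DNS`. A short comment or a line in the commit message saying why only inet needs kern.somaxconn would make the narrower gate read as deliberate. The nested `if` with doubled parentheses could also collapse into one condition, though it matches the neighbouring block's style, so that part is optional.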

I think go should not query the sysctl and instead just use a reasonably
high default (or let users choose). The kernel will then use the minimum
of the two values. At least this is what all other daemons do.
Guess that option will not happen...

-- 
:wq Claudio
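
The approach suggested in the reply above, sketched as an added example (not code from this thread or from the Go project): the program calls listen(2) itself with a constant backlog and hands the socket to `net.FileListener`, so this code never derives the backlog from a sysctl. The helper name `listenFixedBacklog` and the value 1024 are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// fixedBacklog is an assumed "reasonably high" value; per the reply above,
// the kernel uses the minimum of this and its own limit.
const fixedBacklog = 1024

// listenFixedBacklog (hypothetical helper) creates an IPv4 TCP listener
// with a constant backlog instead of one read from kern.somaxconn.
func listenFixedBacklog(ip [4]byte, port int) (net.Listener, error) {
	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, 0)
	if err != nil {
		return nil, fmt.Errorf("socket: %w", err)
	}
	// f owns fd; net.FileListener works on a duplicate, so close ours on return.
	f := os.NewFile(uintptr(fd), "tcp-listener")
	defer f.Close()

	sa := &syscall.SockaddrInet4{Port: port, Addr: ip}
	if err := syscall.Bind(fd, sa); err != nil {
		return nil, fmt.Errorf("bind: %w", err)
	}
	if err := syscall.Listen(fd, fixedBacklog); err != nil {
		return nil, fmt.Errorf("listen: %w", err)
	}
	return net.FileListener(f)
}

func main() {
	// Constructed sample input: loopback address, kernel-chosen port.
	l, err := listenFixedBacklog([4]byte{127, 0, 0, 1}, 0)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer l.Close()
	fmt.Println("listening on", l.Addr())
}
```

The returned listener can be passed to `http.Serve` in place of calling `http.ListenAndServe`.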



[PATCH] pledge: allow kern.somaxconn sysctl for inet

2020-02-02 Thread Jimmy Brush
No golang tcp server can be pledged without this change because it
queries kern.somaxconn before it listens on a tcp socket[1][2][3].

I cannot think of any advantage this change would give an attacker
who has compromised a pledged process.

[1] https://golang.org/src/net/sock_posix.go#L57
[2] https://golang.org/src/net/net.go#L373
[3] https://golang.org/src/net/sock_bsd.go#L27

---
 sys/kern/kern_pledge.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git sys/kern/kern_pledge.c sys/kern/kern_pledge.c
index 9f436df4893..8d1203198ed 100644
--- sys/kern/kern_pledge.c
+++ sys/kern/kern_pledge.c
@@ -904,6 +904,12 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, void 
*new)
return (0);
}
 
+   if ((p->p_p->ps_pledge & PLEDGE_INET)) {
+   if (miblen == 2 &&  /* kern.somaxconn */
+   mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
+   return (0);
+   }
+
if ((p->p_p->ps_pledge & (PLEDGE_ROUTE | PLEDGE_INET | PLEDGE_DNS))) {
if (miblen == 6 &&  /* getifaddrs() */
mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
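
Review bot: the added check matches on `miblen` and `mib[]` only and never looks at `new`, so from these lines alone it is not clear the exemption is read-only. If the function does not already reject a non-NULL `new` before this point, add `new == NULL` to the condition so a pledged inet process can query kern.somaxconn but cannot set it.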