Re: Document missing pledge promises
On Fri, Jun 11, 2021 at 09:16:46AM -0600, Theo de Raadt wrote:
> Dave Voutila wrote:
>
> > Theo de Raadt writes:
> >
> > > Regarding the vmm chunk -- as I said in my other reply, these
> > > explanations are too precise. They risk becoming outdated as things
> > > change. Furthermore, some of those ioctl may work in one way, but not
> > > another way. Which would be too complicated to describe also. I urge
> > > simple messaging:
> > >
> > > .It Va vmm
> > > Operations required by
> > > .Xr vmd 8 .
> > >
> > > It is accurate. If someone later wanted to use those operations, they
> > > would figure it out by reading kernel and vmd source.
> >
> > I agree simpler is better. The actual ioctls are documented in vmm.4 and
> > this is currently an all-or-nothing thing. You either get to perform all
> > operations on the vmm(4) device or none.
>
> What you just said is the truth. But once you put it in a manual page,
> in the future the code may change, and some ioctl might be exposed
> without "vmm". It is better to be vague.
>

Agreed, simpler is better in the pledge docs.
Re: Document missing pledge promises
Dave Voutila wrote:
> Theo de Raadt writes:
>
> > Regarding the vmm chunk -- as I said in my other reply, these
> > explanations are too precise. They risk becoming outdated as things
> > change. Furthermore, some of those ioctl may work in one way, but not
> > another way. Which would be too complicated to describe also. I urge
> > simple messaging:
> >
> > .It Va vmm
> > Operations required by
> > .Xr vmd 8 .
> >
> > It is accurate. If someone later wanted to use those operations, they
> > would figure it out by reading kernel and vmd source.
>
> I agree simpler is better. The actual ioctls are documented in vmm.4 and
> this is currently an all-or-nothing thing. You either get to perform all
> operations on the vmm(4) device or none.

What you just said is the truth. But once you put it in a manual page,
in the future the code may change, and some ioctl might be exposed
without "vmm". It is better to be vague.
Re: Document missing pledge promises
Theo de Raadt writes:

> Regarding the vmm chunk -- as I said in my other reply, these
> explanations are too precise. They risk becoming outdated as things
> change. Furthermore, some of those ioctl may work in one way, but not
> another way. Which would be too complicated to describe also. I urge
> simple messaging:
>
> .It Va vmm
> Operations required by
> .Xr vmd 8 .
>
> It is accurate. If someone later wanted to use those operations, they
> would figure it out by reading kernel and vmd source.

I agree simpler is better. The actual ioctls are documented in vmm.4 and
this is currently an all-or-nothing thing. You either get to perform all
operations on the vmm(4) device or none.

-dv
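As an added illustration of the all-or-nothing point made above (example code written for this page, not OpenBSD's kern_pledge.c and not anything posted in the thread), the C below models two pieces of the mechanism: turning a promise string into a flag set through a {bits, name} table shaped like the pledgenames[] array that appears in the patch further down the thread, and an ioctl gate that checks a single promise bit for every command on a device. The bit values, the ioctl numbers and the function names parsepledges() and pledge_ioctl_check() are constructed for the example; and where a real pledge violation kills the process with SIGABRT, the model returns EPERM so a caller can observe the decision.

```c
/*
 * Added example, not OpenBSD source: a user-space model of how a promise
 * string becomes a flag set via a {bits, name} table (same shape as the
 * pledgenames[] array in sys/sys/pledge.h) and how an ioctl gate then
 * checks one promise bit for a whole device.  Bit values, ioctl numbers
 * and function names are constructed for illustration.
 */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed bit assignments; the kernel's live in sys/sys/pledge.h. */
#define PLEDGE_STDIO     0x01ULL
#define PLEDGE_VMINFO    0x02ULL
#define PLEDGE_VMM       0x04ULL
#define PLEDGE_DRM       0x08ULL
#define PLEDGE_BPF       0x10ULL
#define PLEDGE_DISKLABEL 0x20ULL

static const struct {
	uint64_t	 bits;
	const char	*name;
} pledgenames[] = {
	{ PLEDGE_STDIO,		"stdio" },
	{ PLEDGE_VMINFO,	"vminfo" },
	{ PLEDGE_VMM,		"vmm" },
	{ PLEDGE_DRM,		"drm" },
	{ PLEDGE_BPF,		"bpf" },
	{ PLEDGE_DISKLABEL,	"disklabel" },
	{ 0, NULL },
};

/*
 * Turn a whitespace-separated promise string into a bitmask.  Each token
 * is matched by name, so the order of pledgenames[] entries never matters.
 * Returns 0 on success or EINVAL for an unknown promise, which is the
 * errno pledge(2) reports for a bad string.
 */
int
parsepledges(const char *promises, uint64_t *out)
{
	uint64_t flags = 0;
	const char *p = promises;

	for (;;) {
		size_t len = 0;
		int i, found = 0;

		while (isspace((unsigned char)*p))
			p++;
		if (*p == '\0')
			break;
		while (p[len] != '\0' && !isspace((unsigned char)p[len]))
			len++;
		for (i = 0; pledgenames[i].name != NULL; i++) {
			if (strlen(pledgenames[i].name) == len &&
			    strncmp(pledgenames[i].name, p, len) == 0) {
				flags |= pledgenames[i].bits;
				found = 1;
				break;
			}
		}
		if (!found)
			return EINVAL;
		p += len;
	}
	*out = flags;
	return 0;
}

/* Constructed command numbers standing in for two devices' ioctl sets. */
enum {
	IOC_VMM_CREATE = 0xc100, IOC_VMM_RUN = 0xc101, IOC_VMM_TERM = 0xc102,
	IOC_DISK_GETLABEL = 0xc200
};

/*
 * All-or-nothing gate: every command of a device is permitted iff that
 * device's promise bit is set.  A real pledge violation kills the process
 * with SIGABRT; the model returns EPERM so callers can observe the decision.
 */
int
pledge_ioctl_check(uint64_t flags, int cmd)
{
	switch (cmd) {
	case IOC_VMM_CREATE:
	case IOC_VMM_RUN:
	case IOC_VMM_TERM:
		return (flags & PLEDGE_VMM) ? 0 : EPERM;
	case IOC_DISK_GETLABEL:
		return (flags & PLEDGE_DISKLABEL) ? 0 : EPERM;
	default:
		return EPERM;	/* commands no promise covers are always denied */
	}
}

int
main(void)
{
	uint64_t flags;

	if (parsepledges("stdio vmm", &flags) != 0)
		return 1;
	printf("vmm run:   %s\n", pledge_ioctl_check(flags, IOC_VMM_RUN) ? "denied" : "allowed");
	printf("disklabel: %s\n", pledge_ioctl_check(flags, IOC_DISK_GETLABEL) ? "denied" : "allowed");
	return 0;
}
```

The point of the gate's switch is the one Dave makes: a single bit decides the whole VMM command set, so a manual page that enumerates individual commands promises more precision than the check actually has.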
Re: Document missing pledge promises
Regarding the vmm chunk -- as I said in my other reply, these
explanations are too precise. They risk becoming outdated as things
change. Furthermore, some of those ioctl may work in one way, but not
another way. Which would be too complicated to describe also. I urge
simple messaging:

.It Va vmm
Operations required by
.Xr vmd 8 .

It is accurate. If someone later wanted to use those operations, they
would figure it out by reading kernel and vmd source.

Josh Rickmar wrote:
> Here's my take at documenting the missing pledge promises in pledge.2
> and placing them in a reasonable order with the others. Each of these
> just enabled various ioctl or sysctl interfaces.
>
> I'm unhappy with the explanation for drm, but don't know how to
> explain the purpose of these ioctls, and could not find any man page
> to .Xr which documents these ioctl commands.
>
> diff db8264de5e686d467fdfaede154dd2a2b3b1dc3d /usr/src
> blob - 5794003962d7bc22bb4bb10471ed6f3381383cdf
> file + lib/libc/sys/pledge.2
> --- lib/libc/sys/pledge.2
> +++ lib/libc/sys/pledge.2
> @@ -498,6 +498,24 @@ programs like
>  .Xr top 1
>  and
>  .Xr vmstat 8 .
> +.It Va vmm
> +Allows a subset of
> +.Xr ioctl 2
> +operations on the
> +.Xr vmm 4
> +device:
> +.Pp
> +.Dv VMM_IOC_CREATE ,
> +.Dv VMM_IOC_RUN ,
> +.Dv VMM_IOC_INFO ,
> +.Dv VMM_IOC_TERM ,
> +.Dv VMM_IOC_RESETCPU ,
> +.Dv VMM_IOC_INTR ,
> +.Dv VMM_IOC_READREGS ,
> +.Dv VMM_IOC_WRITEREGS ,
> +.Dv VMM_IOC_READVMPARAMS ,
> +.Dv VMM_IOC_WRITEVMPARAMS ,
> +.Dv VMM_IOC_MPROTECT_EPT
>  .It Va id
>  Allows the following system calls which can change the rights of a
>  process:
> @@ -579,12 +597,27 @@ devices:
>  .Dv VIDIOC_STREAMON ,
>  .Dv VIDIOC_TRY_FMT ,
>  .Dv VIDIOC_REQBUFS
> +.It Va drm
> +Allows a subset of
> +.Xr ioctl 2
> +operations on
> +.Xr drm 4
> +devices.
>  .It Va bpf
>  Allow
>  .Dv BIOCGSTATS
>  operation for statistics collection from a
>  .Xr bpf 4
>  device.
> +.It Va disklabel
> +Allow enough
> +.Xr sysctl 2
> +interfaces to allow inspection of
> +.Xr disklabel 5
> +partitions by programs like
> +.Xr disklabel 8
> +and
> +.Xr fdisk 8 .
>  .It Va unveil
>  Allow
>  .Xr unveil 2
> blob - a8e23adf2a48afcb82c4118a45b76ad3060c1069
> file + sys/sys/pledge.h
> --- sys/sys/pledge.h
> +++ sys/sys/pledge.h
> @@ -100,18 +100,18 @@ static const struct {
>  { PLEDGE_SETTIME, "settime" },
>  { PLEDGE_PS,"ps" },
>  { PLEDGE_VMINFO,"vminfo" },
> +{ PLEDGE_VMM, "vmm" },
>  { PLEDGE_ID,"id" },
>  { PLEDGE_PF,"pf" },
>  { PLEDGE_ROUTE, "route" },
>  { PLEDGE_WROUTE,"wroute" },
>  { PLEDGE_AUDIO, "audio" },
>  { PLEDGE_VIDEO, "video" },
> +{ PLEDGE_DRM, "drm" },
>  { PLEDGE_BPF, "bpf" },
> +{ PLEDGE_DISKLABEL, "disklabel" },
>  { PLEDGE_UNVEIL,"unveil" },
>  { PLEDGE_ERROR, "error" },
> -{ PLEDGE_DISKLABEL, "disklabel" },
> -{ PLEDGE_DRM, "drm" },
> -{ PLEDGE_VMM, "vmm" },
>  { 0, NULL },
>  };
>  #endif
>
Document missing pledge promises
Here's my take at documenting the missing pledge promises in pledge.2
and placing them in a reasonable order with the others. Each of these
just enabled various ioctl or sysctl interfaces.

I'm unhappy with the explanation for drm, but don't know how to
explain the purpose of these ioctls, and could not find any man page
to .Xr which documents these ioctl commands.

diff db8264de5e686d467fdfaede154dd2a2b3b1dc3d /usr/src
blob - 5794003962d7bc22bb4bb10471ed6f3381383cdf
file + lib/libc/sys/pledge.2
--- lib/libc/sys/pledge.2
+++ lib/libc/sys/pledge.2
@@ -498,6 +498,24 @@ programs like
 .Xr top 1
 and
 .Xr vmstat 8 .
+.It Va vmm
+Allows a subset of
+.Xr ioctl 2
+operations on the
+.Xr vmm 4
+device:
+.Pp
+.Dv VMM_IOC_CREATE ,
+.Dv VMM_IOC_RUN ,
+.Dv VMM_IOC_INFO ,
+.Dv VMM_IOC_TERM ,
+.Dv VMM_IOC_RESETCPU ,
+.Dv VMM_IOC_INTR ,
+.Dv VMM_IOC_READREGS ,
+.Dv VMM_IOC_WRITEREGS ,
+.Dv VMM_IOC_READVMPARAMS ,
+.Dv VMM_IOC_WRITEVMPARAMS ,
+.Dv VMM_IOC_MPROTECT_EPT
 .It Va id
 Allows the following system calls which can change the rights of a
 process:
@@ -579,12 +597,27 @@ devices:
 .Dv VIDIOC_STREAMON ,
 .Dv VIDIOC_TRY_FMT ,
 .Dv VIDIOC_REQBUFS
+.It Va drm
+Allows a subset of
+.Xr ioctl 2
+operations on
+.Xr drm 4
+devices.
 .It Va bpf
 Allow
 .Dv BIOCGSTATS
 operation for statistics collection from a
 .Xr bpf 4
 device.
+.It Va disklabel
+Allow enough
+.Xr sysctl 2
+interfaces to allow inspection of
+.Xr disklabel 5
+partitions by programs like
+.Xr disklabel 8
+and
+.Xr fdisk 8 .
 .It Va unveil
 Allow
 .Xr unveil 2
blob - a8e23adf2a48afcb82c4118a45b76ad3060c1069
file + sys/sys/pledge.h
--- sys/sys/pledge.h
+++ sys/sys/pledge.h
@@ -100,18 +100,18 @@ static const struct {
 { PLEDGE_SETTIME, "settime" },
 { PLEDGE_PS,"ps" },
 { PLEDGE_VMINFO,"vminfo" },
+{ PLEDGE_VMM, "vmm" },
 { PLEDGE_ID,"id" },
 { PLEDGE_PF,"pf" },
 { PLEDGE_ROUTE, "route" },
 { PLEDGE_WROUTE,"wroute" },
 { PLEDGE_AUDIO, "audio" },
 { PLEDGE_VIDEO, "video" },
+{ PLEDGE_DRM, "drm" },
 { PLEDGE_BPF, "bpf" },
+{ PLEDGE_DISKLABEL, "disklabel" },
 { PLEDGE_UNVEIL,"unveil" },
 { PLEDGE_ERROR, "error" },
-{ PLEDGE_DISKLABEL, "disklabel" },
-{ PLEDGE_DRM, "drm" },
-{ PLEDGE_VMM, "vmm" },
 { 0, NULL },
 };
 #endif
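Review bot: In the first pledge.2 hunk (@@ -498,6 +498,24 @@), the enumerated VMM_IOC_* list under `.It Va vmm` duplicates what vmm(4) already documents and will go stale as commands are added or removed, and "Allows a subset of" overstates the precision of a promise that, as Dave Voutila notes in this thread, currently gates the whole vmm(4) device at once. Prefer the shorter wording Theo proposed, which stays true across such changes: `.It Va vmm`, `Operations required by`, `.Xr vmd 8 .`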
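Review bot: In the second pledge.2 hunk (@@ -579,12 +597,27 @@), the `.It Va drm` entry tells a reader nothing beyond "some ioctls", which the cover letter itself flags; if no man page documents the commands, name the consumer the promise exists for, the way the preceding vminfo text does with top(1) and vmstat(8). In the `.It Va disklabel` entry, "Allow enough ... to allow inspection" repeats "allow", and the entry mentions only sysctl(2) while the cover letter says these promises enable "ioctl or sysctl interfaces"; confirm against the kernel's pledge checks whether disk ioctls are also gated by this promise and, if so, say so in the entry.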
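Review bot: The pledge.h hunk (@@ -100,18 +100,18 @@) only moves the three existing table entries up beside related promises; lookup in this table is by name, so the reorder is behaviour-neutral, but it is churn in a kernel header riding along with a documentation change. Either state in the commit message that the reorder is cosmetic, to mirror the pledge.2 order, or leave the header untouched and order only the man page entries.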