> From: Theo de Raadt
> Date: Sun, 22 Jan 2017 20:52:14 -0700
>
> Early during pledge development the "ioctl" promise was a kitchen
> sink of options until we could differentiate use cases, identify
> common patterns, and then create domain-specific promises.
>
> only 4 cases of "ioctl" remain:
>
> - pax/tar/cpio experience great difficulty finding tape drives quite
> late, so they need a few MTIO ioctls. this is not easily fixable
> in the program, let's create a "tape" promise.
> - tcpdump and pflogd need a single bpf ioctl to collect status information
> at termination
> - httpd wants SIOCGIFGROUP during the config file parser, but kernel code
> indicates this is a pretty safe piece of code, so let's serve it with
> the "inet" promise.
>
> So let's just split these cases out. "ioctl"'s number gets reused for
> tape, and a new "bpf" promise is added.. That paves the way for a
> more complex diff coming in a few hours.
ok kettenis@
> Index: sys/sys/pledge.h
> ===
> RCS file: /cvs/src/sys/sys/pledge.h,v
> retrieving revision 1.29
> diff -u -p -u -r1.29 pledge.h
> --- sys/sys/pledge.h 3 Jul 2016 04:36:08 - 1.29
> +++ sys/sys/pledge.h 23 Jan 2017 03:22:23 -
> @@ -36,7 +36,7 @@
> #define PLEDGE_FLOCK 0x0080ULL /* file locking */
> #define PLEDGE_UNIX 0x0100ULL /* AF_UNIX sockets */
> #define PLEDGE_ID0x0200ULL /* allow setuid, setgid, etc */
> -#define PLEDGE_IOCTL 0x0400ULL /* Select ioctl */
> +#define PLEDGE_TAPE 0x0400ULL /* Tape ioctl */
> #define PLEDGE_GETPW 0x0800ULL /* YP enables if ypbind.lock */
> #define PLEDGE_PROC 0x1000ULL /* fork, waitpid, etc */
> #define PLEDGE_SETTIME 0x2000ULL /* able to set/adj
> time/freq */
> @@ -58,6 +58,7 @@
> #define PLEDGE_VMM 0x4000ULL /* vmm ioctls */
> #define PLEDGE_CHOWN 0x8000ULL /* chown(2) family */
> #define PLEDGE_CHOWNUID 0x0001ULL /* allow owner/group
> changes */
> +#define PLEDGE_BPF 0x0002ULL /* bpf ioctl */
>
> /*
> * Bits outside PLEDGE_USERSET are used by the kernel itself
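Review bot: The comment on the new `PLEDGE_BPF` define, `/* bpf ioctl */`, is broader than what the description asks for, which is a single bpf ioctl that tcpdump and pflogd use to collect status information at termination. A comment such as `/* bpf status ioctl at exit (tcpdump, pflogd) */` would tell later readers that the promise is not meant to open up the bpf ioctl surface in general; the check that enforces this lives in pledge_ioctl, outside this hunk. It is also worth confirming that the new bit lies inside `PLEDGE_USERSET`, whose definition is not visible here, since the trailing comment says bits outside it are used by the kernel itself.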
> @@ -82,7 +83,7 @@ static struct {
> { PLEDGE_FLOCK, "flock" },
> { PLEDGE_UNIX, "unix" },
> { PLEDGE_ID,"id" },
> - { PLEDGE_IOCTL, "ioctl" },
> + { PLEDGE_TAPE, "tape" },
> { PLEDGE_GETPW, "getpw" },
> { PLEDGE_PROC, "proc" },
> { PLEDGE_SETTIME, "settime" },
> @@ -103,6 +104,7 @@ static struct {
> { PLEDGE_DRM, "drm" },
> { PLEDGE_VMM, "vmm" },
> { PLEDGE_CHOWNUID, "chown" },
> + { PLEDGE_BPF, "bpf" },
> { 0, NULL },
> };
> #endif
> Index: sys/kern/kern_pledge.c
> ===
> RCS file: /cvs/src/sys/kern/kern_pledge.c,v
> retrieving revision 1.190
> diff -u -p -u -r1.190 kern_pledge.c
> --- sys/kern/kern_pledge.c23 Jan 2017 03:17:55 - 1.190
> +++ sys/kern/kern_pledge.c23 Jan 2017 03:28:08 -
> @@ -235,8 +235,7 @@ const uint64_t pledge_syscalls[SYS_MAXSY
>
> /*
>* FIONREAD/FIONBIO for "stdio"
> - * A few non-tty ioctl available using "ioctl"
> - * tty-centric ioctl available using "tty"
> + * Other ioctl are selectively allowed based upon other pledges.
>*/
> [SYS_ioctl] = PLEDGE_STDIO,
>
> @@ -360,6 +359,7 @@ static const struct {
> uint64_t flags;
> } pledgereq[] = {
> { "audio", PLEDGE_AUDIO },
> + { "bpf",PLEDGE_BPF },
> { "chown", PLEDGE_CHOWN | PLEDGE_CHOWNUID },
> { "cpath", PLEDGE_CPATH },
> { "disklabel", PLEDGE_DISKLABEL },
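Review bot: The `pledgereq[]` entries visible in this hunk are in alphabetical order and "bpf" is inserted at its sorted position, but nothing here states that the order matters. If the lookup relies on it (the lookup code is not part of this diff), a comment above the table such as `/* keep sorted by name: the lookup depends on the order */` would keep a later addition from going unmatched. The same applies to the "tape" entry added in the @@ -384,6 hunk. The array's declaration starts outside this hunk.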
> @@ -372,7 +372,6 @@ static const struct {
> { "getpw", PLEDGE_GETPW },
> { "id", PLEDGE_ID },
> { "inet", PLEDGE_INET },
> - { "ioctl", PLEDGE_IOCTL },
> { "mcast", PLEDGE_MCAST },
> { "pf", PLEDGE_PF },
> { "proc", PLEDGE_PROC },
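Review bot: Dropping `{ "ioctl", PLEDGE_IOCTL }` means a binary that still passes "ioctl" in its promise string no longer finds an entry in this table. How a failed lookup is handled is outside this hunk, but if pledge(2) then returns an error, a caller that ignores the return value keeps running with no restrictions at all. The userland programs named in the description (pax/tar/cpio, tcpdump, pflogd, httpd) therefore need to be converted together with this kernel change and should treat a pledge failure as fatal. A sentence in the commit message or the pledge(2) manual stating that "ioctl" is removed rather than aliased would help out-of-tree users.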
> @@ -384,6 +383,7 @@ static const struct {
> { "sendfd", PLEDGE_SENDFD },
> { "settime",PLEDGE_SETTIME },
> { "stdio", PLEDGE_STDIO },
> + { "tape", PLEDGE_TAPE },
> { "tmppath",PLEDGE_TMPPATH },
> { "tty",PLEDGE_TTY },
> { "unix", PLEDGE_UNIX },
> @@ -1127,23 +1127,27 @@ pledge_ioctl(struct proc *p, long com, s
> return (ENOTTY);
> }
>
> - /*
> - * Further sets of ioctl become available, but are checked a
> - * bit more carefully against the vnode.
> - */
> - if