Re: split pledge "ioctl" into "bpf" and "tape"

2017-01-23 Thread Theo de Raadt
>Theo de Raadt wrote:
>> So let's just split these cases out.  "ioctl"'s number gets reused for
>> tape, and a new "bpf" promise is added..  That paves the way for a
>> more complex diff coming in a few hours.
>
>The mention of bpf made me worried that dhclient would be affected, but I
>checked and it's not. So this shouldn't cause trouble crossing over.

the "bpf" pledge allows only one tiny minor operation.   that is not new.

the programs you are thinking of perform all their bpf setup before
pledge (or don't pledge at all).  after that they simply read/write.



Re: split pledge "ioctl" into "bpf" and "tape"

2017-01-23 Thread Ted Unangst
Theo de Raadt wrote:
> So let's just split these cases out.  "ioctl"'s number gets reused for
> tape, and a new "bpf" promise is added..  That paves the way for a
> more complex diff coming in a few hours.

The mention of bpf made me worried that dhclient would be affected, but I
checked and it's not. So this shouldn't cause trouble crossing over.



Re: split pledge "ioctl" into "bpf" and "tape"

2017-01-22 Thread Mark Kettenis
> From: Theo de Raadt 
> Date: Sun, 22 Jan 2017 20:52:14 -0700
> 
> Early during pledge development the "ioctl" promise was a kitchen
> sink of options until we could differentiate use cases, identify
> common patterns, and then create domain-specific promises.
> 
> only 4 cases of "ioctl" remain:
> 
> - pax/tar/cpio experience great difficulty finding tape drives quite
>   late, so they need a few MTIO ioctls.  this is not easily fixable
>   in the program, let's create a "tape" promise.
> - tcpdump and pflogd need a single bpf ioctl to collect status information
>   at termination
> - httpd wants SIOCGIFGROUP during the config file parser, but kernel code
>   indicates this is a pretty safe piece of code, so let's serve it with
>   the "inet" promise.
> 
> So let's just split these cases out.  "ioctl"'s number gets reused for
> tape, and a new "bpf" promise is added..  That paves the way for a
> more complex diff coming in a few hours.

ok kettenis@

> Index: sys/sys/pledge.h
> ===
> RCS file: /cvs/src/sys/sys/pledge.h,v
> retrieving revision 1.29
> diff -u -p -u -r1.29 pledge.h
> --- sys/sys/pledge.h  3 Jul 2016 04:36:08 -   1.29
> +++ sys/sys/pledge.h  23 Jan 2017 03:22:23 -
> @@ -36,7 +36,7 @@
>  #define PLEDGE_FLOCK 0x0080ULL   /* file locking */
>  #define PLEDGE_UNIX  0x0100ULL   /* AF_UNIX sockets */
>  #define PLEDGE_ID0x0200ULL   /* allow setuid, setgid, etc */
> -#define PLEDGE_IOCTL 0x0400ULL   /* Select ioctl */
> +#define PLEDGE_TAPE  0x0400ULL   /* Tape ioctl */
>  #define PLEDGE_GETPW 0x0800ULL   /* YP enables if ypbind.lock */
>  #define PLEDGE_PROC  0x1000ULL   /* fork, waitpid, etc */
>  #define PLEDGE_SETTIME   0x2000ULL   /* able to set/adj 
> time/freq */
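Review bot: reusing the 0x0400 bit for PLEDGE_TAPE rather than allocating a fresh one means any consumer of the bit-to-name table further down this header will now decode a mask saved under the old meaning as "tape" instead of "ioctl". That is harmless as long as nothing persists the numeric mask across this change, but it deserves a sentence in the commit message; the alternative is to leave 0x0400 retired and give "tape" a new bit next to PLEDGE_BPF.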
> @@ -58,6 +58,7 @@
>  #define PLEDGE_VMM   0x4000ULL   /* vmm ioctls */
>  #define PLEDGE_CHOWN 0x8000ULL   /* chown(2) family */
>  #define PLEDGE_CHOWNUID  0x0001ULL   /* allow owner/group 
> changes */
> +#define PLEDGE_BPF   0x0002ULL   /* bpf ioctl */
>  
>  /*
>   * Bits outside PLEDGE_USERSET are used by the kernel itself
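Review bot: PLEDGE_BPF is added directly above the comment saying that bits outside PLEDGE_USERSET belong to the kernel, so please confirm PLEDGE_USERSET (not in this hunk) still covers the new bit; if it does not, pledge(2) can never grant "bpf" and the new request-table entry is dead. Also check the literals in the committed header: as they appear here, 0x0001ULL for PLEDGE_CHOWNUID and 0x0002ULL for PLEDGE_BPF are lower than PLEDGE_FLOCK's 0x0080ULL in the previous hunk and would collide with the low bits, which only makes sense if zeros were lost in the mail.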
> @@ -82,7 +83,7 @@ static struct {
>   { PLEDGE_FLOCK, "flock" },
>   { PLEDGE_UNIX,  "unix" },
>   { PLEDGE_ID,"id" },
> - { PLEDGE_IOCTL, "ioctl" },
> + { PLEDGE_TAPE,  "tape" },
>   { PLEDGE_GETPW, "getpw" },
>   { PLEDGE_PROC,  "proc" },
>   { PLEDGE_SETTIME,   "settime" },
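Review bot: with "ioctl" dropped from this name table (and from pledgereq[] in kern_pledge.c), pledge.2 needs the same change, describing the new "tape" and "bpf" promises and removing "ioctl"; the man page is not part of this diff, so please include it in the same commit so the documented promise list matches what the kernel accepts.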
> @@ -103,6 +104,7 @@ static struct {
>   { PLEDGE_DRM,   "drm" },
>   { PLEDGE_VMM,   "vmm" },
>   { PLEDGE_CHOWNUID,  "chown" },
> + { PLEDGE_BPF,   "bpf" },
>   { 0, NULL },
>  };
>  #endif
> Index: sys/kern/kern_pledge.c
> ===
> RCS file: /cvs/src/sys/kern/kern_pledge.c,v
> retrieving revision 1.190
> diff -u -p -u -r1.190 kern_pledge.c
> --- sys/kern/kern_pledge.c23 Jan 2017 03:17:55 -  1.190
> +++ sys/kern/kern_pledge.c23 Jan 2017 03:28:08 -
> @@ -235,8 +235,7 @@ const uint64_t pledge_syscalls[SYS_MAXSY
>  
>   /*
>* FIONREAD/FIONBIO for "stdio"
> -  * A few non-tty ioctl available using "ioctl"
> -  * tty-centric ioctl available using "tty"
> +  * Other ioctl are selectively allowed based upon other pledges.
>*/
>   [SYS_ioctl] = PLEDGE_STDIO,
>  
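Review bot: style, in the new comment line: "Other ioctl are selectively allowed" should read "Other ioctls are selectively allowed". Since the text it replaces named the promises that unlock further ioctls ("ioctl", "tty"), consider listing the current set here ("tty", "tape", "bpf", "inet" for the SIOCGIFGROUP case named in the message) instead of the generic sentence; this comment is where a reader first looks to find which promise to request.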
> @@ -360,6 +359,7 @@ static const struct {
>   uint64_t flags;
>  } pledgereq[] = {
>   { "audio",  PLEDGE_AUDIO },
> + { "bpf",PLEDGE_BPF },
>   { "chown",  PLEDGE_CHOWN | PLEDGE_CHOWNUID },
>   { "cpath",  PLEDGE_CPATH },
>   { "disklabel",  PLEDGE_DISKLABEL },
> @@ -372,7 +372,6 @@ static const struct {
>   { "getpw",  PLEDGE_GETPW },
>   { "id", PLEDGE_ID },
>   { "inet",   PLEDGE_INET },
> - { "ioctl",  PLEDGE_IOCTL },
>   { "mcast",  PLEDGE_MCAST },
>   { "pf", PLEDGE_PF },
>   { "proc",   PLEDGE_PROC },
> @@ -384,6 +383,7 @@ static const struct {
>   { "sendfd", PLEDGE_SENDFD },
>   { "settime",PLEDGE_SETTIME },
>   { "stdio",  PLEDGE_STDIO },
> + { "tape",   PLEDGE_TAPE },
>   { "tmppath",PLEDGE_TMPPATH },
>   { "tty",PLEDGE_TTY },
>   { "unix",   PLEDGE_UNIX },
> @@ -1127,23 +1127,27 @@ pledge_ioctl(struct proc *p, long com, s
>   return (ENOTTY);
>   }
>  
> - /*
> -  * Further sets of ioctl become available, but are checked a
> -  * bit more carefully against the vnode.
> -  */
> - if
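As an added illustration, not code from the OpenBSD tree: a userland model of the lookup path this diff touches. pledge(2) splits the promise string into tokens and looks each one up in pledgereq[], which the kernel keeps sorted by name so the search can be binary; that is why "bpf" lands between "audio" and "chown" and "tape" between "stdio" and "tmppath" above. Once "ioctl" is gone, a caller still asking for it gets EINVAL for the whole request. The bit values, the reduced table and the ioctl classes in the example are assumptions for illustration and are not pledge.h's constants.

```c
/*
 * Added example (not OpenBSD's kern_pledge.c): a userland model of how a
 * promise string such as "stdio bpf" becomes a bit mask and which promise
 * gates which ioctl class. Bit values, table and classes are assumed.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PLEDGE_STDIO	0x0001ULL
#define PLEDGE_AUDIO	0x0002ULL
#define PLEDGE_BPF	0x0004ULL
#define PLEDGE_CHOWN	0x0008ULL
#define PLEDGE_INET	0x0010ULL
#define PLEDGE_TAPE	0x0020ULL
#define nitems(a)	(sizeof(a) / sizeof((a)[0]))

/* Must stay sorted by name: the lookup below is a binary search. */
static const struct { const char *name; uint64_t flags; } pledgereq[] = {
	{ "audio",	PLEDGE_AUDIO },
	{ "bpf",	PLEDGE_BPF },		/* new, between audio and chown */
	{ "chown",	PLEDGE_CHOWN },
	{ "inet",	PLEDGE_INET },
	{ "stdio",	PLEDGE_STDIO },
	{ "tape",	PLEDGE_TAPE },		/* takes the place of "ioctl" */
};

/* Flags for one promise name, or 0 if unknown (as "ioctl" now is). */
static uint64_t
pledgereq_flags(const char *req)
{
	size_t base = 0, lim, i;
	int c;
	for (lim = nitems(pledgereq); lim != 0; lim >>= 1) {
		i = base + (lim >> 1);
		c = strcmp(req, pledgereq[i].name);
		if (c == 0)
			return pledgereq[i].flags;
		if (c > 0) {		/* req sorts after entry i */
			base = i + 1;
			lim--;
		}
	}
	return 0;
}

/*
 * Parse a whitespace-separated promise string: every token must be known or
 * the whole request fails with EINVAL, as a binary still asking for "ioctl"
 * will see after this diff. The union of the flags is stored in *out.
 */
static int
parse_promises(const char *promises, uint64_t *out)
{
	char tok[32];
	uint64_t flags = 0, f;
	size_t n;
	while (*(promises += strspn(promises, " \t\n")) != '\0') {
		n = strcspn(promises, " \t\n");
		if (n >= sizeof(tok))
			return EINVAL;
		memcpy(tok, promises, n);
		tok[n] = '\0';
		if ((f = pledgereq_flags(tok)) == 0)
			return EINVAL;
		flags |= f;
		promises += n;
	}
	*out = flags;
	return 0;
}

/* The ioctl classes the message splits out and the promise each now needs. */
enum ioctl_class { IOCTL_MTIO, IOCTL_BPF_STATUS, IOCTL_SIOCGIFGROUP };

static int
ioctl_allowed(uint64_t flags, enum ioctl_class cls)
{
	switch (cls) {
	case IOCTL_MTIO:	 return (flags & PLEDGE_TAPE) != 0;
	case IOCTL_BPF_STATUS:	 return (flags & PLEDGE_BPF) != 0;
	case IOCTL_SIOCGIFGROUP: return (flags & PLEDGE_INET) != 0;
	}
	return 0;
}

int
main(void)
{
	const char *reqs[] = { "stdio bpf", "stdio tape", "stdio ioctl" };
	uint64_t flags;
	size_t i;
	for (i = 0; i < nitems(reqs); i++)
		printf("%-12s -> %s\n", reqs[i],
		    parse_promises(reqs[i], &flags) == 0 ? "accepted" : "EINVAL");
	return 0;
}
```

The rejection is all-or-nothing: one unknown token fails the whole call, so a program whose promise list was not updated alongside this change does not end up with a partially applied pledge, it ends up with none, which is why checking pledge's return value matters.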