CVSROOT:	/cvs
Module name:	src
Changes by:	dera...@cvs.openbsd.org	2025/07/16 22:58:00

Modified files:
	sys/kern       : kern_pledge.c

Log message:
When pledge was designed, I noticed that the libc DNS code would poll for
newer "/etc/resolv.conf" using stat(2), so I permitted that operation in
the pledge_namei() callback for the "dns" promise.

Recent review found that libc DNS should actually be doing open(2) then
fstat(2), and obviously the callback permits open(2). So libc was changed
a few weeks ago to not use stat(2).

We have now cranked libc for other reasons, and since we expect people to
keep their kernel and libc in the same era (certainly less than a month),
I'm deleting the stat(2) approval in pledge_namei().

Something remains that I am uncomfortable with. Some go libraries also do
stat(2)+open(2), rather than open(2)+fstat(2), and many years ago tedu
wanted to do pledge in go programs. I'm uncomfortable because pledge is a
contract with libc, not with some arbitrary external library that isn't
actually trying to jive with the kernel's increasingly tightened security
model. I leave that code until a grumpy day.
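Added example, not part of this commit or of OpenBSD's libc: a C probe that checks /etc/resolv.conf for changes the way the message says libc now does it, open(2) then fstat(2), which the "dns" promise's pledge_namei() callback still permits, whereas stat(2) on the path is no longer approved under that promise. The self-check runs on a constructed temporary file; the pledge("stdio dns") call in main() is compiled only on OpenBSD.

```c
#define _DEFAULT_SOURCE		/* st_mtim, futimens, mkstemp on glibc */
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* open(2)+fstat(2) mtime probe, the form the "dns" promise permits for
 * /etc/resolv.conf (stat(2) is not). 1 = changed (*last updated), 0 = same, -1 = error. */
int resolv_changed(const char *path, struct timespec *last)
{
	struct stat st;
	int fd = open(path, O_RDONLY | O_CLOEXEC);
	int ok = fd != -1 && fstat(fd, &st) == 0;
	if (fd != -1)
		close(fd);
	if (!ok)
		return -1;
	if (st.st_mtim.tv_sec == last->tv_sec && st.st_mtim.tv_nsec == last->tv_nsec)
		return 0;
	*last = st.st_mtim;
	return 1;
}

/* Self-check on a constructed temp file: the first probe sees a change, the second
 * does not, and bumping the mtime with futimens(2) makes the third see one. 1 on success. */
int resolv_selfcheck(void)
{
	char tmpl[] = "/tmp/resolv.XXXXXX";
	struct timespec last = { 0, 0 }, t[2] = { { 1, 0 }, { 2, 0 } };
	int fd = mkstemp(tmpl), ok;
	if (fd == -1)
		return 0;
	ok = resolv_changed(tmpl, &last) == 1 && resolv_changed(tmpl, &last) == 0 &&
	    futimens(fd, t) == 0 &&	/* atime 1s, mtime 2s since the epoch */
	    resolv_changed(tmpl, &last) == 1 && resolv_changed(tmpl, &last) == 0;
	close(fd);
	unlink(tmpl);
	return ok;
}

int main(void)
{
	struct timespec last = { 0, 0 };
#ifdef __OpenBSD__
	if (pledge("stdio dns", NULL) == -1)	/* no rpath: stat(2) on the path is not approved */
		return 1;
#endif
	return resolv_changed("/etc/resolv.conf", &last) == 1 ? 0 : 1;
}
```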