I'm not sure if this makes sense, since tame(2) was designed to operate on processes after they have already been initialized, and this would set the allowed operations before initializing the process.
It's a fairly simple change to get the basics working as shown here, but it's currently not very useful as more complex programs generally can't start even if given all current tame(2) permissions. I mostly did this to get more experience working in the kernel, not because I think it is a good idea, but I welcome feedback all the same. First the manual, followed by the code, then the kernel and tame(2) manpage diff. Thanks, Jeremy TAME(1) General Commands Manual TAME(1) NAME tame - restrict system operations for process SYNOPSIS tame [-aCcdghIiRSptuw] utility [argument ...] DESCRIPTION tame restricts system operations using the tame(2) system call, then executes the utility with the given arguments. If the utility attempts to perform an operation which was not permitted, it will be killed by the system with SIGKILL. By default, tame restricts almost all system operations for the executed process, allowing only the execution of processes (TAME_EXEC), use of stdio (TAME_STDIO), and reading the file system (TAME_RPATH). All flags with the exception of -h, -R, and -S allow additional system operations. The options that allow additional system operations are as follows, with the tame(2) option that they enable: -a TAME_ABORT -C TAME_CMSG -c TAME_CPATH -d TAME_DNS -g TAME_GETPW -I TAME_IOCTL -i TAME_INET -p TAME_PROC -t TAME_TMPPATH -u TAME_UNIX -w TAME_WPATH The following options restrict system operations that are allowed by default: -R TAME_RW -r TAME_RPATH The -h option displays the usage. If the -r option is used, utilty must be the full path to the utility, tame will no longer search the PATH to find it, as it will have already restricted the permissions that would allow that. EXIT STATUS The tame utility exits with one of the following values: 125 An error occurred. 126 The utility was not found or could not be invoked. Otherwise, the exit status of tame shall be that of utility. EXAMPLES Only allow overwriting files that already exist, do not allow creating new files: $ tame -w cp from to SEE ALSO tame(2) HISTORY The tame() system call appeared in OpenBSD 5.8. $Mdocdate: $ OpenBSD 5.8 tame.c: /* $OpenBSD: $ */ /* * Copyright (c) 2015 Jeremy Evans <jer...@openbsd.org> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include <err.h> #include <stdio.h> #include <stdlib.h> #include <sys/tame.h> #include <unistd.h> __dead void usage(int); int main(int argc, char *argv[]) { char ch; char *file; /* TAME_RPATH needed to find process to execute * TAME_EXEC needed to execute the process * TAME_STDIO needed by almost all processes */ int tame_flags = TAME_RPATH | TAME_STDIO | TAME_EXEC; while ((ch = getopt(argc, argv, "aCcdghIiRrptuw")) != -1) switch (ch) { case 'a': tame_flags |= TAME_ABORT; break; case 'C': tame_flags |= TAME_CMSG; break; case 'c': tame_flags |= TAME_CPATH; break; case 'd': tame_flags |= TAME_DNS; break; case 'g': tame_flags |= TAME_GETPW; break; case 'I': tame_flags |= TAME_IOCTL; break; case 'i': tame_flags |= TAME_INET; break; case 'p': tame_flags |= TAME_PROC; break; case 'R': tame_flags &= ~TAME_RW; break; case 'r': tame_flags &= ~TAME_RPATH; break; case 't': tame_flags |= TAME_TMPPATH; break; case 'u': tame_flags |= TAME_UNIX; break; case 'w': tame_flags |= TAME_WPATH; break; case 'h': usage(0); break; default: usage(125); } argv += optind; argc -= optind; if(tame(tame_flags) == -1) err(125, NULL); if(tame_flags & TAME_RPATH) { if(execvp(argv[0], argv) == -1) err(126, NULL); } else { if(execv(argv[0], argv) == -1) err(126, NULL); } } void usage(int status) { fprintf(stderr, "usage: tame [-aCcdghIipRrtuw] cmd\n"); exit(status); } kernel/manpage diff: Index: sys/kern/kern_tame.c =================================================================== RCS file: /cvs/src/sys/kern/kern_tame.c,v retrieving revision 1.3 diff -u -p -u -p -r1.3 kern_tame.c --- sys/kern/kern_tame.c 20 Jul 2015 02:43:26 -0000 1.3 +++ sys/kern/kern_tame.c 20 Jul 2015 06:30:12 -0000 @@ -135,6 +135,8 @@ const u_int tame_syscalls[SYS_MAXSYSCALL [SYS_setresgid] = _TM_PROC, [SYS_setresuid] = _TM_PROC, + [SYS_execve] = _TM_EXEC, + [SYS_ioctl] = _TM_IOCTL, /* very limited subset */ [SYS_getentropy] = _TM_MALLOC, @@ -564,6 +566,12 @@ tame_sysctl_check(struct proc *p, int na return (0); if (namelen == 2 && name[0] == CTL_KERN && name[1] == KERN_HOSTNAME) + return (0); + + /* getpagesize() */ + if ((p->p_p->ps_tame & _TM_EXEC) && + namelen == 2 && + name[0] == CTL_HW && name[1] == HW_PAGESIZE) return (0); printf("tame: pid %d %s sysctl %d: %d %d %d %d %d %d\n", Index: sys/sys/tame.h =================================================================== RCS file: /cvs/src/sys/sys/tame.h,v retrieving revision 1.1 diff -u -p -u -p -r1.1 tame.h --- sys/sys/tame.h 19 Jul 2015 02:35:35 -0000 1.1 +++ sys/sys/tame.h 20 Jul 2015 05:43:06 -0000 @@ -36,6 +36,7 @@ #define _TM_GETPW 0x00000800 /* enough to enable YP */ #define _TM_PROC 0x00001000 /* fork, waitpid, etc */ #define _TM_CPATH 0x00002000 /* allow create, mkdir, or inode mods */ +#define _TM_EXEC 0x00004000 /* exec new processes */ #define _TM_ABORT 0x08000000 /* SIGABRT instea of SIGKILL */ @@ -59,6 +60,7 @@ #define TAME_GETPW (TAME_STDIO | _TM_GETPW) #define TAME_PROC (_TM_PROC) #define TAME_CPATH (_TM_CPATH) +#define TAME_EXEC (_TM_EXEC) #define TAME_ABORT (_TM_ABORT) #ifdef _KERNEL Index: lib/libc/sys/tame.2 =================================================================== RCS file: /cvs/src/lib/libc/sys/tame.2,v retrieving revision 1.9 diff -u -p -u -p -r1.9 tame.2 --- lib/libc/sys/tame.2 19 Jul 2015 17:08:35 -0000 1.9 +++ lib/libc/sys/tame.2 20 Jul 2015 07:11:57 -0000 @@ -166,6 +166,10 @@ a few system calls become able to allow .Xr recvfrom 2 , .Xr socket 2 , .Xr connect 2 . +.It Ar TAME_EXEC +Allows the execution of processes via the +.Xr execve 2 +function. .It Ar TAME_GETPW This allows read-only opening of files in .Pa /etc