Hi, I'm not sure I can think of many uses for this; tame is not something you are intended to just apply blindly. Do you have any use cases?
I think the -aCcdghIiRSptuw approach is a bad idea and it would be better to do it with named flags like -o abort,cmsg,cpath. Maybe take a look at getsubopt(3), although I don't know if that API is in vogue anymore. Also adding TAME_EXEC seems like a different change entirely?

On Mon, Jul 20, 2015 at 01:00:00AM -0700, Jeremy Evans wrote:
> I'm not sure if this makes sense, since tame(2) was designed to operate
> on processes after they have already been initialized, and this would
> set the allowed operations before initializing the process.
>
> It's a fairly simple change to get the basics working as shown here,
> but it's currently not very useful as more complex programs generally
> can't start even if given all current tame(2) permissions.
>
> I mostly did this to get more experience working in the kernel, not
> because I think it is a good idea, but I welcome feedback all the same.
>
> First the manual, followed by the code, then the kernel and tame(2)
> manpage diff.
>
> Thanks,
> Jeremy
>
> TAME(1)                     General Commands Manual                    TAME(1)
>
> NAME
>
> tame - restrict system operations for process
>
> SYNOPSIS
>
> tame [-aCcdghIiRSptuw] utility [argument ...]
>
> DESCRIPTION
>
> tame restricts system operations using the tame(2) system call, then
> executes the utility with the given arguments. If the utility attempts to
> perform an operation which was not permitted, it will be killed by the
> system with SIGKILL.
> By default, tame restricts almost all system operations for the executed
> process, allowing only the execution of processes (TAME_EXEC), use of
> stdio (TAME_STDIO), and reading the file system (TAME_RPATH). All flags
> with the exception of -h, -R, and -S allow additional system operations.
> The options that allow additional system operations are as follows, with
> the tame(2) option that they enable:
>
> -a
> TAME_ABORT
>
> -C
> TAME_CMSG
>
> -c
> TAME_CPATH
>
> -d
> TAME_DNS
>
> -g
> TAME_GETPW
>
> -I
> TAME_IOCTL
>
> -i
> TAME_INET
>
> -p
> TAME_PROC
>
> -t
> TAME_TMPPATH
>
> -u
> TAME_UNIX
>
> -w
> TAME_WPATH
>
> The following options restrict system operations that are allowed by
> default:
>
> -R
> TAME_RW
>
> -r
> TAME_RPATH
>
> The -h option displays the usage.
> If the -r option is used, utility must be the full path to the utility;
> tame will no longer search the PATH to find it, as it will have already
> restricted the permissions that would allow that.
>
> EXIT STATUS
>
> The tame utility exits with one of the following values:
>
> 125
> An error occurred.
>
> 126
> The utility was not found or could not be invoked.
>
> Otherwise, the exit status of tame shall be that of utility.
>
> EXAMPLES
>
> Only allow overwriting files that already exist, do not allow creating new
> files:
>
> $ tame -w cp from to
>
> SEE ALSO
>
> tame(2)
>
> HISTORY
>
> The tame() system call appeared in OpenBSD 5.8.
>
> $Mdocdate: $                    OpenBSD 5.8
>
> tame.c:
>
> /* $OpenBSD: $ */
>
> /*
>  * Copyright (c) 2015 Jeremy Evans <jer...@openbsd.org>
>  *
>  * Permission to use, copy, modify, and distribute this software for any
>  * purpose with or without fee is hereby granted, provided that the above
>  * copyright notice and this permission notice appear in all copies.
>  *
>  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
>  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
>  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
>  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
>  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
>  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
>  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
>  */
>
> #include <err.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/tame.h>
> #include <unistd.h>
>
> __dead void usage(int);
>
> int
> main(int argc, char *argv[])
> {
> 	int ch;	/* getopt(3) returns int; a char cannot safely hold -1 on every arch */
> 	/* TAME_RPATH needed to find process to execute
> 	 * TAME_EXEC needed to execute the process
> 	 * TAME_STDIO needed by almost all processes
> 	 */
> 	int tame_flags = TAME_RPATH | TAME_STDIO | TAME_EXEC;
>
> 	while ((ch = getopt(argc, argv, "aCcdghIiRrptuw")) != -1)
> 		switch (ch) {
> 		case 'a':
> 			tame_flags |= TAME_ABORT;
> 			break;
> 		case 'C':
> 			tame_flags |= TAME_CMSG;
> 			break;
> 		case 'c':
> 			tame_flags |= TAME_CPATH;
> 			break;
> 		case 'd':
> 			tame_flags |= TAME_DNS;
> 			break;
> 		case 'g':
> 			tame_flags |= TAME_GETPW;
> 			break;
> 		case 'I':
> 			tame_flags |= TAME_IOCTL;
> 			break;
> 		case 'i':
> 			tame_flags |= TAME_INET;
> 			break;
> 		case 'p':
> 			tame_flags |= TAME_PROC;
> 			break;
> 		case 'R':
> 			tame_flags &= ~TAME_RW;
> 			break;
> 		case 'r':
> 			tame_flags &= ~TAME_RPATH;
> 			break;
> 		case 't':
> 			tame_flags |= TAME_TMPPATH;
> 			break;
> 		case 'u':
> 			tame_flags |= TAME_UNIX;
> 			break;
> 		case 'w':
> 			tame_flags |= TAME_WPATH;
> 			break;
> 		case 'h':
> 			usage(0);
> 			break;
> 		default:
> 			usage(125);
> 		}
>
> 	argv += optind;
> 	argc -= optind;
>
> 	/* without this check argv[0] is NULL when no utility is given */
> 	if (argc < 1)
> 		usage(125);
>
> 	/* restrict ourselves first; the restrictions must survive the exec below */
> 	if (tame(tame_flags) == -1)
> 		err(125, "tame");
>
> 	/* PATH search needs TAME_RPATH, so -r requires a full path to the utility */
> 	if (tame_flags & TAME_RPATH) {
> 		if (execvp(argv[0], argv) == -1)
> 			err(126, "%s", argv[0]);
> 	} else {
> 		if (execv(argv[0], argv) == -1)
> 			err(126, "%s", argv[0]);
> 	}
> }
>
> void
> usage(int status)
> {
> 	fprintf(stderr, "usage: tame [-aCcdghIiRrptuw] utility [argument ...]\n");
> 	exit(status);
> }
>
> kernel/manpage diff:
>
> Index: sys/kern/kern_tame.c
=================================================================== > RCS file: /cvs/src/sys/kern/kern_tame.c,v > retrieving revision 1.3 > diff -u -p -u -p -r1.3 kern_tame.c > --- sys/kern/kern_tame.c 20 Jul 2015 02:43:26 -0000 1.3 > +++ sys/kern/kern_tame.c 20 Jul 2015 06:30:12 -0000 > @@ -135,6 +135,8 @@ const u_int tame_syscalls[SYS_MAXSYSCALL > [SYS_setresgid] = _TM_PROC, > [SYS_setresuid] = _TM_PROC, > > + [SYS_execve] = _TM_EXEC, > + > [SYS_ioctl] = _TM_IOCTL, /* very limited subset */ > > [SYS_getentropy] = _TM_MALLOC, > @@ -564,6 +566,12 @@ tame_sysctl_check(struct proc *p, int na > return (0); > if (namelen == 2 && > name[0] == CTL_KERN && name[1] == KERN_HOSTNAME) > + return (0); > + > + /* getpagesize() */ > + if ((p->p_p->ps_tame & _TM_EXEC) && > + namelen == 2 && > + name[0] == CTL_HW && name[1] == HW_PAGESIZE) > return (0); > > printf("tame: pid %d %s sysctl %d: %d %d %d %d %d %d\n", > Index: sys/sys/tame.h > =================================================================== > RCS file: /cvs/src/sys/sys/tame.h,v > retrieving revision 1.1 > diff -u -p -u -p -r1.1 tame.h > --- sys/sys/tame.h 19 Jul 2015 02:35:35 -0000 1.1 > +++ sys/sys/tame.h 20 Jul 2015 05:43:06 -0000 > @@ -36,6 +36,7 @@ > #define _TM_GETPW 0x00000800 /* enough to enable YP */ > #define _TM_PROC 0x00001000 /* fork, waitpid, etc */ > #define _TM_CPATH 0x00002000 /* allow create, mkdir, or inode mods */ > +#define _TM_EXEC 0x00004000 /* exec new processes */ > > #define _TM_ABORT 0x08000000 /* SIGABRT instea of SIGKILL */ 
> > @@ -59,6 +60,7 @@ > #define TAME_GETPW (TAME_STDIO | _TM_GETPW) > #define TAME_PROC (_TM_PROC) > #define TAME_CPATH (_TM_CPATH) > +#define TAME_EXEC (_TM_EXEC) > #define TAME_ABORT (_TM_ABORT) > > #ifdef _KERNEL > Index: lib/libc/sys/tame.2 > =================================================================== > RCS file: /cvs/src/lib/libc/sys/tame.2,v > retrieving revision 1.9 > diff -u -p -u -p -r1.9 tame.2 > --- lib/libc/sys/tame.2 19 Jul 2015 17:08:35 -0000 1.9 > +++ lib/libc/sys/tame.2 20 Jul 2015 07:11:57 -0000 > @@ -166,6 +166,10 @@ a few system calls become able to allow > .Xr recvfrom 2 , > .Xr socket 2 , > .Xr connect 2 . > +.It Ar TAME_EXEC > +Allows the execution of processes via the > +.Xr execve 2 > +function. > .It Ar TAME_GETPW > This allows read-only opening of files in > .Pa /etc >
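Review bot: the `[SYS_execve] = _TM_EXEC` table entry in kern_tame.c, together with the tame.h and tame.2 hunks, is a self-contained kernel change (a new TAME_EXEC permission) that does not depend on the tame(1) wrapper shown above; it would be easier to review, and to commit or reject on its own merits, as a separate diff, which is also what the reply asks for.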
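Review bot: the hw.pagesize allowance added to tame_sysctl_check() is keyed on `p->p_p->ps_tame & _TM_EXEC`, so TAME_EXEC now grants two things, execve(2) and the getpagesize() sysctl, while the tame.2 hunk documents only the first; the `/* getpagesize() */` comment should say why a freshly exec'd image needs this before any other tame flag is consulted, and the manpage entry should list the sysctl alongside execve(2).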
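Review bot: while adding `#define _TM_EXEC 0x00004000` to tame.h, the neighbouring context line `/* SIGABRT instea of SIGKILL */` has a typo (instead) that could be corrected in the same diff.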
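Review bot: `#define TAME_EXEC (_TM_EXEC)` follows the bare TAME_PROC/TAME_CPATH pattern rather than the TAME_GETPW one visible in the same hunk, which ORs in TAME_STDIO; since the tame.c comment in this mail says TAME_STDIO is needed by almost all processes, a caller passing TAME_EXEC alone is likely to exec a child that is killed during its own startup. Either make TAME_EXEC imply TAME_STDIO like TAME_GETPW does, or say in tame.2 that it must be combined with it.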
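Review bot: the new `.It Ar TAME_EXEC` entry in tame.2 does not say whether the calling process's tame(2) restrictions carry over into the new image, which is exactly what the tame(1) wrapper (tame() followed by execvp()) relies on; the entry should state that explicitly, and the wording "Allows the execution of processes via the execve(2) function" could be tightened to "Allows execve(2)" to match the other entries.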
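As an added example (not code from the mail or from OpenBSD), this is one way to parse the named-flag form suggested above, `-o abort,cmsg,cpath`, with getsubopt(3): unknown names and `name=value` forms are rejected so a typo fails closed instead of running the utility under a different set of restrictions than intended. `parse_tame_opts` and `tame_flags_from` are hypothetical names, and the `X_TM_*` values for RPATH, STDIO and CMSG are constructed placeholders so the block builds without <sys/tame.h>.

```c
/* Added example, not from the mail: named tame flags parsed with getsubopt(3). */
#define _XOPEN_SOURCE 700	/* getsubopt(3) is POSIX but hidden under strict -std modes */
#include <stdlib.h>
#include <string.h>
/* CPATH, EXEC and ABORT are the values from the tame.h hunk; RPATH, STDIO and
 * CMSG are constructed placeholders, not OpenBSD's real bit values. */
#define X_TM_RPATH	0x00000001
#define X_TM_STDIO	0x00000002
#define X_TM_CMSG	0x00000004
#define X_TM_CPATH	0x00002000
#define X_TM_EXEC	0x00004000
#define X_TM_ABORT	0x08000000
#define X_TAME_DEFAULT	(X_TM_RPATH | X_TM_STDIO | X_TM_EXEC)	/* as in tame.c above */
/* tame_tokens[i] maps to tame_bits[i]; tokens from TAME_FIRST_CLEAR onward
 * clear a default bit, replacing the -r switch of the one-letter interface. */
static char *const tame_tokens[] = {
	"abort", "cmsg", "cpath", "exec", "norpath", NULL
};
static const int tame_bits[] = {
	X_TM_ABORT, X_TM_CMSG, X_TM_CPATH, X_TM_EXEC, X_TM_RPATH
};
#define TAME_FIRST_CLEAR	4
/* Apply "name[,name...]" to *flags. Returns 0, or -1 on an unknown or
 * too-long name or on a "name=value" form: a typo must fail closed, never
 * silently run the utility with more (or fewer) permissions than intended. */
int parse_tame_opts(const char *list, int *flags)
{
	char copy[256], *p, *value;
	int idx;

	if (strlen(list) >= sizeof(copy))
		return -1;
	memcpy(copy, list, strlen(list) + 1);	/* getsubopt() splits in place */
	for (p = copy; *p != '\0'; ) {
		idx = getsubopt(&p, tame_tokens, &value);
		if (idx < 0 || value != NULL)	/* no such name, or "name=value" */
			return -1;
		if (idx >= TAME_FIRST_CLEAR)
			*flags &= ~tame_bits[idx];
		else
			*flags |= tame_bits[idx];
	}
	return 0;
}
/* Flags for one "-o list" applied to the defaults, or -1 on error. */
int tame_flags_from(const char *list)
{
	int flags = X_TAME_DEFAULT;
	return parse_tame_opts(list, &flags) == 0 ? flags : -1;
}
```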