On Sun, Apr 10, 2016 at 01:43:17PM +0200, Theo Buehler wrote:
> This is a first stab at updating the list of syscalls in the pledge(2)
> manpage and at the same time I'd like to clarify some simple things.
I agree some update/cleanup is needed.
But I think we shouldn't try to document the whole set of allow/forbid
rules exhaustively, but only the most important parts of the system. As
an example, documenting __getcwd(2), which is internal and doesn't have a
man page, makes no sense (because you would have to go into the source
code to know what it is).
In the same way, for ioctl(2) or sysctl(3) flags, just having the list
of allowed flags is far from useful: you would have to know the exact
meaning of each flag to understand the intended usage of the promise. A
global description (with the list of flags) is more important to have.
tb@, thanks for your work! I have some comments below.
> I'm wondering about the chflags(2), chown(2) and chmod(2) families of
> system calls. They are currently listed up to four times: once at the
> beginning where it is explained that they have general restrictions,
> which makes sense. Then they are also listed under "fattr", "rpath" and
> "wpath". Wouldn't "fattr" with a corresponding note about possible
> additional need for "rpath" and "wpath" be better?
After reading the code, the chflags(2), chown(2) and chmod(2) families
should be allowed only with "fattr".
They have been present under the "rpath" and "wpath" sections since 1.1;
is it a copy/paste error?
I think they could be removed.
> The following aren't listed in the manpage. Should some of them be?
>
> [SYS_kbind] = PLEDGE_ALWAYS,
> [SYS___get_tcb] = PLEDGE_ALWAYS,
> [SYS_sendsyslog] = PLEDGE_ALWAYS, /* stack protector reporting */
> [SYS_osendsyslog] = PLEDGE_ALWAYS, /* obsolete sendsyslog */
> [SYS_thrkill] = PLEDGE_ALWAYS, /* raise, abort, stack pro */
> [SYS_utrace] = PLEDGE_ALWAYS, /* ltrace(1) from ld.so */
I think that internal (like SYS___get_tcb) or obsolete (like
SYS_osendsyslog) syscalls should not be documented.
For the others, I don't know. Most of them are in PLEDGE_ALWAYS because of
stack protector reporting, so even if pledged, the program can still
report errors to the system.
> I'm definitely not the right person to talk about these either:
>
> [SYS___tfork] = PLEDGE_STDIO,
> [SYS_sched_yield] = PLEDGE_STDIO,
> [SYS___thrsleep] = PLEDGE_STDIO,
> [SYS___thrwakeup] = PLEDGE_STDIO,
> [SYS___threxit] = PLEDGE_STDIO,
> [SYS___thrsigdivert] = PLEDGE_STDIO,
Maybe sched_yield(2)? The others are internal and related to pthreads,
so just saying that pthreads are allowed with "stdio" should be enough.
> getsockopt(2) and setsockopt(2) are currently discussed under "inet" and
> "unix". Should the "narrow whitelist" also be mentioned under "stdio"?
>
> [SYS_setsockopt] = PLEDGE_STDIO, /* narrow whitelist */
> [SYS_getsockopt] = PLEDGE_STDIO, /* narrow whitelist */
If documented under "stdio", it should be clear what is allowed (just
mentioning the syscalls would be error prone), and preferably why.
Currently only SO_RCVBUF and SO_ERROR are allowed when you have only
"stdio". They are allowed in "stdio" because they are really common.
> The kill(2) call is only mentioned under "proc". The special case of
> "killing self" currently isn't mentioned and probably should be:
> /*
> * Can kill self with "stdio". Killing another pid
> * requires "proc"
> */
> [SYS_o58_kill] = PLEDGE_STDIO,
> [SYS_kill] = PLEDGE_STDIO,
I agree it should be explicitly documented.
> Not added since there is ongoing discussion about it:
>
> [SYS_chroot] = PLEDGE_ID, /* also requires PLEDGE_PROC */
>
> What about this one? It is not currently mentioned at all.
> /*
> * Classify as RPATH|WPATH, because of path information leakage.
> * WPATH due to unknown use of mk*temp(3) on non-/tmp paths..
> */
> [SYS___getcwd] = PLEDGE_RPATH | PLEDGE_WPATH,
As __getcwd(2) doesn't have a man page and is internal, it shouldn't be
documented in pledge(2) either.
> Finally, I added bind(2) and getsockname(2) to "dns". Was that a simple
> omission or is there more to it?
Moving target :)
I agree with adding them too.
> Index: pledge.2
> ===================================================================
> RCS file: /var/cvs/src/lib/libc/sys/pledge.2,v
> retrieving revision 1.27
> diff -u -p -r1.27 pledge.2
> --- pledge.2 11 Mar 2016 06:36:51 -0000 1.27
> +++ pledge.2 10 Apr 2016 10:26:25 -0000
> @@ -92,7 +92,8 @@ Use of the "tty" and "ioctl" promises re
> .It Xr mkfifo 2
> .It Xr mknod 2
> Setuid/setgid/sticky bits are ignored.
> -The user or group cannot be changed on a file.
> +The user cannot be changed on a file and the group can only be changed
> +to a group to which the process belongs.
It isn't completely true: you can change the user on a file only if
the "destination" uid is the effective uid of the process (and, as usual,
only if you would have the right to do that while unpledged: so being
superuser).
So:
- if pledged and running as root: you can change the owner of any file
to root (but to nobody else)
- in other cases, you can't change the owner (pledged or not) as you
aren't superuser.
And to be complete, a failure (trying to change the owner while pledge
forbids it) isn't fatal: chown(2) will just return EPERM without killing
the process.
> .Pp
> .It Xr mmap 2
> .It Xr mprotect 2
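Review bot: the replacement sentence still says the user "cannot be changed", which the reply above contradicts: chown to the process's own effective uid is permitted under pledge, and a refused chown returns EPERM rather than terminating the process. Suggest wording along the lines of "The user can only be changed to the effective user of the process and the group only to a group to which the process belongs; other changes fail with EPERM." so that both the allowed case and the failure mode are documented.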
> @@ -133,6 +134,7 @@ The following system calls are permitted
> in libc, including memory allocation, most types of IO operations on
> previously allocated file descriptors:
> .Pp
> +.Xr break 2 ,
> .Xr clock_getres 2 ,
> .Xr clock_gettime 2 ,
> .Xr close 2 ,
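Review bot: `.Xr break 2` in the "stdio" list needs checking against an actual manual page name before commit; the data-segment call is documented as brk(2)/sbrk(2), and a cross-reference to a page that does not exist renders as a dead link. If the intent is to record that SYS_break is permitted, cite brk(2), or leave the entry out as an internal name, consistent with the reply's point about not documenting internals.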
> @@ -142,10 +144,10 @@ previously allocated file descriptors:
> .Xr dup3 2 ,
> .Xr fchdir 2 ,
> .Xr fcntl 2 ,
> +.Xr fpathconf 2 ,
> .Xr fstat 2 ,
> .Xr fsync 2 ,
> .Xr ftruncate 2 ,
> -.Xr getdents 2 ,
> .Xr getdtablecount 2 ,
> .Xr getegid 2 ,
> .Xr getentropy 2 ,
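Review bot: dropping `.Xr getdents 2` from "stdio" here (it reappears under "rpath" later in this patch) changes what readers are told about reading an already-open directory descriptor, which the section intro describes as "IO operations on previously allocated file descriptors"; this move deserves a line in the commit message, and ideally a check against the kernel table so it is not mistaken for a stray deletion like the duplicate getuid(2) removed in the next hunk.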
> @@ -154,6 +156,7 @@ previously allocated file descriptors:
> .Xr getgroups 2 ,
> .Xr getitimer 2 ,
> .Xr getlogin 2 ,
> +.Xr getlogin_r 2 ,
> .Xr getpgid 2 ,
> .Xr getpgrp 2 ,
> .Xr getpid 2 ,
> @@ -161,11 +164,11 @@ previously allocated file descriptors:
> .Xr getresgid 2 ,
> .Xr getresuid 2 ,
> .Xr getrlimit 2 ,
> +.Xr getrusage 2 ,
> .Xr getsid 2 ,
> .Xr getthrid 2 ,
> .Xr gettimeofday 2 ,
> .Xr getuid 2 ,
> -.Xr getuid 2 ,
> .Xr issetugid 2 ,
> .Xr kevent 2 ,
> .Xr kqueue 2 ,
> @@ -176,12 +179,15 @@ previously allocated file descriptors:
> .Xr mprotect 2 ,
> .Xr mquery 2 ,
> .Xr munmap 2 ,
> +.Xr msync 2 ,
> .Xr nanosleep 2 ,
> .Xr pipe 2 ,
> .Xr pipe2 2 ,
> .Xr poll 2 ,
> +.Xr ppoll 2 ,
> .Xr pread 2 ,
> .Xr preadv 2 ,
> +.Xr pselect 2 ,
> .Xr pwrite 2 ,
> .Xr pwritev 2 ,
> .Xr read 2 ,
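Review bot: `.Xr msync 2` is inserted after munmap(2), breaking the alphabetical order the rest of this list follows (mprotect, mquery, munmap); move it between mquery(2) and munmap(2). ppoll(2) and pselect(2) are placed correctly.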
> @@ -195,9 +201,13 @@ previously allocated file descriptors:
> .Xr setitimer 2 ,
> .Xr shutdown 2 ,
> .Xr sigaction 2 ,
> +.Xr sigaltstack 2 ,
> +.Xr sigpending 2 ,
> .Xr sigprocmask 2 ,
> .Xr sigreturn 2 ,
> +.Xr sigsuspend 2 ,
> .Xr socketpair 2 ,
> +.Xr stat 2 ,
> .Xr umask 2 ,
> .Xr wait4 2 ,
> .Xr write 2 ,
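Review bot: `.Xr stat 2` takes a pathname, so it sits oddly in a list the section intro describes as IO on "previously allocated file descriptors", and lstat(2) and fstatat(2) are being moved to "rpath" in this same patch. Either stat(2) belongs under "rpath" as well, or the "stdio" entry needs a sentence saying which stat cases are permitted without "rpath".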
> @@ -215,46 +225,52 @@ read-only effects on the filesystem:
Should remove chmod, chown, chflags from "rpath".
> .Xr chdir 2 ,
> .Xr getcwd 3 ,
> .Xr openat 2 ,
> -.Xr fstatat 2 ,
> .Xr faccessat 2 ,
> -.Xr readlinkat 2 ,
> -.Xr lstat 2 ,
> +.Xr chflags 2 ,
> +.Xr chflagsat 2 ,
> .Xr chmod 2 ,
> .Xr fchmod 2 ,
> .Xr fchmodat 2 ,
> -.Xr chflags 2 ,
> -.Xr chflagsat 2 ,
> .Xr chown 2 ,
> .Xr fchown 2 ,
> .Xr fchownat 2 ,
> .Xr fstat 2 ,
> +.Xr fstatat 2 ,
> +.Xr fstatfs 2 ,
> +.Xr getdents 2 ,
> .Xr getfsstat 2 .
> +.Xr lstat 2 ,
> +.Xr pathconf 2 ,
> +.Xr readlinkat 2 ,
> +.Xr statfs 2 .
> .It Va "wpath"
> A number of system calls are allowed and may cause
> write-effects on the filesystem:
Should remove chmod, chown, chflags from "wpath".
> .Pp
> .Xr getcwd 3 ,
> .Xr openat 2 ,
> -.Xr fstatat 2 ,
> .Xr faccessat 2 ,
> -.Xr readlinkat 2 ,
> -.Xr lstat 2 ,
> +.Xr chflags 2 ,
> +.Xr chflagsat 2 ,
> .Xr chmod 2 ,
> .Xr fchmod 2 ,
> .Xr fchmodat 2 ,
> -.Xr chflags 2 ,
> -.Xr chflagsat 2 ,
> .Xr chown 2 ,
> .Xr fchown 2 ,
> .Xr fchownat 2 ,
> +.Xr lchown 2 .
> .Xr fstat 2 .
> +.Xr fstatat 2 ,
> +.Xr lstat 2 ,
> +.Xr readlinkat 2 ,
> +.Xr truncate 2 .
> .It Va "cpath"
> A number of system calls and sub-modes are allowed, which may
> create new files or directories in the filesystem:
> .Pp
> .Xr rename 2 ,
> -.Xr rmdir 2 ,
> .Xr renameat 2 ,
> +.Xr rmdir 2 ,
> .Xr link 2 ,
> .Xr linkat 2 ,
> .Xr symlink 2 ,
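Review bot: three list terminators are now wrong: `.Xr getfsstat 2 .`, `.Xr lchown 2 .` and `.Xr fstat 2 .` keep the full stop from when they closed their lists but are now followed by more entries, so they should end with a comma, leaving only `.Xr statfs 2 .` and `.Xr truncate 2 .` with the period. Separately, as the reply says, the chflags/chmod/chown families are still duplicated here under "rpath" and "wpath" although the kernel grants them only with "fattr"; drop them from both lists.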
> @@ -308,15 +324,15 @@ relating to a file:
> .Xr futimes 2 ,
> .Xr utimensat 2 ,
> .Xr futimens 2 ,
> +.Xr chflags 2 ,
> +.Xr chflagsat 2 ,
> .Xr chmod 2 ,
> .Xr fchmod 2 ,
> .Xr fchmodat 2 ,
> -.Xr chflags 2 ,
> -.Xr chflagsat 2 ,
> .Xr chown 2 ,
> +.Xr fchown 2 ,
> .Xr fchownat 2 ,
> .Xr lchown 2 ,
> -.Xr fchown 2 ,
> .Xr utimes 2 .
> .It Va "flock"
> File locking via
> @@ -353,7 +369,9 @@ a few system calls become able to allow
> .Xr sendto 2 ,
> .Xr recvfrom 2 ,
> .Xr socket 2 ,
> -.Xr connect 2 .
> +.Xr bind 2 ,
> +.Xr connect 2 ,
> +.Xr getsockname 2 .
> .It Va "getpw"
> This allows read-only opening of files in
> .Pa /etc
> @@ -376,11 +394,11 @@ operations.
> .It Va "sendfd"
> Allows sending of file descriptors using
> .Xr sendmsg 2 .
> -File descriptors referering to directories may not be passed.
> +File descriptors referring to directories may not be passed.
> .It Va "recvfd"
> Allows receiving of file descriptors using
> .Xr recvmsg 2 .
> -File descriptors referering to directories may not be passed.
> +File descriptors referring to directories may not be passed.
> .It Va "ioctl"
> Allows a subset of
> .Xr ioctl 2
> @@ -476,6 +494,8 @@ programs like
> .Xr top 1
> and
> .Xr vmstat 8 .
> +Also allows
> +.Xr swapctl 2 .
> .It Va "id"
> Allows the following system calls which can change the rights of a
> process:
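Review bot: "Also allows swapctl(2)" needs to say which swapctl operations are permitted; swapctl(2) covers both querying and reconfiguring swap, and the reply above makes exactly this point about ioctl(2)/sysctl(3) flag lists: an entry without the allowed sub-operations tells the reader nothing about the promise's intended use. State the allowed commands (for example that only the read-only queries used by top(1) and vmstat(8) are permitted, if that is the case) in the text.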
>
>
With the removal of chmod, chown and chflags from rpath and wpath, it
is OK semarie@.
Thanks.
--
Sebastien Marie