On Thu, Jul 18, 2019 at 04:13:10PM +0200, Alexander Bluhm wrote:
> Hi,
>
> Can we track unveil(2) violators in process accounting lastcomm(1)?
> This makes it easier to find them.
Could I put that in? Process accounting is cheap and does not hurt.
I have added it locally to my daily mail like pledge. Then I will
notice how many bugs or false positives we have.
bluhm
> $ lastcomm | grep -e '-[A-Z]U'
> pflogd -FU root __ 0.00 secs Thu Jul 18 14:19 (2:33:22.00)
>
> Seems that pflogd(8) has to be investigated.
>
> Also we keep record about programs that may be exploited and do
> something illegal. We have the same mechanism for pledge(2).
>
> Not sure if we want it for both EACCES and ENOENT cases. If it
> creates false positives, we can change that later to EACCES only.
>
> ok?
>
> bluhm
>
> Index: kern/kern_unveil.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/kern/kern_unveil.c,v
> retrieving revision 1.27
> diff -u -p -r1.27 kern_unveil.c
> --- kern/kern_unveil.c 14 Jul 2019 03:26:02 -0000 1.27
> +++ kern/kern_unveil.c 18 Jul 2019 12:01:24 -0000
> @@ -18,6 +18,7 @@
>
> #include <sys/param.h>
>
> +#include <sys/acct.h>
> #include <sys/mount.h>
> #include <sys/filedesc.h>
> #include <sys/proc.h>
> @@ -823,6 +824,7 @@ unveil_check_final(struct proc *p, struc
> " vnode %p\n",
> p->p_p->ps_comm, p->p_p->ps_pid, ni->ni_vp);
> #endif
> + p->p_p->ps_acflag |= AUNVEIL;
> if (uv->uv_flags & UNVEIL_USERSET)
> return EACCES;
> else
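Review bot: The added `p->p_p->ps_acflag |= AUNVEIL;` at line 44 sits above the UNVEIL_USERSET test, so it also marks the non-userset branch whose body (after the `else` at line 47) lies outside this hunk, whereas the otherwise parallel hunk at lines 53–59 sets the flag only inside the userset branch and lets the other path reach `done:`, which flags it again at lines 75 and 78. If the `else` here also ends at `done:`, the assignment can move inside the `if` to match the later hunk; if it returns ENOENT directly, a comment such as `/* record the denial in accounting regardless of which errno we return */` would document that the asymmetry with the later hunk is intentional. Either way the five repeated assignments cannot be collapsed to `done:` alone, because the early `return EACCES` paths at lines 46, 55 and 68 do not pass through it. The read-modify-write of `ps_acflag` from the lookup path carries no visible locking; if other threads of the process can set accounting flags at the same time a lost update is possible, though the existing pledge path presumably does the same. unveil_check_final begins before this hunk.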
> @@ -865,10 +867,11 @@ unveil_check_final(struct proc *p, struc
> * EACCESS. Otherwise, use any covering match
> * that we found above this dir.
> */
> - if (uv->uv_flags & UNVEIL_USERSET)
> + if (uv->uv_flags & UNVEIL_USERSET) {
> + p->p_p->ps_acflag |= AUNVEIL;
> return EACCES;
> - else
> - goto done;
> + }
> + goto done;
> }
> /* directory flags match, update match */
> if (uv->uv_flags & UNVEIL_USERSET)
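Review bot: The comment at line 49 names the errno `EACCESS`, while the code two lines below it returns `EACCES`; since this hunk already rewrites the surrounding lines, correcting the spelling in the same commit would be cheap. The brace restructuring itself is fine: dropping the `else` after an unconditional `return` and letting `goto done;` stand alone reads more clearly than the old two-arm form. unveil_check_final begins before this hunk and continues after it.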
> @@ -881,6 +884,7 @@ unveil_check_final(struct proc *p, struc
> printf("unveil: %s(%d) flag mismatch for terminal '%s'\n",
> p->p_p->ps_comm, p->p_p->ps_pid, tname->un_name);
> #endif
> + p->p_p->ps_acflag |= AUNVEIL;
> return EACCES;
> }
> /* name and flags match in this dir. update match*/
> @@ -903,8 +907,10 @@ done:
> p->p_p->ps_comm, p->p_p->ps_pid, ni->ni_cnd.cn_nameptr,
> ni->ni_unveil_match->uv_vp);
> #endif
> + p->p_p->ps_acflag |= AUNVEIL;
> return EACCES;
> }
> + p->p_p->ps_acflag |= AUNVEIL;
> return ENOENT;
> }
>
> Index: sys/acct.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/sys/acct.h,v
> retrieving revision 1.7
> diff -u -p -r1.7 acct.h
> --- sys/acct.h 8 Jun 2017 17:14:02 -0000 1.7
> +++ sys/acct.h 18 Jul 2019 11:37:27 -0000
> @@ -63,6 +63,7 @@ struct acct {
> #define AXSIG 0x10 /* killed by a signal */
> #define APLEDGE 0x20 /* killed due to pledge violation */
> #define ATRAP 0x40 /* memory access violation */
> +#define AUNVEIL 0x80 /* unveil access violation */
> u_int8_t ac_flag; /* accounting flags */
> };
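Review bot: `AUNVEIL 0x80` takes the last free bit of the `u_int8_t ac_flag` field at line 94, so any further accounting flag will require widening the field and therefore the on-disk acct(5) record; a one-line comment next to the define, e.g. `/* last bit of ac_flag; widening needs an acct(5) format change */`, would save the next person from discovering that the hard way. The lastcomm(1) output quoted in the mail already shows a `U` letter for this flag, which suggests a matching userland change (lastcomm(1), sa(8), the acct(5) manual) exists but is not part of this diff; it would be worth committing them together so that userland never sees an ac_flag bit it cannot decode. The struct definition begins before this hunk.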