I have worried about secret unveil failures, and I am happy with this approach.
Alexander Bluhm <alexander.bl...@gmx.net> wrote: > On Thu, Jul 18, 2019 at 04:13:10PM +0200, Alexander Bluhm wrote: > > Hi, > > > > Can we track unveil(2) violators in process accounting lastcomm(1)? > > This makes it easier to find them. > > Could I put that in? Process accounting is cheap and does not hurt. > > I have added it localy to my daily mail like pledge. Then I will > notice how many bugs or false positives we have. > > bluhm > > > $ lastcomm | grep -e '-[A-Z]U' > > pflogd -FU root __ 0.00 secs Thu Jul 18 14:19 > > (2:33:22.00) > > > > Seems that pflogd(8) has to be investigated. > > > > Also we keep record about programs that may be exploited and do > > something illegal. We have the same mechanism for pledge(2). > > > > Not sure if we want it for both EACCES and ENOENT cases. If it > > creates false positives, we can change that later to EACCES only. > > > > ok? > > > > bluhm > > > > Index: kern/kern_unveil.c > > =================================================================== > > RCS file: /data/mirror/openbsd/cvs/src/sys/kern/kern_unveil.c,v > > retrieving revision 1.27 > > diff -u -p -r1.27 kern_unveil.c > > --- kern/kern_unveil.c 14 Jul 2019 03:26:02 -0000 1.27 > > +++ kern/kern_unveil.c 18 Jul 2019 12:01:24 -0000 > > @@ -18,6 +18,7 @@ > > > > #include <sys/param.h> > > > > +#include <sys/acct.h> > > #include <sys/mount.h> > > #include <sys/filedesc.h> > > #include <sys/proc.h> > > @@ -823,6 +824,7 @@ unveil_check_final(struct proc *p, struc > > " vnode %p\n", > > p->p_p->ps_comm, p->p_p->ps_pid, ni->ni_vp); > > #endif > > + p->p_p->ps_acflag |= AUNVEIL; > > if (uv->uv_flags & UNVEIL_USERSET) > > return EACCES; > > else 
> > @@ -865,10 +867,11 @@ unveil_check_final(struct proc *p, struc > > * EACCESS. Otherwise, use any covering match > > * that we found above this dir. > > */ > > - if (uv->uv_flags & UNVEIL_USERSET) > > + if (uv->uv_flags & UNVEIL_USERSET) { > > + p->p_p->ps_acflag |= AUNVEIL; > > return EACCES; > > - else > > - goto done; > > + } > > + goto done; > > } > > /* directory flags match, update match */ > > if (uv->uv_flags & UNVEIL_USERSET) > > @@ -881,6 +884,7 @@ unveil_check_final(struct proc *p, struc > > printf("unveil: %s(%d) flag mismatch for terminal '%s'\n", > > p->p_p->ps_comm, p->p_p->ps_pid, tname->un_name); > > #endif > > + p->p_p->ps_acflag |= AUNVEIL; > > return EACCES; > > } > > /* name and flags match in this dir. update match*/ > > @@ -903,8 +907,10 @@ done: > > p->p_p->ps_comm, p->p_p->ps_pid, ni->ni_cnd.cn_nameptr, > > ni->ni_unveil_match->uv_vp); > > #endif > > + p->p_p->ps_acflag |= AUNVEIL; > > return EACCES; > > } > > + p->p_p->ps_acflag |= AUNVEIL; > > return ENOENT; > > } > > > > Index: sys/acct.h > > =================================================================== > > RCS file: /data/mirror/openbsd/cvs/src/sys/sys/acct.h,v > > retrieving revision 1.7 > > diff -u -p -r1.7 acct.h > > --- sys/acct.h 8 Jun 2017 17:14:02 -0000 1.7 > > +++ sys/acct.h 18 Jul 2019 11:37:27 -0000 > > @@ -63,6 +63,7 @@ struct acct { > > #define AXSIG 0x10 /* killed by a signal */ > > #define APLEDGE 0x20 /* killed due to pledge violation */ > > #define ATRAP 0x40 /* memory access violation */ > > +#define AUNVEIL 0x80 /* unveil access violation */ > > u_int8_t ac_flag; /* accounting flags */ > > }; >
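Review bot: in the `@@ -823,6 +824,7 @@` hunk the `p->p_p->ps_acflag |= AUNVEIL;` is placed before the `if (uv->uv_flags & UNVEIL_USERSET)` test, so the non-USERSET `else` path (whose body is outside the visible context) is marked as well, while the `@@ -865` hunk marks only the USERSET branch that returns EACCES. If the `else` path here does not fail the lookup, this tags a process that was never denied; if it does fail, a one-line comment saying so would make the asymmetry with the later hunk look deliberate rather than accidental.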
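Review bot: the restructure in `@@ -865,10 +867,11 @@` from `if (...) return EACCES; else goto done;` to `if (...) { ...; return EACCES; } goto done;` is behaviour-preserving, since the `return` makes the old `else` redundant, and the unflagged `goto done` path is still covered by the assignments the `@@ -903` hunk adds before the error returns at `done:`. While this block is being touched, the context comment `* EACCESS. Otherwise, use any covering match` misspells EACCES and could be fixed in the same commit.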
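Review bot: the `@@ -903,8 +907,10 @@` hunk sets the flag before `return ENOENT;` as well as before `return EACCES;`, so a process is marked for any lookup that simply falls outside every unveil(2) path, which is the "both EACCES and ENOENT" case the cover letter is unsure about. Because these hunks only ever OR the bit into the process-wide `ps_acflag` and never clear it, a single harmless ENOENT probe (a library checking for an optional file, say) tags an otherwise clean process for the rest of its run; that is the most likely source of false positives such as the pflogd(8) hit. If the EACCES-only fallback is taken later, it is exactly this last assignment that has to go, so a short comment marking it as the ENOENT case would help the next reader.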
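Review bot: `#define AUNVEIL 0x80` in the `sys/acct.h` hunk takes the last free bit of the `u_int8_t ac_flag`, so the next accounting flag will need a wider field and therefore a change to the `struct acct` record layout and the acct(5) file format; worth a remark in the commit message. Also, this diff only covers the kernel side: the `U` letter in the `pflogd -FU` lastcomm(1) output quoted above implies a matching lastcomm(1) change that decodes 0x80, which is not part of this diff and should either be included or referenced.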