I have worried about secret unveil failures, and I am happy with
this approach.

Alexander Bluhm <alexander.bl...@gmx.net> wrote:

> On Thu, Jul 18, 2019 at 04:13:10PM +0200, Alexander Bluhm wrote:
> > Hi,
> >
> > Can we track unveil(2) violators in process accounting lastcomm(1)?
> > This makes it easier to find them.
> 
> Could I put that in?  Process accounting is cheap and does not hurt.
> 
> I have added it locally to my daily mail like pledge.  Then I will
> notice how many bugs or false positives we have.
> 
> bluhm
> 
> > $ lastcomm | grep -e '-[A-Z]U'
> > pflogd     -FU     root    __         0.00 secs Thu Jul 18 14:19 
> > (2:33:22.00)
> >
> > Seems that pflogd(8) has to be investigated.
> >
> > Also we keep record about programs that may be exploited and do
> > something illegal.  We have the same mechanism for pledge(2).
> >
> > Not sure if we want it for both EACCES and ENOENT cases.  If it
> > creates false positives, we can change that later to EACCES only.
> >
> > ok?
> >
> > bluhm
> >
> > Index: kern/kern_unveil.c
> > ===================================================================
> > RCS file: /data/mirror/openbsd/cvs/src/sys/kern/kern_unveil.c,v
> > retrieving revision 1.27
> > diff -u -p -r1.27 kern_unveil.c
> > --- kern/kern_unveil.c      14 Jul 2019 03:26:02 -0000      1.27
> > +++ kern/kern_unveil.c      18 Jul 2019 12:01:24 -0000
> > @@ -18,6 +18,7 @@
> >
> >  #include <sys/param.h>
> >
> > +#include <sys/acct.h>
> >  #include <sys/mount.h>
> >  #include <sys/filedesc.h>
> >  #include <sys/proc.h>
> > @@ -823,6 +824,7 @@ unveil_check_final(struct proc *p, struc
> >                         " vnode %p\n",
> >                         p->p_p->ps_comm, p->p_p->ps_pid, ni->ni_vp);
> >  #endif
> > +                   p->p_p->ps_acflag |= AUNVEIL;
> >                     if (uv->uv_flags & UNVEIL_USERSET)
> >                             return EACCES;
> >                     else
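Review bot: The `p->p_p->ps_acflag |= AUNVEIL;` added ahead of the `if (uv->uv_flags & UNVEIL_USERSET)` test marks the process on both arms, including the `else` whose statement lies past the end of the hunk, whereas the parallel site in the @@ -865 hunk was restructured so that the flag is set only on the `return EACCES` arm and the `goto done` arm is left to the returns at `done:`. If the `else` here likewise continues the lookup rather than returning, a process whose access is ultimately granted is still recorded as an unveil violator in lastcomm(1); if it returns ENOENT the accounting matches the last hunk and this is moot, but the two sites then still read differently for no visible reason. Moving the assignment into the branch, `if (uv->uv_flags & UNVEIL_USERSET) { p->p_p->ps_acflag |= AUNVEIL; return EACCES; }`, would make the sites consistent. unveil_check_final begins before this hunk and the `else` body is outside it.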
> > @@ -865,10 +867,11 @@ unveil_check_final(struct proc *p, struc
> >                      * EACCESS. Otherwise, use any covering match
> >                      * that we found above this dir.
> >                      */
> > -                   if (uv->uv_flags & UNVEIL_USERSET)
> > +                   if (uv->uv_flags & UNVEIL_USERSET) {
> > +                           p->p_p->ps_acflag |= AUNVEIL;
> >                             return EACCES;
> > -                   else
> > -                           goto done;
> > +                   }
> > +                   goto done;
> >             }
> >             /* directory flags match, update match */
> >             if (uv->uv_flags & UNVEIL_USERSET)
> > @@ -881,6 +884,7 @@ unveil_check_final(struct proc *p, struc
> >             printf("unveil: %s(%d) flag mismatch for terminal '%s'\n",
> >                 p->p_p->ps_comm, p->p_p->ps_pid, tname->un_name);
> >  #endif
> > +           p->p_p->ps_acflag |= AUNVEIL;
> >             return EACCES;
> >     }
> >     /* name and flags match in this dir. update match*/
> > @@ -903,8 +907,10 @@ done:
> >                 p->p_p->ps_comm, p->p_p->ps_pid, ni->ni_cnd.cn_nameptr,
> >                 ni->ni_unveil_match->uv_vp);
> >  #endif
> > +           p->p_p->ps_acflag |= AUNVEIL;
> >             return EACCES;
> >     }
> > +   p->p_p->ps_acflag |= AUNVEIL;
> >     return ENOENT;
> >  }
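Review bot: The `p->p_p->ps_acflag |= AUNVEIL;` before `return ENOENT;` makes a name miss count as a violation exactly like the `return EACCES` paths, and the cover letter says this is a deliberate first cut that may be narrowed to EACCES only if it proves noisy, but nothing in the code records that intent. A one-line comment on the assignment, `/* ENOENT is accounted as a violation too; narrow to EACCES if this is noisy */`, would keep the next reader from "fixing" it either way. The `done:` label and the start of the enclosing `if` are outside this hunk.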
> >
> > Index: sys/acct.h
> > ===================================================================
> > RCS file: /data/mirror/openbsd/cvs/src/sys/sys/acct.h,v
> > retrieving revision 1.7
> > diff -u -p -r1.7 acct.h
> > --- sys/acct.h      8 Jun 2017 17:14:02 -0000       1.7
> > +++ sys/acct.h      18 Jul 2019 11:37:27 -0000
> > @@ -63,6 +63,7 @@ struct acct {
> >  #define    AXSIG   0x10            /* killed by a signal */
> >  #define    APLEDGE 0x20            /* killed due to pledge violation */
> >  #define    ATRAP   0x40            /* memory access violation */
> > +#define    AUNVEIL 0x80            /* unveil access violation */
> >     u_int8_t  ac_flag;      /* accounting flags */
> >  };
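Review bot: `AUNVEIL 0x80` takes the last free bit of the `u_int8_t ac_flag` declared on the line below it, so the next accounting flag will need a wider field, which changes the on-disk acct record layout read by lastcomm(1) and sa(8). A comment such as `/* ac_flag is full; widening it changes the acct record format */` next to the define would make that visible. The lastcomm output quoted at the top of the thread already shows the `U` letter, but no lastcomm(1)/sa(8) change is in this diff, so presumably the userland side is handled separately and should land together with the header.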
> 
