Revision 1.14, Fri Oct 9 01:10:27 2015 UTC by deraadt
Branch: MAIN
CVS Tags: HEAD
Changes since 1.13: +1 -1 lines
FILE REMOVED
Rename tame() to pledge(). This fairly interface has evolved to be more strict than anticipated. It allows a programmer to pledge/promise/covenant that their program will operate within an easily defined subset of the Unix environment, or it pays the price.
Revision 1.13, Thu Oct 8 17:29:43 2015 UTC by deraadt
Branch: MAIN
Changes since 1.12: +2 -1 lines
Expose a small set of multicast join operators under the request "mcast". This will be used by a few daemons. If they lack this feature, then they would need to operate without tame. Discussed with renato
Revision 1.12, Wed Oct 7 19:52:54 2015 UTC by deraadt
Branch: MAIN
Changes since 1.11: +2 -1 lines
Split out routing sysctls from tame "inet", and put them into the new tame "route" request. Now routing daemons and tools (such as arp) can narrowly ask for either feature. One thing remains available in both cases -- support for getifaddr()'s, since libc and programs often use that in close association with socket creation. ok benno sthen beck, some discussion with renato
Revision 1.11, Wed Oct 7 03:47:43 2015 UTC by deraadt
Branch: MAIN
Changes since 1.10: +3 -1 lines
Add the tame "exec" request. This allows processes which request "exec" to call execve(2), potentially fork(2) beforehand if they asked for "proc". Calling execve is what "shells" (ksh, tmux, etc) have as their primary purpose. But meantime, if such a shell has a nasty bug, we want to mitigate the process from opening a socket or calling 100+ other system calls. Unfortunately silver bullets are in short supply, so if our goal is to stay in a POSIX-y environment, we have to let shells call execve(). POSIX ate the world, so what choices do we all have? Warning for many: silver bullets are even more rare in other OS ecosystems, so please accept this as a narrow lowering of the bar in a very raised environment. Committed from a machine running tame "proc exec" ksh, make, etc.
Revision 1.10, Tue Oct 6 15:21:26 2015 UTC by deraadt
Branch: MAIN
Changes since 1.9: +7 -4 lines
Add new "tty" request, which allows TIOCGETA, TIOCGPGRP, TIOCGWINSZ, TIOCSBRK, TIOCCDTR, TIOCSETA, TIOCSETAW, and TIOCSETAF on tty vnodes. This helps programs which call tcsetattr(), tcgetattr(), or readpassphrase(). Especially the latter - tame's goal is to satisfy the libc requirements of security-sensitive programs. Remove TIOCSETAF from the basic "ioctl" request, because it is a "set" option. "ioctl" is slowly turning into a "request information, cannot set options" package. Split the "cmsg" request into "sendfd" and "recvfd". Non-SCM_RIGHTS messages are currently flowing through freely and we'll need to think about that. This split lets us more strictly describe what our many fd-passing programs will do.
Revision 1.9, Tue Oct 6 14:55:41 2015 UTC by claudio
Branch: MAIN
Changes since 1.8: +4 -3 lines
Rework the tame cmsg handler to make it work both ways. On recv there is one mbuf blob with all the cmsgs inside, while on send the cmsgs are in an mbuf chain, one mbuf per message. Adjust the calls accordingly. Putting it in so deraadt@ can move forward.
Revision 1.8, Wed Sep 30 11:36:07 2015 UTC by semarie
Branch: MAIN
Changes since 1.7: +2 -1 lines
implement new "prot_exec" tame(2) request:
- by default, a tamed program doesn't have the possibility to use PROT_EXEC for mmap(2) or mprotect(2)
- for that, use the request "prot_exec" (that could be dropped later)
initial idea from deraadt@ and kettenis@
"make complete sense" beck@
ok deraadt@
Revision 1.7, Fri Sep 11 15:29:47 2015 UTC by deraadt
Branch: MAIN
Changes since 1.6: +20 -37 lines
Convert _TM_ flags to TAME_ flags, collapsing the entire mapping layer because the strings select the right options. Mechanical conversion. ok guenther
Revision 1.6, Wed Sep 9 17:56:59 2015 UTC by deraadt
Branch: MAIN
Changes since 1.5: +6 -10 lines
Move to next tame() API. The flags are now passed as a very simple string, which results in tame() code placements being much more recognizable. tame() can be moved to unistd.h and does not need cpp symbols to turn the bits on and off. The resulting API is a bit unexpected, but simplifies the mapping to enabling bits in the kernel substantially. vague ok's from various including guenther doug semarie
Revision 1.5, Wed Aug 26 05:20:06 2015 UTC by doug
Branch: MAIN
Changes since 1.4: +2 -2 lines
Convert paths argument of tame(2) to const char **. The path will not be modified and this reduces casts. Discussed with many. ok deraadt@
Revision 1.4, Sat Aug 22 20:18:50 2015 UTC by deraadt
Branch: MAIN
Changes since 1.3: +17 -3 lines
Move to tame(int flags, char *paths[]) API/ABI. The pathlist is a whitelist of dirs and files; anything else returns ENOENT. Recommendation is to use a narrowly defined list. Also add TAME_FATTR, which permits explicit change operations against "struct stat" fields. Some other TAME_ flags are refined slightly. Not cranking libc now, since nothing committed in base uses this and the timing is uncomfortable for others. Discussed with many; thanks for a few bug fixes from semarie, doug, guenther. ok guenther
Revision 1.3, Tue Jul 28 15:22:25 2015 UTC by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.2: +4 -4 lines
normalize disclaimer to license.template; noted by reyk
Revision 1.2, Mon Jul 27 17:48:06 2015 UTC by deraadt
Branch: MAIN
Changes since 1.1: +2 -2 lines
typo
Revision 1.1, Sun Jul 19 02:35:35 2015 UTC by deraadt
Branch: MAIN
tame(2) is a subsystem which restricts programs into a "reduced feature operating model". This is the kernel component; various changes should proceed in-tree for a while before userland programs start using it. ok miod, discussions and help from many