3e38f438 | 29-Oct-2024 | jsg <jsg@openbsd.org>
remove unneeded includes

2cfc28ad | 26-Oct-2024 | jsg <jsg@openbsd.org>
remove unneeded forward struct declarations

89961ef8 | 01-Sep-2024 | bluhm <bluhm@openbsd.org>
Pledge "vmm" for ccp(4) ioctl(2).
Limit ccp ioctls to processes that pledge vmm. Specific psp device ioctls for AMD SEV will allowed for vmd(8).
from hshoexer@; input deraadt@ jsg@

b7a7cb6a | 02-Jun-2023 | cheloha <cheloha@openbsd.org>
pledge(2): stdio: permit restricted profil(2) for moncontrol(3)
Currently, pledged '-pg' binaries get killed in _mcleanup() when they try to disable profil(2) via moncontrol(3).
Disabling profil(2) is harmless. Add profil(2) to the "stdio" pledge(2) promise and permit profil(2) calls when the scale argument is zero. Enabling profil(2) remains forbidden in pledged processes.
This gets us one step closer to making '-pg' binaries compatible with pledge(2). The next step is to decide how to exfiltrate the profiling data from the process during _mcleanup().
Prompted by semarie@. Cleaned up by deraadt@. With input from deraadt@, espie@, and semarie@.
"Looks good" deraadt@ pledge(2) pieces ok semarie@

9a23cfc8 | 01-Sep-2022 | jsg <jsg@openbsd.org>
remove ppath_destroy() prototype; function was never committed

09de7c43 | 18-Jul-2022 | jca <jca@openbsd.org>
Restrict pledge("vminfo") callers to read-only swapctl(2) operations.
Those are the read-only operations allowed for non-root users: SWAP_NSWAP and SWAP_STATS. Users of pledge("vminfo") in base which also call swapctl(2) with said commands: top(1) and pstat(8).
No regression spotted with top(1) and pstat(8) -s/-T.
ok deraadt@

5c5d7832 | 18-Jul-2022 | deraadt <deraadt@openbsd.org>
Delete the YPACTIVE toggling code when "getpw" code access/open are done to /var/run/ypbind.lock. "getpw" now only allows ypconnect(2) and the minimum unveil bypasses. Still allow open/access to file for a little while, because getpwent/getgrent/etc were opening it unconditionally to hint for YPACTIVE. That code should be deleted before 7.2

53c5351a | 17-Jul-2022 | deraadt <deraadt@openbsd.org>
backout last step: the path checks are too strong until everyone has a new libc..

1c3469d1 | 17-Jul-2022 | deraadt <deraadt@openbsd.org>
the PLEDGE_YPACTIVE "hack" bit related to "getpw" pledge goes away. libc no longer accesses /var/run/ypbind.lock to trigger extra permissions for userland-opening of files & sockets to engage with ypserver for YP/LDAP lookups. libc now uses the super secret special ypconnect() system call to perform socket-setup. Delete some other things which are no longer reached via libc/rpc. ok jmatthew, miod

b41ef503 | 11-Jun-2021 | deraadt <deraadt@openbsd.org>
Sort ID->pledge name translation in the same order as the manual page (which are idiomatically sorted rather than numerically), so that ps(1) "-o pledge" is easier to understand. from Josh Rickmar ok semarie kn dv

354feef1 | 05-Apr-2020 | visa <visa@openbsd.org>
Declare pledgenames[] as const.
OK deraadt@

5beb3ce7 | 19-Jun-2019 | deraadt <deraadt@openbsd.org>
the pledge STATLIE code is no longer needed, as discussed with beck. it actually isn't reached...

3ec81e34 | 21-Jan-2019 | landry <landry@openbsd.org>
Add "video" promise.
Allows a subset of ioctls on video(4) devices, subset selected from video(1) and firefox webrtc implementation.
ok semarie@ deraadt@

9dfd71d8 | 11-Aug-2018 | beck <beck@openbsd.org>
Get rid of PLEDGE_STAT, which was a hack used for unveil. We use UNVEIL_INSPECT instead in the unveil flags for the same purpose, and now add traversed vnodes of a path with UNVEIL_INSPECT instead of with 0 flags and voodoo in unveil_flagmatch. This allows us to uncontort the logic of unveil_flagmatch a bunch. helpful review and ok from semarie@

8b23add8 | 13-Jul-2018 | beck <beck@openbsd.org>
Unveiling unveil(2). This brings unveil into the tree, disabled by default - Currently this will return EPERM on all attempts to use it until we are fully certain it is ready for people to start using, but this now allows for others to do more tweaking and experimentation.
Still needs to send the unveil's across forks and execs before fully enabling.
Many thanks to robert@ and deraadt@ for extensive testing. ok deraadt@

8ba961a7 | 16-Jun-2018 | florian <florian@openbsd.org>
Introduce "wroute" promise.
For now this allows configuring an IPv6 address on an interface and reading the net.inet6.ip6.soiikey sysctl. To be used by slaacd.
prodding & OK deraadt

6605ddc8 | 26-Apr-2018 | deraadt <deraadt@openbsd.org>
prot_exec is the correct name; spotted by landry

69dc22ff | 09-Jan-2018 | mpi <mpi@openbsd.org>
Change `so_state' and `so_error' to unsigned int such that they can be atomically read from any context.
ok bluhm@, visa@

4ea7ed56 | 12-Dec-2017 | deraadt <deraadt@openbsd.org>
pledge()'s 2nd argument becomes char *execpromises, which becomes the pledge for a new execve image immediately upon start. Also introduces "error" which makes violations return -1 ENOSYS instead of killing the program ("error" may not be handed to a setuid/setgid program, which may be missing/ignoring syscall return values and would continue with inconsistent state) Discussion with many florian has used this to improve the strictness of a daemon

f46da438 | 29-Aug-2017 | deraadt <deraadt@openbsd.org>
Remove old deactivated pledge path code. A replacement mechanism is being brewed. ok beck

f8e00d7d | 20-Apr-2017 | deraadt <deraadt@openbsd.org>
only 32 bits of the pledgecode were passed up via ktrace from Anton Lindqvist ok semarie

b90d0acd | 23-Jan-2017 | deraadt <deraadt@openbsd.org>
Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only upon "inet". Adjust the 4 programs that care about this.

1d0044e1 | 03-Jul-2016 | semarie <semarie@openbsd.org>
introduces new promise "chown" to allow changing owner/group with *chown(2) family
it splits PLEDGE_FATTR in two ("fattr" still grants the 2 flags, so no functional changes):
- PLEDGE_CHOWN : to be able to call *chown(2) syscalls
- PLEDGE_FATTR : the rest
it introduces "chown" which grants:
- PLEDGE_CHOWN : be able to call *chown(2)
- PLEDGE_CHOWNUID : be able to modify owner/group
ok deraadt@ tedu@

a6ebf764 | 28-Apr-2016 | beck <beck@openbsd.org>
1) Split pledge whitelist path handling out of pledge_namei() and into pledge_namei_wlpath(). Call the wlpath check only at the end of namei after the namei lookup would otherwise succeed. 2) Add support to namei to keep the path that was looked up, without the symlinks in it, and use that path for whitelist path lookups. This means that paths in pledge whitelists will need to always be the real path to an intended file to whitelist, without symlinks. Any symlinks to the "real" file will then be allowed ok deraadt@ semarie@

fbc2f996 | 09-Jan-2016 | semarie <semarie@openbsd.org>
drop "abort" promise, and make it the default behaviour. The current code has already set it by default since 1.74
any pledge failure tries to make a coredump (default rules for coredump still apply: so setuid binaries don't create them locally).
ok deraadt@