#
b7041c07 |
| 24-Oct-2021 |
deraadt <deraadt@openbsd.org> |
For open/openat, if the flags parameter does not contain O_CREAT, the 3rd (variadic) mode_t parameter is irrelevant. Many developers in the past have passed mode_t (0, 044, 0644, or such), which might lead future people to copy this broken idiom, and perhaps even believe this parameter has some meaning or implication or application. Delete them all. This comes out of a conversation where tb@ noticed that a strange (but intentional) pledge behaviour is to always knock-out high-bits from mode_t on a number of system calls as a safety factor, and his bewilderment that this appeared to be happening against valid modes (at least visually), but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef. ok millert
|
#
bc5a8259 |
| 12-Jul-2021 |
beck <beck@openbsd.org> |
Change the error reporting pattern throughout the tree when unveil fails to report the path that the failure occurred on. Suggested by deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
#
df69c215 |
| 28-Jun-2019 |
deraadt <deraadt@openbsd.org> |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
30f341d9 |
| 26-Oct-2018 |
mestre <mestre@openbsd.org> |
If we pass `file' via args then we need to unveil(2) it with read permission, otherwise if omitted we need to unveil(2) both _PATH_UNIX and _PATH_KSYMS with same permissions.
Unconditionally we need to also unveil(2) dbdir, which by default is _PATH_VARDB but can be changed via args (-o directory), with read/write/create permissions. There are a couple of temp files that will be created but it's inside dbdir so there's no need to unveil(2) them individually.
Since we already call pledge(2) before, twice, we need to add "unveil" promise to both of them, and finally call pledge(2) once again with the needed promises except "unveil".
OK millert@
|
#
5eee0837 |
| 21-Nov-2017 |
tb <tb@openbsd.org> |
The call to setegid(2) was replaced with setresgid(2) a while ago. Adjust error message accordingly.
|
#
70885aea |
| 25-Apr-2016 |
deraadt <deraadt@openbsd.org> |
use setresgid() rather than setegid, all 3 gids can go the same way. discussion with millert
|
#
4c70ec32 |
| 23-Nov-2015 |
deraadt <deraadt@openbsd.org> |
missing pledge "getpw" for getgrnam(3)
|
#
36246103 |
| 08-Nov-2015 |
millert <millert@openbsd.org> |
Set the effective gid to kmem so the fchown of kvm_bsd.db is allowed by pledge(2). This requires pledge "id" but that can be dropped immediately after the setegid() call. From Theo Buehler
|
#
7a1953db |
| 05-Nov-2015 |
deraadt <deraadt@openbsd.org> |
there is a retry path in here which contains rename() and fchown(). Use a slightly larger pledge, earlier on. from gregor best
|
#
cbbcd319 |
| 16-Oct-2015 |
millert <millert@openbsd.org> |
Implement real "flock" request and add it to userland programs that use pledge and file locking. OK deraadt@
|
#
f3eda427 |
| 13-Oct-2015 |
deraadt <deraadt@openbsd.org> |
semarie points out i am already forgetting the rules are very tight around *chown, even "proc fattr" won't let you do such a job. remove early pledge(), only leave call after fchown, before when symbol table work gets done.
|
#
5c94ac0a |
| 13-Oct-2015 |
deraadt <deraadt@openbsd.org> |
oops, a chown appears late on the code. to satisfy this pledge "stdio rpath wpath cpath getpw fattr proc" early on; "proc fattr" allows doing work with other uids on the file. after opening the db, do the chown (replace with fchown since we know fd) and then pledge "stdio rpath"; "rpath" due to tmpfile rename() at the end. mistake spotted by mpi
|
#
c3f7dd6d |
| 12-Oct-2015 |
deraadt <deraadt@openbsd.org> |
kvm_mkdb & dev_mkdb are quite similar. pledge "stdio rpath wpath cpath" except kvm_mkdb also does "getpw".
|
#
b9fc9a72 |
| 16-Jan-2015 |
deraadt <deraadt@openbsd.org> |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
0a256418 |
| 23-Dec-2014 |
tedu <tedu@openbsd.org> |
the kvm database only needs to be readable by kmem group. make it so.
|
#
ffb4dd05 |
| 20-Jul-2014 |
guenther <guenther@openbsd.org> |
Make sure the correct errno is reported by warn* or err* and not the errno of an intervening cleanup operation like close/unlink/etc.
Diff from Doug Hogan (doug (at) acyclic.org)
|
#
043fbe51 |
| 27-Oct-2009 |
deraadt <deraadt@openbsd.org> |
rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and unmaintainable). these days, people use source. these id's do not provide any benefit, and do hurt the small install media (the 33,000 line diff is essentially mechanical) ok with the idea millert, ok dms
|
#
8ebf3ea0 |
| 14-Apr-2005 |
djm <djm@openbsd.org> |
fix off-by-ones in path truncation checks. from Han Boetes; ok deraadt@
|
#
fe75eb04 |
| 21-Nov-2003 |
djm <djm@openbsd.org> |
add -o option to generate kvm database in alternate directory; manpage nits jmc@ ok tedu@
|
#
00da5b9d |
| 26-Jun-2003 |
deraadt <deraadt@openbsd.org> |
ansi and protos
|
#
29295d1c |
| 02-Jun-2003 |
millert <millert@openbsd.org> |
Remove the advertising clause in the UCB license which Berkeley rescinded 22 July 1999. Proofed by myself and Theo.
|
#
82279d24 |
| 06-Apr-2003 |
tedu <tedu@openbsd.org> |
use snamesize and realloc properly. ok tdeval@
|
#
c72b5b24 |
| 16-Feb-2002 |
millert <millert@openbsd.org> |
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
|
#
9da998ee |
| 18-Apr-1999 |
espie <espie@openbsd.org> |
Document -v
Give more precise error messages in case of failure
|
#
ebbf9c34 |
| 29-Mar-1999 |
millert <millert@openbsd.org> |
Only print "already up to date" if in verbose mode
|