[PATCH] Additional pledge(2) documentation

[PATCH] Additional pledge(2) documentation

William Orr-2
Hey,

I was working on an application that uses pledge, and without diving
into the source, I found it difficult to figure out what sysctls are
permitted at different pledge levels.

This documents the set of different sysctl ops that are allowed at
different pledge levels, and adds some additional documentation around
ioctls as well.

Thanks!

Index: lib/libc/sys/pledge.2
===================================================================
RCS file: /cvs/src/lib/libc/sys/pledge.2,v
retrieving revision 1.48
diff -u -b -w -p -r1.48 pledge.2
--- lib/libc/sys/pledge.2 12 Dec 2017 11:11:18 -0000 1.48
+++ lib/libc/sys/pledge.2 4 Jan 2018 08:51:41 -0000
@@ -141,6 +141,25 @@ support:
 .Xr getifaddrs 3 ,
 .Xr uname 3 ,
 system sensor readings.
+Specifically:
+.Va hw.sensors.* ,
+.Va kern.domainname ,
+.Va kern.hostname ,
+.Va net.route.0.0.rt_ifnames ,
+.Va kern.ostype ,
+.Va kern.osrelease ,
+.Va kern.osversion ,
+.Va kern.clockrate ,
+.Va kern.argmax ,
+.Va kern.ngroups ,
+.Va kern.sysvshm ,
+.Va kern.posix1version ,
+.Va hw.machine ,
+.Va hw.pagesize ,
+.Va vm.psstrings ,
+.Va hw.ncpu ,
+and
+.Va vm.loadavg .
 .Pp
 .It Fn pledge
 Can only reduce permissions for
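Review bot: "Specifically:" is appended as a fragment after the sentence "system sensor readings." and is the only hunk in this patch that introduces a sysctl list without naming the interface; open a new paragraph with .Pp and use the same lead-in as the other hunks ("The following .Xr sysctl 2 operations are allowed:"), and order the entries by MIB subtree (kern.*, hw.*, vm.*, net.*) so that net.route.0.0.rt_ifnames no longer sits between kern.hostname and kern.ostype. Because this enumerates the exact allowlist rather than what the promise is meant to cover, it will go stale silently whenever the kernel's list changes; a sentence stating that the list reflects the current kernel allowlist and may change tells readers how far to rely on it.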
@@ -322,6 +341,14 @@ domains:
 .Xr setsockopt 2 ,
 .Xr getsockopt 2 .
 .Pp
+The following
+.Xr sysctl 2
+operations are allowed:
+.Pp
+.Va net.route.0.0.rt_iflist ,
+.Va net.route.0.inet.rt_iflist ,
+.Va net.route.0.inet6.rt_iflist
+.Pp
 .Xr setsockopt 2
 has been reduced in functionality substantially.
 .It Va mcast
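Review bot: The new list closes with ".Va net.route.0.inet6.rt_iflist" and no terminal period, unlike the stdio hunk, which ends its list with ".Va vm.loadavg ."; end it with ".Va net.route.0.inet6.rt_iflist ." so the sentence opened by "operations are allowed:" is terminated before the following paragraph about setsockopt 2.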
@@ -390,6 +417,15 @@ a few system calls become able to allow
 .Xr recvfrom 2 ,
 .Xr socket 2 ,
 .Xr connect 2 .
+.Pp
+The following
+.Xr sysctl 2
+operations are allowed:
+.Pp
+.Va net.route.0.0.rt_iflist ,
+.Va net.route.0.inet.rt_iflist ,
+.Va net.route.0.inet6.rt_iflist
+.Pp
 .It Va getpw
 This allows read-only opening of files in
 .Pa /etc
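Review bot: Same three rt_iflist entries as in the inet hunk, again without a terminal period; end with ".Va net.route.0.inet6.rt_iflist ." here as well. Since the list is copied verbatim between the two promises, double-check that both really permit the identical set in the kernel; two hand-copied lists are the easiest way for the sections to drift apart later.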
@@ -491,19 +527,39 @@ and
 .Xr adjfreq 2
 system calls.
 .It Va ps
-Allows enough
+Allows the following
 .Xr sysctl 3
 interfaces to allow inspection of processes operating on the system using
 programs like
-.Xr ps 1 .
+.Xr ps 1 :
+.Pp
+.Va kern.fscale ,
+.Va kern.boottime ,
+.Va kern.consdev ,
+.Va kern.cptime ,
+.Va kern.cptime2 ,
+.Va kern.procargs.* ,
+.Va kern.proc.* ,
+.Va kern.proc_cwd.* ,
+.Va kern.physmem ,
+.Va kern.ccpu ,
+.Va vm.maxslp
 .It Va vminfo
-Allows enough
+Allows the following
 .Xr sysctl 3
 interfaces to allow inspection of the system's virtual memory by
 programs like
 .Xr top 1
 and
-.Xr vmstat 8 .
+.Xr vmstat 8 :
+.Pp
+.Va vm.uvmexp ,
+.Va vfs.generic.bcachestat ,
+.Va kern.fscale ,
+.Va kern.boottime ,
+.Va kern.consdev ,
+.Va kern.cptime ,
+.Va kern.cptime2
 .It Va id
 Allows the following system calls which can change the rights of a
 process:
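Review bot: "Allows the following .Xr sysctl 3 interfaces to allow inspection of processes" now repeats "allow" twice; with the list attached, "Allows the following .Xr sysctl 3 interfaces, used to inspect processes by programs like .Xr ps 1 :" reads cleaner, and the vminfo sentence has the same shape. Both new lists also stop without a period (".Va vm.maxslp" and ".Va kern.cptime2" run straight into the next .It), and this hunk cross-references sysctl 3 while the text added in the other hunks cross-references sysctl 2; pick one section number for the new text across the patch.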
@@ -562,6 +618,85 @@ Allow
 operation for statistics collection from a
 .Xr bpf 4
 device.
+.It Va disklabel
+Allows a subset of
+.Xr ioctl 2
+operations on
+.Xr diskmap 4
+devices:
+.Pp
+.Dv DIOCGDINFO ,
+.Dv DIOCGPDINFO ,
+.Dv DIOCRLDINFO ,
+.Dv DIOCWDINFO ,
+.Dv BIOCDISK ,
+.Dv BIOCINQ ,
+.Dv BIOCINSTALLBOOT ,
+.Dv BIOCVOL ,
+.Dv DIOCMAP .
+.Pp
+Also enables the use of the following
+.Xr sysctl 2
+operations:
+.Pp
+.Va kern.rawpartition ,
+.Va kern.maxpartitions ,
+.Va machdep.chr2blk .
+.It Va route
+Allows a subset of read-only
+.Xr ioctl 2
+operations on network interfaces:
+.Pp
+.Dv SIOCGIFADDR ,
+.Dv SIOCGIFAFLAG_IN6 ,
+.Dv SIOCGIFALIFETIME_IN6 ,
+.Dv SIOCGIFDESCR ,
+.Dv SIOCGIFFLAGS ,
+.Dv SIOCGIFMETRIC ,
+.Dv SIOCGIFGMEMB ,
+.Dv SIOCGIFRDOMAIN ,
+.Dv SIOCGIFDSTADDR_IN6 ,
+.Dv SIOCGIFNETMASK_IN6 ,
+.Dv SIOCGIFXFLAGS ,
+.Dv SIOCGNBRINFO_IN6 ,
+.Dv SIOCGIFINFO_IN6 ,
+.Dv SIOCGIFMEDIA .
+.Pp
+Also allows the following
+.Xr sysctl 2
+operations:
+.Pp
+.Va net.route.0.*.dump ,
+.Va net.route.0.0.rt_table ,
+.Va net.route.0.inet.rt_table ,
+.Va net.route.0.inet6.rt_table ,
+.Va net.route.0.0.flags.llinfo ,
+.Va net.route.0.inet.flags.llinfo ,
+.Va net.route.0.inet6.flags.llinfo ,
+.Va net.route.0.0.rt_iflist ,
+.Va net.route.0.inet.rt_iflist ,
+.Va net.route.0.inet6.rt_iflist .
+.It Va vmm
+Allows the following
+.Xr ioctl 2
+operations on the
+.Xr vmm 4
+device:
+.Pp
+.Dv VMM_IOC_TERM ,
+.Dv VMM_IOC_RUN ,
+.Dv VMM_IOC_RESETCPU ,
+.Dv VMM_IOC_INTR ,
+.Dv VMM_IOC_READREGS ,
+.Dv VMM_IOC_WRITEREGS .
+.Pp
+In combination with
+.Va proc ,
+it additionally allows:
+.Pp
+.Dv VMM_IOC_CREATE
+and
+.Dv VMM_IOC_INFO .
 .It Va error
 Rather than killing the process upon violation, indicate error with
 .Er ENOSYS .
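Review bot: In the disklabel entry the sentence says the ioctls are "operations on .Xr diskmap 4 devices", but the list mixes two ioctl families, DIOC* and BIOC*; confirm which device node each family is issued against and name both, otherwise a reader will look for BIOCINQ and friends in diskmap(4). Wording also differs between the new entries ("Also enables the use of the following" under disklabel versus "Also allows the following" under route); use one phrasing. The route entry lists net.route.0.*.dump with a wildcard while the rt_table, flags.llinfo and rt_iflist lines are spelled out per address family; either spell dump out the same way or use the wildcard for all four, so it is clear the same three families are meant.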

Re: [PATCH] Additional pledge(2) documentation

Sebastien Marie-3
On Thu, Jan 04, 2018 at 03:02:23AM -0600, William Orr wrote:

> Hey,
>
> I was working on an application that uses pledge, and without diving
> into the source, I found it difficult to figure out what sysctls are
> permitted at different pledge levels.
>
> This documents the set of different sysctl ops that are allowed at
> different pledge levels, and adds some additional documentation around
> ioctls as well.
>

Documenting pledge(2) is complex: it should document the expected
behaviour, and not the implementation details.

Thanks.
--
Sebastien Marie