[PATCH] pledge: allow kern.somaxconn sysctl for inet


Jimmy Brush
No golang tcp server can be pledged without this change because it
queries kern.somaxconn before it listens on a tcp socket[1][2][3].

I cannot think of any advantage this change would give an attacker
who has compromised a pledged process.

[1] https://golang.org/src/net/sock_posix.go#L57
[2] https://golang.org/src/net/net.go#L373
[3] https://golang.org/src/net/sock_bsd.go#L27

---
 sys/kern/kern_pledge.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git sys/kern/kern_pledge.c sys/kern/kern_pledge.c
index 9f436df4893..8d1203198ed 100644
--- sys/kern/kern_pledge.c
+++ sys/kern/kern_pledge.c
@@ -904,6 +904,12 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, void *new)
  return (0);
  }
 
+ if ((p->p_p->ps_pledge & PLEDGE_INET)) {
+ if (miblen == 2 && /* kern.somaxconn */
+    mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
+ return (0);
+ }
+
  if ((p->p_p->ps_pledge & (PLEDGE_ROUTE | PLEDGE_INET | PLEDGE_DNS))) {
  if (miblen == 6 && /* getifaddrs() */
     mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
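
Review bot: The added PLEDGE_INET branch returns 0 for kern.somaxconn without looking at `new`, so from these lines alone the allowance covers a write request as well as a read. If an earlier part of pledge_sysctl() (not shown in this hunk) already rejects a non-NULL `new`, that is fine; otherwise add `new == NULL` to the condition so that only the read described in the commit message is permitted.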


Re: [PATCH] pledge: allow kern.somaxconn sysctl for inet

Claudio Jeker
On Mon, Feb 03, 2020 at 12:52:05AM +0000, Jimmy Brush wrote:

> No golang tcp server can be pledged without this change because it
> queries kern.somaxconn before it listens on a tcp socket[1][2][3].
>
> I cannot think of any advantage this change would give an attacker
> who has compromised a pledged process.
>
> [1] https://golang.org/src/net/sock_posix.go#L57
> [2] https://golang.org/src/net/net.go#L373
> [3] https://golang.org/src/net/sock_bsd.go#L27
>
> ---
>  sys/kern/kern_pledge.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git sys/kern/kern_pledge.c sys/kern/kern_pledge.c
> index 9f436df4893..8d1203198ed 100644
> --- sys/kern/kern_pledge.c
> +++ sys/kern/kern_pledge.c
> @@ -904,6 +904,12 @@ pledge_sysctl(struct proc *p, int miblen, int *mib, void *new)
>   return (0);
>   }
>  
> + if ((p->p_p->ps_pledge & PLEDGE_INET)) {
> + if (miblen == 2 && /* kern.somaxconn */
> +    mib[0] == CTL_KERN && mib[1] == KERN_SOMAXCONN)
> + return (0);
> + }
> +
>   if ((p->p_p->ps_pledge & (PLEDGE_ROUTE | PLEDGE_INET | PLEDGE_DNS))) {
>   if (miblen == 6 && /* getifaddrs() */
>      mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
>
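
Review bot: The new branch at `if ((p->p_p->ps_pledge & PLEDGE_INET))` ties the allowance to the inet promise only, and the commit message justifies it only for TCP listeners. If the same kern.somaxconn lookup runs before listen on other socket types (the message does not say), a process pledged without inet would still be refused here; the commit message should state whether that case is intentionally out of scope.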

I think go should not query the sysctl and instead just use a reasonably
high default (or let users choose). The kernel will then use the minimum
of the two values. At least this is what all other daemons do.
Guess that option will not happen...

--
:wq Claudio