pledge(2) for the i3 window manager


pledge(2) for the i3 window manager

Theo Buehler
I understand that pledging a port adds complexity to its maintenance
and I am not convinced the patch below should be committed to the ports
tree.

However, since there appears to be a considerable number of users of i3
among OpenBSD users, there might be some interest in this patch, so I'd
like to share it.  I'd need some positive test reports to be persuaded
to try to upstream this.

I've been running variations of this patch for about three weeks now.

Note that i3status is not included.  It is not currently possible to
pledge this program without severely cutting down its features.

Index: x11/i3/Makefile
===================================================================
RCS file: /cvs/ports/x11/i3/Makefile,v
retrieving revision 1.98
diff -u -p -r1.98 Makefile
--- x11/i3/Makefile 4 Oct 2015 08:48:12 -0000 1.98
+++ x11/i3/Makefile 20 Dec 2015 12:47:01 -0000
@@ -3,6 +3,7 @@
 COMMENT = improved dynamic tiling window manager
 
 DISTNAME = i3-4.11
+REVISION = 0
 CATEGORIES = x11
 
 EXTRACT_SUFX = .tar.bz2
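Review bot: REVISION = 0 will not apply cleanly once the i3 update the maintainer mentions below (committed Dec 18) is in; the rebased diff later in the thread shows REVISION already at 0 on Makefile 1.99 and bumps it to 1. Rebase on -current before resending so the bump is correct.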
Index: x11/i3/patches/patch-i3-msg_main_c
===================================================================
RCS file: x11/i3/patches/patch-i3-msg_main_c
diff -N x11/i3/patches/patch-i3-msg_main_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ x11/i3/patches/patch-i3-msg_main_c 20 Dec 2015 12:47:01 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+pledge for i3-msg:
+rpath and unix needed for talking to the i3 socket in /tmp
+
+--- i3-msg/main.c.orig Sun Dec  6 01:38:41 2015
++++ i3-msg/main.c Sun Dec  6 01:39:44 2015
+@@ -119,6 +119,8 @@ static yajl_callbacks reply_callbacks = {
+ };
+
+ int main(int argc, char *argv[]) {
++    if (pledge("stdio rpath unix", NULL) == -1)
++        err(EXIT_FAILURE, "pledge");
+     char *env_socket_path = getenv("I3SOCK");
+     if (env_socket_path)
+         socket_path = sstrdup(env_socket_path);
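Review bot: the pledge() call is unguarded, so this hunk only compiles on OpenBSD; wrap it in `#if defined(__OpenBSD__)` ... `#endif` as the maintainer asks below, which also keeps the patch upstreamable. Placing it as the first statement in main(), before the I3SOCK lookup, is otherwise the right spot: the promise set is fixed for the whole run and nothing earlier needs to be excluded.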
Index: x11/i3/patches/patch-i3-nagbar_main_c
===================================================================
RCS file: /cvs/ports/x11/i3/patches/patch-i3-nagbar_main_c,v
retrieving revision 1.7
diff -u -p -r1.7 patch-i3-nagbar_main_c
--- x11/i3/patches/patch-i3-nagbar_main_c 4 Oct 2015 08:48:12 -0000 1.7
+++ x11/i3/patches/patch-i3-nagbar_main_c 20 Dec 2015 12:47:01 -0000
@@ -1,6 +1,14 @@
 $OpenBSD: patch-i3-nagbar_main_c,v 1.7 2015/10/04 08:48:12 dcoppa Exp $
+
+surprisingly wide pledge for this program
+
+wpath cpath for writing a script
+rpath getpw for checking access permissions
+proc exec for executing the script
+unix for talking to the i3 socket
+
 --- i3-nagbar/main.c.orig Wed Sep 30 08:55:10 2015
-+++ i3-nagbar/main.c Fri Oct  2 16:58:54 2015
++++ i3-nagbar/main.c Sun Dec  6 01:23:02 2015
 @@ -170,7 +170,7 @@ static void handle_button_release(xcb_connection_t *co
      }
 
@@ -9,4 +17,14 @@ $OpenBSD: patch-i3-nagbar_main_c,v 1.7 2
 +    sasprintf(&terminal_cmd, "${X11BASE}/bin/xterm -e %s", link_path);
      printf("argv0 = %s\n", argv0);
      printf("terminal_cmd = %s\n", terminal_cmd);
+
+@@ -464,6 +464,9 @@ int main(int argc, char *argv[]) {
+
+     font = load_font(pattern, true);
+     set_font(&font);
++
++    if (pledge("stdio rpath wpath cpath getpw proc exec unix", NULL) == -1)
++        err(EXIT_FAILURE, "pledge");
+
+     xcb_rectangle_t win_pos = get_window_position();
 
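Review bot: the pledge is deliberately placed after load_font()/set_font(), and that order matters: the i3bar backtrace posted later in the thread shows libcairo calling shmget() from font loading, and shmget has no pledge promise. State that in the patch header ("must stay after font loading") so a future port update does not hoist the call to the top of main() and reintroduce the i3bar failure here.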
Index: x11/i3/patches/patch-i3bar_src_main_c
===================================================================
RCS file: x11/i3/patches/patch-i3bar_src_main_c
diff -N x11/i3/patches/patch-i3bar_src_main_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ x11/i3/patches/patch-i3bar_src_main_c 20 Dec 2015 12:47:01 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+stdio rpath unix for talking to the i3 socket
+wpath for logging
+proc exec to execute the bar
+
+--- i3bar/src/main.c.orig Sun Dec  6 01:08:28 2015
++++ i3bar/src/main.c Sun Dec  6 01:07:08 2015
+@@ -95,6 +95,9 @@ int main(int argc, char **argv) {
+     char *socket_path = getenv("I3SOCK");
+     char *i3_default_sock_path = "/tmp/i3-ipc.sock";
+
++    if (pledge("stdio rpath wpath proc exec unix", NULL) == -1)
++        err(EXIT_FAILURE, "pledge");
++
+     /* Initialize the standard config to use 0 as default */
+     memset(&config, '\0', sizeof(config_t));
+
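Review bot: this pledge runs before the bar configuration arrives over IPC and before init_xcb_late() loads the font; the backtrace Ralf posts below shows libcairo calling shmget() (syscall 289) from exactly that path, which the kernel then kills. Since init_xcb_late() can be re-run at any time for configuration changes, there is no later point to move the call to, so drop this hunk rather than widen the promise set.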
Index: x11/i3/patches/patch-src_main_c
===================================================================
RCS file: x11/i3/patches/patch-src_main_c
diff -N x11/i3/patches/patch-src_main_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ x11/i3/patches/patch-src_main_c 20 Dec 2015 12:47:01 -0000
@@ -0,0 +1,20 @@
+$OpenBSD$
+
+stdio rpath unix for talking to the i3 socket in /tmp
+wpath cpath are needed for the restart-in-place functionality
+proc exec for executing programs
+
+--- src/main.c.orig Wed Sep 30 08:55:10 2015
++++ src/main.c Sun Dec  6 00:36:10 2015
+@@ -785,6 +785,11 @@ int main(int argc, char *argv[]) {
+         xcb_free_pixmap(conn, pixmap);
+     }
+
++    /* can't pledge if shm_* calls are used */
++    if (shmlog_size == 0)
++        if (pledge("stdio rpath wpath cpath proc exec unix", NULL) == -1)
++            err(EXIT_FAILURE, "pledge");
++
+     struct sigaction action;
+
+     action.sa_sigaction = handle_signal;
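Review bot: when shmlog_size != 0 the pledge is skipped silently, so whether i3 runs sandboxed depends on the shmlog-size setting with no indication to the user. Log the skip (a DLOG/LOG line on the else path) so it is visible, and brace the outer `if`: the nested unbraced `if (shmlog_size == 0) if (pledge(...) == -1)` is easy to misread on a later edit.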


Re: pledge(2) for the i3 window manager

David Coppa
On Sun, Dec 20, 2015 at 2:02 PM, Theo Buehler <[hidden email]> wrote:
> I understand that pledging a port adds complexity to its maintenance
> and I am not convinced the patch below should be committed to the ports
> tree.
>
> However, since there appears to be a considerable number of users of i3
> among OpenBSD users, there might be some interest in this patch, so I'd
> like to share it.  I'd need some positive test reports to be persuaded
> to try to upstream this.

Please refactor your diff on a very current -current, I've committed
an update for i3 yesterday...

And please also protect the pledge code with "#if defined(__OpenBSD__)"

Ciao!
David


Re: pledge(2) for the i3 window manager

Bryan C. Everly
Should we consider applying this diff to upstream to avoid the
maintenance issue?

Thanks,
Bryan

> On Dec 20, 2015, at 8:31 AM, David Coppa <[hidden email]> wrote:
>
>> On Sun, Dec 20, 2015 at 2:02 PM, Theo Buehler <[hidden email]> wrote:
>> I understand that pledging a port adds complexity to its maintenance
>> and I am not convinced the patch below should be committed to the ports
>> tree.
>>
>> However, since there appears to be a considerable number of users of i3
>> among OpenBSD users, there might be some interest in this patch, so I'd
>> like to share it.  I'd need some positive test reports to be persuaded
>> to try to upstream this.
>
> Please refactor your diff on a very current -current, I've committed
> an update for i3 yesterday...
>
> And please also protect the pledge code with "#if defined(__OpenBSD__)"
>
> Ciao!
> David


Re: pledge(2) for the i3 window manager

Theo Buehler
In reply to this post by David Coppa
On Sun, Dec 20, 2015 at 02:30:24PM +0100, David Coppa wrote:

> On Sun, Dec 20, 2015 at 2:02 PM, Theo Buehler <[hidden email]> wrote:
> > I understand that pledging a port adds complexity to its maintenance
> > and I am not convinced the patch below should be committed to the ports
> > tree.
> >
> > However, since there appears to be a considerable number of users of i3
> > among OpenBSD users, there might be some interest in this patch, so I'd
> > like to share it.  I'd need some positive test reports to be persuaded
> > to try to upstream this.
>
> Please refactor your diff on a very current -current, I've committed
> an update for i3 yesterday...
>
> And please also protect the pledge code with "#if defined(__OpenBSD__)"

Thanks!

Index: Makefile
===================================================================
RCS file: /var/cvs/ports/x11/i3/Makefile,v
retrieving revision 1.99
diff -u -p -r1.99 Makefile
--- Makefile 18 Dec 2015 15:53:08 -0000 1.99
+++ Makefile 20 Dec 2015 14:06:08 -0000
@@ -3,7 +3,7 @@
 COMMENT = improved dynamic tiling window manager
 
 DISTNAME = i3-4.11
-REVISION = 0
+REVISION = 1
 CATEGORIES = x11
 
 EXTRACT_SUFX = .tar.bz2
Index: patches/patch-i3-msg_main_c
===================================================================
RCS file: patches/patch-i3-msg_main_c
diff -N patches/patch-i3-msg_main_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-i3-msg_main_c 20 Dec 2015 13:52:48 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+pledge for i3-msg:
+rpath and unix needed for talking to the i3 socket in /tmp
+
+--- i3-msg/main.c.orig Wed Sep 30 08:55:10 2015
++++ i3-msg/main.c Sun Dec 20 14:42:51 2015
+@@ -119,6 +119,10 @@ static yajl_callbacks reply_callbacks = {
+ };
+
+ int main(int argc, char *argv[]) {
++#if defined(__OpenBSD__)
++    if (pledge("stdio rpath unix", NULL) == -1)
++        err(EXIT_FAILURE, "pledge");
++#endif
+     char *env_socket_path = getenv("I3SOCK");
+     if (env_socket_path)
+         socket_path = sstrdup(env_socket_path);
Index: patches/patch-i3-nagbar_main_c
===================================================================
RCS file: /var/cvs/ports/x11/i3/patches/patch-i3-nagbar_main_c,v
retrieving revision 1.7
diff -u -p -r1.7 patch-i3-nagbar_main_c
--- patches/patch-i3-nagbar_main_c 4 Oct 2015 08:48:12 -0000 1.7
+++ patches/patch-i3-nagbar_main_c 20 Dec 2015 14:05:53 -0000
@@ -1,6 +1,14 @@
 $OpenBSD: patch-i3-nagbar_main_c,v 1.7 2015/10/04 08:48:12 dcoppa Exp $
+
+surprisingly wide pledge for this program
+
+"wpath cpath" for writing a script
+"rpath getpw" for checking access permissions
+"proc exec" for executing the script
+"unix" for talking to the i3 socket
+
 --- i3-nagbar/main.c.orig Wed Sep 30 08:55:10 2015
-+++ i3-nagbar/main.c Fri Oct  2 16:58:54 2015
++++ i3-nagbar/main.c Sun Dec 20 15:00:22 2015
 @@ -170,7 +170,7 @@ static void handle_button_release(xcb_connection_t *co
      }
 
@@ -9,4 +17,16 @@ $OpenBSD: patch-i3-nagbar_main_c,v 1.7 2
 +    sasprintf(&terminal_cmd, "${X11BASE}/bin/xterm -e %s", link_path);
      printf("argv0 = %s\n", argv0);
      printf("terminal_cmd = %s\n", terminal_cmd);
+
+@@ -464,6 +464,11 @@ int main(int argc, char *argv[]) {
+
+     font = load_font(pattern, true);
+     set_font(&font);
++
++#if defined(__OpenBSD__)
++    if (pledge("stdio rpath wpath cpath getpw proc exec unix", NULL) == -1)
++        err(EXIT_FAILURE, "pledge");
++#endif
+
+     xcb_rectangle_t win_pos = get_window_position();
 
Index: patches/patch-i3bar_src_main_c
===================================================================
RCS file: patches/patch-i3bar_src_main_c
diff -N patches/patch-i3bar_src_main_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-i3bar_src_main_c 20 Dec 2015 13:52:48 -0000
@@ -0,0 +1,20 @@
+$OpenBSD$
+
+stdio rpath unix for talking to the i3 socket
+wpath for logging
+proc exec to execute the bar
+
+--- i3bar/src/main.c.orig Wed Sep 30 08:55:10 2015
++++ i3bar/src/main.c Sun Dec 20 14:43:24 2015
+@@ -95,6 +95,11 @@ int main(int argc, char **argv) {
+     char *socket_path = getenv("I3SOCK");
+     char *i3_default_sock_path = "/tmp/i3-ipc.sock";
+
++#if defined(__OpenBSD__)
++    if (pledge("stdio rpath wpath proc exec unix", NULL) == -1)
++        err(EXIT_FAILURE, "pledge");
++#endif
++
+     /* Initialize the standard config to use 0 as default */
+     memset(&config, '\0', sizeof(config_t));
+
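Review bot: this is the hunk Ralf's report below is about: the pledge sits before any font loading, and libcairo's shmget() in init_xcb_late() then trips it with "syscall 289". The follow-up diff drops i3bar entirely; anyone revisiting it would need the pledge after every possible init_xcb_late() call, which the author notes is not achievable because configuration updates can trigger it at any time.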
Index: patches/patch-src_main_c
===================================================================
RCS file: /var/cvs/ports/x11/i3/patches/patch-src_main_c,v
retrieving revision 1.14
diff -u -p -r1.14 patch-src_main_c
--- patches/patch-src_main_c 18 Dec 2015 15:53:09 -0000 1.14
+++ patches/patch-src_main_c 20 Dec 2015 14:02:42 -0000
@@ -2,8 +2,14 @@ $OpenBSD: patch-src_main_c,v 1.14 2015/1
 
 Bugfix: add keymap fall back (_XKB_RULES_NAMES, then defaults)
 
+add pledge:
+
+"stdio rpath unix" for talking to the i3 socket in /tmp
+"wpath cpath" are needed for the restart-in-place functionality
+"proc exec" for executing programs
+
 --- src/main.c.orig Wed Sep 30 08:55:10 2015
-+++ src/main.c Fri Dec 18 13:58:58 2015
++++ src/main.c Sun Dec 20 14:58:54 2015
 @@ -87,6 +87,7 @@ struct ws_assignments_head ws_assignments = TAILQ_HEAD
 
  /* We hope that those are supported and set them to true */
@@ -20,3 +26,17 @@ Bugfix: add keymap fall back (_XKB_RULES
      if (!extreply->present) {
          DLOG("xkb is not present on this server\n");
      } else {
+@@ -784,6 +786,13 @@ int main(int argc, char *argv[]) {
+         xcb_free_gc(conn, gc);
+         xcb_free_pixmap(conn, pixmap);
+     }
++
++#if defined(__OpenBSD__)
++    /* can't pledge if shm_* calls are used */
++    if (shmlog_size == 0)
++        if (pledge("stdio rpath wpath cpath proc exec unix", NULL) == -1)
++            err(EXIT_FAILURE, "pledge");
++#endif
+
+     struct sigaction action;
+
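Review bot: the new header text says "add pledge" but does not mention that the pledge is skipped whenever shmlog_size != 0; add a line to the header so it matches the code, e.g. "not pledged when shared-memory logging is enabled, since shmget/shmat have no promise". With the `#if defined(__OpenBSD__)` guard now in place this hunk is in shape to go upstream, provided that interplay is documented.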


Re: pledge(2) for the i3 window manager

Theo Buehler
In reply to this post by Bryan C. Everly
On Sun, Dec 20, 2015 at 09:14:45AM -0500, Bryan Everly wrote:
> Should we consider applying this diff to upstream to avoid the
> maintenance issue?

I think we should.  As I wrote:

> >> I'd need some positive test reports to be persuaded
> >> to try to upstream this.

I think we need some good testing first, then we can decide what to do
with it.


Re: pledge(2) for the i3 window manager

Ralf Horstmann
In reply to this post by Theo Buehler
Hi,

the diff prevents i3bar from starting here:
    i3bar(26685): syscall 289 ""

gdb shows this:
    #0  0x00000ae4d48740ca in shmget () at <stdin>:2
    #1  0x00000ae502e15ae4 in can_use_shm () from /usr/local/lib/libcairo.so.12.3
    #2  0x00000ae502e15c3b in _cairo_xcb_connection_query_shm () from /usr/local/lib/libcairo.so.12.3
    #3  0x00000ae502e16330 in _cairo_xcb_connection_get () from /usr/local/lib/libcairo.so.12.3
    #4  0x00000ae502e18675 in _cairo_xcb_screen_get () from /usr/local/lib/libcairo.so.12.3
    #5  0x00000ae502e1c40a in cairo_xcb_surface_create () from /usr/local/lib/libcairo.so.12.3
    #6  0x00000ae20f90f9a0 in load_pango_font (font=0x7f7ffffed3b0, desc=Variable "desc" is not available.
    ) at libi3/font.c:80
    #7  0x00000ae20f90fd0c in load_font (pattern=0xae4b22fd0c0 "pango:DejaVu Sans Mono 10", fallback=true)
        at libi3/font.c:196
    #8  0x00000ae20f9077e4 in init_xcb_late (fontname=Variable "fontname" is not available.
    ) at i3bar/src/xcb.c:1226
    #9  0x00000ae20f90c190 in got_bar_config (
        reply=0xae461156200 "{\"id\":\"bar-1\",\"outputs\":[\"LVDS1\"],\"tray_padding\":2,\"mode\":\"dock\",\"hidden_state\":\"hide\",\"modifier\":\"Mod4\",\"position\":\"bottom\",\"status_command\":\"i3status --config ~/.i3status-small.conf\",\"font\":\"pango:D"...) at i3bar/src/ipc.c:98
    #10 0x00000ae20f90be33 in got_data (loop=Variable "loop" is not available.
    ) at i3bar/src/ipc.c:263
    #11 0x00000ae4a9b5afae in ev_invoke_pending () from /usr/local/lib/libev.so.3.1
    #12 0x00000ae4a9b5f5e5 in ev_run () from /usr/local/lib/libev.so.3.1
    #13 0x00000ae20f90b7ba in main (argc=Variable "argc" is not available.
    ) at ev.h:835

I have a font configuration in .i3/config, which triggers this:
    font pango:DejaVu Sans Mono 10

After commenting that out, i3bar starts again.

Regards,
Ralf

* Theo Buehler <[hidden email]> [2015-12-20 15:21]:

> On Sun, Dec 20, 2015 at 02:30:24PM +0100, David Coppa wrote:
> > On Sun, Dec 20, 2015 at 2:02 PM, Theo Buehler <[hidden email]> wrote:
> > > I understand that pledging a port adds complexity to its maintenance
> > > and I am not convinced the patch below should be committed to the ports
> > > tree.
> > >
> > > However, since there appears to be a considerable number of users of i3
> > > among OpenBSD users, there might be some interest in this patch, so I'd
> > > like to share it.  I'd need some positive test reports to be persuaded
> > > to try to upstream this.
> >
> > Please refactor your diff on a very current -current, I've committed
> > an update for i3 yesterday...
> >
> > And please also protect the pledge code with "#if defined(__OpenBSD__)"
>
> Thanks!


Re: pledge(2) for the i3 window manager

Theo Buehler
On Sun, Dec 20, 2015 at 06:59:56PM +0100, Ralf Horstmann wrote:
> gdb shows this:
>     #0  0x00000ae4d48740ca in shmget () at <stdin>:2
[...]
>     #8  0x00000ae20f9077e4 in init_xcb_late (fontname=Variable "fontname" is not available.

Whoops, I missed that one.  Thanks for the backtrace.  This means that
we can't pledge i3bar since init_xcb_late can be called at any point
during the runtime to update the configuration (including fonts).

Updated diff below.

Index: Makefile
===================================================================
RCS file: /var/cvs/ports/x11/i3/Makefile,v
retrieving revision 1.99
diff -u -p -r1.99 Makefile
--- Makefile 18 Dec 2015 15:53:08 -0000 1.99
+++ Makefile 20 Dec 2015 14:06:08 -0000
@@ -3,7 +3,7 @@
 COMMENT = improved dynamic tiling window manager
 
 DISTNAME = i3-4.11
-REVISION = 0
+REVISION = 1
 CATEGORIES = x11
 
 EXTRACT_SUFX = .tar.bz2
Index: patches/patch-i3-msg_main_c
===================================================================
RCS file: patches/patch-i3-msg_main_c
diff -N patches/patch-i3-msg_main_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-i3-msg_main_c 20 Dec 2015 13:52:48 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+pledge for i3-msg:
+rpath and unix needed for talking to the i3 socket in /tmp
+
+--- i3-msg/main.c.orig Wed Sep 30 08:55:10 2015
++++ i3-msg/main.c Sun Dec 20 14:42:51 2015
+@@ -119,6 +119,10 @@ static yajl_callbacks reply_callbacks = {
+ };
+
+ int main(int argc, char *argv[]) {
++#if defined(__OpenBSD__)
++    if (pledge("stdio rpath unix", NULL) == -1)
++        err(EXIT_FAILURE, "pledge");
++#endif
+     char *env_socket_path = getenv("I3SOCK");
+     if (env_socket_path)
+         socket_path = sstrdup(env_socket_path);
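Review bot: The hunk calls pledge(2) and err(3) but adds no includes; unless i3-msg/main.c already pulls in <unistd.h> and <err.h>, the OpenBSD build gets an implicit-declaration warning (an error with -Werror). Worth a check in the port build log, and worth a line in the patch header stating that the headers were already present.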
Index: patches/patch-i3-nagbar_main_c
===================================================================
RCS file: /var/cvs/ports/x11/i3/patches/patch-i3-nagbar_main_c,v
retrieving revision 1.7
diff -u -p -r1.7 patch-i3-nagbar_main_c
--- patches/patch-i3-nagbar_main_c 4 Oct 2015 08:48:12 -0000 1.7
+++ patches/patch-i3-nagbar_main_c 20 Dec 2015 14:05:53 -0000
@@ -1,6 +1,14 @@
 $OpenBSD: patch-i3-nagbar_main_c,v 1.7 2015/10/04 08:48:12 dcoppa Exp $
+
+surprisingly wide pledge for this program
+
+"wpath cpath" for writing a script
+"rpath getpw" for checking access permissions
+"proc exec" for executing the script
+"unix" for talking to the i3 socket
+
 --- i3-nagbar/main.c.orig Wed Sep 30 08:55:10 2015
-+++ i3-nagbar/main.c Fri Oct  2 16:58:54 2015
++++ i3-nagbar/main.c Sun Dec 20 15:00:22 2015
 @@ -170,7 +170,7 @@ static void handle_button_release(xcb_connection_t *co
      }
 
@@ -9,4 +17,16 @@ $OpenBSD: patch-i3-nagbar_main_c,v 1.7 2
 +    sasprintf(&terminal_cmd, "${X11BASE}/bin/xterm -e %s", link_path);
      printf("argv0 = %s\n", argv0);
      printf("terminal_cmd = %s\n", terminal_cmd);
+
+@@ -464,6 +464,11 @@ int main(int argc, char *argv[]) {
+
+     font = load_font(pattern, true);
+     set_font(&font);
++
++#if defined(__OpenBSD__)
++    if (pledge("stdio rpath wpath cpath getpw proc exec unix", NULL) == -1)
++        err(EXIT_FAILURE, "pledge");
++#endif
+
+     xcb_rectangle_t win_pos = get_window_position();
 
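Review bot: One caveat belongs in the patch header above: "exec" only permits execve(2), and the process it starts is not pledged, so the xterm launched through terminal_cmd (the `${X11BASE}/bin/xterm -e %s` line in the first hunk) and the script it runs are outside this restriction; the pledge covers i3-nagbar itself only. Placing the call after load_font()/set_font() is sensible given the i3bar finding elsewhere in this thread (init_xcb_late(fontname=...) reaching shmget()), and the header could say that this ordering is deliberate so nobody "tidies" the pledge up to the top of main() later.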
Index: patches/patch-src_main_c
===================================================================
RCS file: /var/cvs/ports/x11/i3/patches/patch-src_main_c,v
retrieving revision 1.14
diff -u -p -r1.14 patch-src_main_c
--- patches/patch-src_main_c 18 Dec 2015 15:53:09 -0000 1.14
+++ patches/patch-src_main_c 20 Dec 2015 18:25:02 -0000
@@ -2,8 +2,14 @@ $OpenBSD: patch-src_main_c,v 1.14 2015/1
 
 Bugfix: add keymap fall back (_XKB_RULES_NAMES, then defaults)
 
+add pledge:
+
+"stdio rpath unix" for talking to the i3 socket in /tmp
+"wpath cpath" are needed for the restart-in-place functionality
+"proc exec" for executing programs
+
 --- src/main.c.orig Wed Sep 30 08:55:10 2015
-+++ src/main.c Fri Dec 18 13:58:58 2015
++++ src/main.c Sun Dec 20 14:58:54 2015
 @@ -87,6 +87,7 @@ struct ws_assignments_head ws_assignments = TAILQ_HEAD
 
  /* We hope that those are supported and set them to true */
@@ -20,3 +26,17 @@ Bugfix: add keymap fall back (_XKB_RULES
      if (!extreply->present) {
          DLOG("xkb is not present on this server\n");
      } else {
+@@ -784,6 +786,13 @@ int main(int argc, char *argv[]) {
+         xcb_free_gc(conn, gc);
+         xcb_free_pixmap(conn, pixmap);
+     }
++
++#if defined(__OpenBSD__)
++    /* can't pledge if shm_* calls are used */
++    if (shmlog_size == 0)
++        if (pledge("stdio rpath wpath cpath proc exec unix", NULL) == -1)
++            err(EXIT_FAILURE, "pledge");
++#endif
+
+     struct sigaction action;
+
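Review bot: The `shmlog_size == 0` guard only protects the startup case: shmlog_size is whatever the configuration set before main() reaches this point, but the January mail in this thread shows that `i3-msg 'shmlog on'` can enable shm logging over IPC after the pledge has been taken, and then open_logbuffer() runs under promises chosen on the assumption that it never would. Either the guard also has to disable the runtime toggle, or (as that follow-up does) the shm path has to be made safe to run after pledge. The nested `if` without braces is also easy to misread; braces around the outer `if` would make the intent clearer.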


Re: pledge(2) for the i3 window manager

Ralf Horstmann-2
* Theo Buehler <[hidden email]> [2015-12-20 19:26]:

> On Sun, Dec 20, 2015 at 06:59:56PM +0100, Ralf Horstmann wrote:
> > gdb shows this:
> >     #0  0x00000ae4d48740ca in shmget () at <stdin>:2
> [...]
> >     #8  0x00000ae20f9077e4 in init_xcb_late (fontname=Variable "fontname" is not available.
>
> Whoops, I missed that one.  Thanks for the backtrace.  This means that
> we can't pledge i3bar since init_xcb_late can be called at any point
> during the runtime to update the configuration (including fonts).
>
> Updated diff below.

That works better. No other issues noticed so far.

Thanks,
Ralf


Re: pledge(2) for the i3 window manager

David Coppa
On Mon, Dec 21, 2015 at 12:21 AM, Ralf Horstmann <[hidden email]> wrote:

> * Theo Buehler <[hidden email]> [2015-12-20 19:26]:
>> On Sun, Dec 20, 2015 at 06:59:56PM +0100, Ralf Horstmann wrote:
>> > gdb shows this:
>> >     #0  0x00000ae4d48740ca in shmget () at <stdin>:2
>> [...]
>> >     #8  0x00000ae20f9077e4 in init_xcb_late (fontname=Variable "fontname" is not available.
>>
>> Whoops, I missed that one.  Thanks for the backtrace.  This means that
>> we can't pledge i3bar since init_xcb_late can be called at any point
>> during the runtime to update the configuration (including fonts).
>>
>> Updated diff below.
>
> That works better. No other issues noticed so far.
>
> Thanks,
> Ralf

Works fine for me too with my regular workflow.

So I'd say put this in as local patches.
If you don't hear any loud scream for the next two weeks or so, send
it upstream with a pull request on github.

Thanks!
David
--
"If you try a few times and give up, you'll never get there. But if
you keep at it... There's a lot of problems in the world which can
really be solved by applying two or three times the persistence that
other people will."
                -- Stewart Nelson


Re: pledge(2) for the i3 window manager

Josh Grosse
On Mon, Dec 21, 2015 at 10:30:43AM +0100, David Coppa wrote:
> So I'd say put this in as local patches.
> If you don't hear any loud scream for the next two weeks or so, send
> it upstream with a pull request on github.

Just built from commit; no loud screams from me, not even a whimper.
Working without issue.


Re: pledge(2) for the i3 window manager

Jiri B-2
In reply to this post by Theo Buehler
Respect for your work but I'm asking myself - what is
the attack vector?

IMO pdf viewers, browsers and similar apps would have
much bigger sense to pledge(). Unfortunately they are
huge beasts :/

j.


Re: pledge(2) for the i3 window manager

dan mclaughlin
In reply to this post by Theo Buehler
On Mon, 21 Dec 2015 09:51:07 -0500 Jiri B <[hidden email]> wrote:
> Respect for your work but I'm asking myself - what is
> the attack vector?
>
> IMO pdf viewers, browsers and similar apps would have
> much bigger sense to pledge(). Unfortunately they are
> huge beasts :/
>
> j.
>

yes they are huge beasts, but they can still be forced into cages. half my
posts seem to refer back to this, but.. you can try:

'isolating untrusted programs in ssh chroot jails'
https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

i run my browser and pdf viewers in them. i make sure too that my pdf/djvu
viewers don't have net access either using pf. i try to leverage most of
the mitigation facilities available in base (though so far i haven't yet
seriously experimented with systrace).

Mr. Coppa previously reported that he managed it with firefox. i mention
the programs i could and couldn't jail in the post.


Re: pledge(2) for the i3 window manager

Jiri B-2
In reply to this post by Theo Buehler
On Mon, Dec 21, 2015 at 03:34:43PM -0500, dan mclaughlin wrote:

> yes they are huge beasts, but they can still be forced into cages. half my
> posts seem to refer back to this, but.. you can try:
>
> 'isolating untrusted programs in ssh chroot jails'
> https://marc.info/?l=openbsd-misc&m=142676615612510&w=2
>
> i run my browser and pdf viewers in them. i make sure too that my pdf/djvu
> viewers don't have net access either using pf. i try to leverage most of
> the mitigation facilities available in base (though so far i haven't yet
> seriously experimented with systrace).
>
> Mr. Coppa previously reported that he managed it with firefox. i mention
> the programs i could and couldn't jail in the post.

I don't understand why you switch topic from pledge()
to chroots...

j.


Re: pledge(2) for the i3 window manager

dan mclaughlin
In reply to this post by Theo Buehler
On Tue, 22 Dec 2015 03:53:54 -0500 Jiri B <[hidden email]> wrote:

> On Mon, Dec 21, 2015 at 03:34:43PM -0500, dan mclaughlin wrote:
> > yes they are huge beasts, but they can still be forced into cages. half my
> > posts seem to refer back to this, but.. you can try:
> >
> > 'isolating untrusted programs in ssh chroot jails'
> > https://marc.info/?l=openbsd-misc&m=142676615612510&w=2
> >
> > i run my browser and pdf viewers in them. i make sure too that my pdf/djvu
> > viewers don't have net access either using pf. i try to leverage most of
> > the mitigation facilities available in base (though so far i haven't yet
> > seriously experimented with systrace).
> >
> > Mr. Coppa previously reported that he managed it with firefox. i mention
> > the programs i could and couldn't jail in the post.
>
> I don't understand why you switch topic from pledge()
> to chroots...
>
> j.
>

you originally said:
> Respect for your work but I'm asking myself - what is
> the attack vector?
>
> IMO pdf viewers, browsers and similar apps would have
> much bigger sense to pledge(). Unfortunately they are
> huge beasts :/
>

"unfortunately they are huge beasts", and you are right.

in this post https://marc.info/?l=openbsd-ports&m=144822758614817&w=2

Theo said:
> You can't pledge a program if you don't understand what it is doing,
> and why.
>
> Misapplication of pledge like this will result in a nightmare.

it's hard to understand what a huge beast is doing, so while pledge is a good
thing, it may not work for such things, *especially* modern web browsers.

so as an alternative, i mentioned the mitigation facilities in base that can
at least help. dedicated user, chroot, X11 security extensions, Xephyr, pf.
i also mentioned systrace(1), even though i have not used it much myself,
because it does similar things to pledge (i.e. restricting syscalls, etc.).

at the very least, in a chroot running as a non-privileged user, it should
remove a great deal of the attack surface. and those facilities can be used
now, rather than waiting for someone to pledge() those programs later.


Re: pledge(2) for the i3 window manager

Theo Buehler
In reply to this post by David Coppa
With the help of semarie@ we managed to get an improved version of these
patches upstream:

https://github.com/i3/i3/pull/2161

Many thanks also to bcook@ and landry@ for their handholding while I was
fighting a hopeless battle with git.

The current version of the patches has the flaw that

$ i3-msg 'shmlog on'

will trigger a pledge abort of i3.  The attached patch is semarie@'s fix
for that problem.

ok?

Index: Makefile
===================================================================
RCS file: /cvs/ports/x11/i3/Makefile,v
retrieving revision 1.101
diff -u -p -r1.101 Makefile
--- Makefile 15 Jan 2016 19:57:24 -0000 1.101
+++ Makefile 17 Jan 2016 22:29:18 -0000
@@ -3,7 +3,7 @@
 COMMENT = improved dynamic tiling window manager
 
 DISTNAME = i3-4.11
-REVISION = 1
+REVISION = 2
 CATEGORIES = x11
 
 EXTRACT_SUFX = .tar.bz2
Index: patches/patch-src_log_c
===================================================================
RCS file: /cvs/ports/x11/i3/patches/patch-src_log_c,v
retrieving revision 1.10
diff -u -p -r1.10 patch-src_log_c
--- patches/patch-src_log_c 4 Oct 2015 08:48:12 -0000 1.10
+++ patches/patch-src_log_c 17 Jan 2016 22:29:18 -0000
@@ -3,7 +3,7 @@ $OpenBSD: patch-src_log_c,v 1.10 2015/10
 OpenBSD lacks pthread_condattr_setpshared()
 
 --- src/log.c.orig Wed Sep 30 08:55:10 2015
-+++ src/log.c Fri Oct  2 16:58:54 2015
++++ src/log.c Sun Jan 17 23:10:44 2016
 @@ -20,7 +20,9 @@
  #include <sys/mman.h>
  #include <sys/stat.h>
@@ -14,7 +14,49 @@ OpenBSD lacks pthread_condattr_setpshare
 
  #include "util.h"
  #include "log.h"
-@@ -154,11 +156,13 @@ void open_logbuffer(void) {
+@@ -58,6 +60,8 @@ static char *loglastwrap;
+ static int logbuffer_size;
+ /* File descriptor for shm_open. */
+ static int logbuffer_shm;
++/* Size (in bytes) of physical memory */
++static long long physical_mem_bytes;
+
+ /*
+  * Writes the offsets for the next write and for the last wrap to the
+@@ -89,6 +93,16 @@ void init_logging(void) {
+             }
+         }
+     }
++    if (physical_mem_bytes == 0) {
++#if defined(__APPLE__)
++        int mib[2] = {CTL_HW, HW_MEMSIZE};
++        size_t length = sizeof(long long);
++        sysctl(mib, 2, &physical_mem_bytes, &length, NULL, 0);
++#else
++        physical_mem_bytes = (long long)sysconf(_SC_PHYS_PAGES) *
++                             sysconf(_SC_PAGESIZE);
++#endif
++    }
+     /* Start SHM logging if shmlog_size is > 0. shmlog_size is SHMLOG_SIZE by
+      * default on development versions, and 0 on release versions. If it is
+      * not > 0, the user has turned it off, so let's close the logbuffer. */
+@@ -108,15 +122,6 @@ void open_logbuffer(void) {
+          * For 512 MiB of RAM this will lead to a 5 MiB log buffer.
+          * At the moment (2011-12-10), no testcase leads to an i3 log
+          * of more than ~ 600 KiB. */
+-    long long physical_mem_bytes;
+-#if defined(__APPLE__)
+-    int mib[2] = {CTL_HW, HW_MEMSIZE};
+-    size_t length = sizeof(long long);
+-    sysctl(mib, 2, &physical_mem_bytes, &length, NULL, 0);
+-#else
+-    physical_mem_bytes = (long long)sysconf(_SC_PHYS_PAGES) *
+-                         sysconf(_SC_PAGESIZE);
+-#endif
+     logbuffer_size = min(physical_mem_bytes * 0.01, shmlog_size);
+ #if defined(__FreeBSD__)
+     sasprintf(&shmlogname, "/tmp/i3-log-%d", getpid());
+@@ -154,11 +159,13 @@ void open_logbuffer(void) {
 
      header = (i3_shmlog_header *)logbuffer;
 
@@ -28,7 +70,7 @@ OpenBSD lacks pthread_condattr_setpshare
 
      logwalk = logbuffer + sizeof(i3_shmlog_header);
      loglastwrap = logbuffer + logbuffer_size;
-@@ -273,8 +277,10 @@ static void vlog(const bool print, const char *fmt, va
+@@ -273,8 +280,10 @@ static void vlog(const bool print, const char *fmt, va
 
          store_log_markers();
 
Index: patches/patch-src_main_c
===================================================================
RCS file: /cvs/ports/x11/i3/patches/patch-src_main_c,v
retrieving revision 1.15
diff -u -p -r1.15 patch-src_main_c
--- patches/patch-src_main_c 21 Dec 2015 10:16:03 -0000 1.15
+++ patches/patch-src_main_c 17 Jan 2016 22:29:18 -0000
@@ -9,7 +9,7 @@ add pledge:
 "proc exec" for executing programs
 
 --- src/main.c.orig Wed Sep 30 08:55:10 2015
-+++ src/main.c Sun Dec 20 14:58:54 2015
++++ src/main.c Sun Jan 17 17:55:53 2016
 @@ -87,6 +87,7 @@ struct ws_assignments_head ws_assignments = TAILQ_HEAD
 
  /* We hope that those are supported and set them to true */
@@ -26,16 +26,14 @@ add pledge:
      if (!extreply->present) {
          DLOG("xkb is not present on this server\n");
      } else {
-@@ -784,6 +786,13 @@ int main(int argc, char *argv[]) {
+@@ -784,6 +786,11 @@ int main(int argc, char *argv[]) {
          xcb_free_gc(conn, gc);
          xcb_free_pixmap(conn, pixmap);
      }
 +
 +#if defined(__OpenBSD__)
-+    /* can't use pledge if shm* calls are used */
-+    if (shmlog_size == 0)
-+        if (pledge("stdio rpath wpath cpath proc exec unix", NULL) == -1)
-+            err(EXIT_FAILURE, "pledge");
++    if (pledge("stdio rpath wpath cpath proc exec unix", NULL) == -1)
++        err(EXIT_FAILURE, "pledge");
 +#endif
 
      struct sigaction action;
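Review bot: Dropping the `shmlog_size == 0` guard makes the pledge unconditional, which is only correct together with the patch-src_log_c change in the same diff; nothing in this patch says so. The "add pledge:" header of this patch should note that shm logging is now allowed after pledge because the memory-size query was moved to init_logging(); otherwise the deleted comment ("can't use pledge if shm* calls are used") leaves a future reader with no explanation of why the condition went away.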

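The ordering problem Theo describes in the post above (code that is fine at startup but aborts the process when the same path is reached later, after pledge(2)) is worth seeing in isolation. The following is an added example written for this page; it is not i3's code and not semarie@'s patch. It reproduces the shape of the fix: the sysconf(3) lookup is done once and cached before the pledge, and the buffer-sizing rule from open_logbuffer() (1% of RAM, capped at the requested size) becomes a pure function of that cached value that needs no syscall when an IPC handler invokes it later. The names get_physical_mem_bytes, compute_logbuffer_size and restrict_process are assumptions for the example; the promise string is the one from the i3 patch, and the pledge call compiles to nothing on non-OpenBSD systems so the example builds elsewhere too.

```c
/* Added example (not i3's code): the "query early, pledge late" pattern
 * from the thread. Function names are hypothetical. */
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Cached physical memory size; filled once at startup, before pledge(). */
static long long physical_mem_bytes;

/* Query the machine's RAM size through sysconf(3). The fix in the thread
 * moves this lookup out of the runtime log-buffer path into startup code;
 * here it is cached on first call for the same reason, so that every later
 * caller gets the stored value instead of re-running the lookup. */
long long get_physical_mem_bytes(void) {
    if (physical_mem_bytes == 0) {
        long pages = sysconf(_SC_PHYS_PAGES);
        long pagesize = sysconf(_SC_PAGESIZE);
        /* Only cache a sane value; a -1 from sysconf() would otherwise be
         * stored as a negative product and never retried. */
        if (pages > 0 && pagesize > 0)
            physical_mem_bytes = (long long)pages * pagesize;
    }
    return physical_mem_bytes;
}

/* Same sizing rule as i3's open_logbuffer(): 1% of RAM, capped at the
 * requested shmlog size. The cached RAM size is passed in, so this makes
 * no system call and is safe to run after pledge(). The cast only happens
 * when one_percent < shmlog_size <= INT_MAX, so it cannot overflow. */
int compute_logbuffer_size(long long phys_bytes, int shmlog_size) {
    double one_percent = phys_bytes * 0.01;
    if (one_percent < shmlog_size)
        return (int)one_percent;
    return shmlog_size;
}

/* Restrict the process with the promise string from the i3 patch.
 * Compiles to a no-op off OpenBSD so the example stays portable. */
int restrict_process(void) {
#if defined(__OpenBSD__)
    if (pledge("stdio rpath wpath cpath proc exec unix", NULL) == -1)
        return -1;
#endif
    return 0;
}

int main(void) {
    /* 1. Do the lookups that need sysconf()/sysctl() before the pledge. */
    long long phys = get_physical_mem_bytes();

    /* 2. Drop to the promise set the rest of the program needs. */
    if (restrict_process() == -1)
        err(EXIT_FAILURE, "pledge");

    /* 3. Later, e.g. when an IPC "shmlog on" arrives, size the buffer from
     *    the cached value without touching any syscall the promises do not
     *    cover. The 25 MiB request below is a constructed sample value. */
    int shmlog_size = 25 * 1024 * 1024;
    printf("physical memory: %lld bytes, log buffer: %d bytes\n",
           phys, compute_logbuffer_size(phys, shmlog_size));
    return 0;
}
```

Calling get_physical_mem_bytes() for the first time only after restrict_process() would recreate the ordering the patch removes; with the cache filled first, compute_logbuffer_size() can be invoked from an IPC handler with no further system calls. For 512 MiB of RAM and a 25 MiB request it returns 5368709 bytes, the "5 MiB log buffer" figure in the comment quoted in the patch.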

Re: pledge(2) for the i3 window manager

David Coppa
On Sun, Jan 17, 2016 at 11:37 PM, Theo Buehler <[hidden email]> wrote:

> With the help of semarie@ we managed to get an improved version of these
> patches upstream:
>
> https://github.com/i3/i3/pull/2161
>
> Many thanks also to bcook@ and landry@ for their handholding while I was
> fighting a hopeless battle with git.
>
> The current version of the patches has the flaw that
>
> $ i3-msg 'shmlog on'
>
> will trigger a pledge abort of i3.  The attached patch is semarie@'s fix
> for that problem.
>
> ok?

This is upstream now
(https://github.com/i3/i3/commit/a1d1f456a1fbf44bfa5c6a9d041023ac498b0c46)
Isn't it?
So, ok for me to commit to our port.

Thanks a lot for improving this and doing all the leg-work to have it
upstreamed!

Ciao,
David