IABSD.fr/src/libexec

Branch :


Log

Author Commit Date CI Message
447a4a13 2019-09-02 12:43:54 Remove some duplicate symbol definitions. ok visa@ guenther@
e83568d5 2019-08-31 04:22:12 Delete the last argument to fit recent _dl_find_symbol change. ok guenther@
88157d21 2019-08-23 04:38:55 update tradcpp to 0.5.3
1a3f6550 2019-08-09 22:52:13 Use NULL for second gettimeofday(2) argument; ok deraadt@ kettenis@
5bec4ecb 2019-08-09 21:31:07 Fix pointless cast: (struct timezone *)0 -> NULL
0256fee7 2019-08-06 13:34:36 By now we are already confident that pledge(2) "just works(tm)" and that it can be used to effectively remove filesystem access. That being said, in spamd(8) when I pledge(2)d it the main priv process got "stdio inet" which means there's no fs access at all so calling chroot(2)/chdir(2) here doesn't get us any additional protection. Just remove them. OK deraadt@ and no objections from schwarze@
90273bfb 2019-08-06 04:01:41 Factor out TEXTREL mprotecting from the per-arch files into _dl_rtld(), hiding the actual grotty bits in inline functions ok mpi@
143e5acc 2019-08-04 23:51:45 Simplify _dl_find_symbol(). Currently, it returns three values: - the symbol it found, returned via the second argument - the base offset of the the object it was found in, via the return value - optionally: the object it was found in, returned via the last argument Instead, return a struct with the symbol and object pointers and let the caller get the base offset from the object's obj_base member. On at least aarch64, amd64, mips64, powerpc, and sparc64, a two word struct like this is passed in registers. ok mpi@, kettenis@
715d984b 2019-08-03 19:56:40 The ABI says JUMP_SLOT relocations don't have an addend, so don't add it in ok kettenis@
8f3b0808 2019-08-03 19:36:55 Suppress DWARF2 warnings on clang archs by building with -gdwarf-4 ok deraadt@, kettenis@
75866a61 2019-07-30 13:44:00 shorten the failure message, it should not wrap a line.
49f581ec 2019-07-25 17:32:33 Fix copy pasto, re-add missing goto in error path.
4053af61 2019-07-25 14:53:21 Yet another workaround for crappy libpcap API design Add an internal version of pcap_open_live that ensures bpf(4) devices are opened read-only before locking. Neither pflogd(8) or spamlogd(8) require write access to bpf(4). Inspired by similar solution in OpenBSD tcpdump(8). pflogd(8) was safe since being unveiled last year, but spamlogd(8) was having /dev/bpf opened O_RDWR. Issue discovered by bluhm@'s unveil(2) accounting commit. ok deraadt@, mestre@ (thanks for testing spamlogd!)
fd9fa3ac 2019-07-24 18:41:05 Ever since I introduced pledge(2) on spamd(8) the chroot'ed process, if running in default, cannot get anywhere near the filesystem since its only promises are "stdio inet". Furthermore, in blacklist mode this same codepath is not chroot'ed but once again it gets the same pledge(2). Therefore we can remove the BUGS section from spamd(8)'s manpage. OK millert@ deraadt@
518321a8 2019-07-21 03:54:16 In 2004, we upgraded to binutils 2.14 with did -zcombreloc by default. In 2013, I implemented the single-entry LRU cache that gets the maximal symbol reuse from combreloc. Since then, the ld.so generic relocation symcache has been a waste of CPU and memory with 0% hit-rate, so kill it. ok mpi@
6eb4f976 2019-07-14 03:23:12 ld.so's $ORIGIN handling when argv[0] is a relative path was broken by the change in __getcwd(2)'s return value. Fix it by switching to the __realpath(2) syscall, eliminating the ld.so copy of realpath(). problem caught by regress and noted by bluhm@ ok deraadt@
515e489c 2019-07-03 03:24:01 snprintf/vsnprintf return < 0 on error, rather than -1.
395f4ca8 2019-07-01 15:58:38 Compile with -fno-jump-tables to avoid relocations in _dl_boot_bind() when building with clang. ok deraadt@, visa@
f4b4f15b 2019-07-01 15:57:34 Remove stray comma. ok deraadt@, visa@
696e08c4 2019-06-28 13:47:33 When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
df69c215 2019-06-28 13:32:41 When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
9e74ecfa 2019-06-23 18:54:24 Explicitly lock unveil. Noticed when testing the recent ps(1) commit exposing the unveil state of running processes. ok deraadt@
b6ddd2f4 2019-06-20 20:53:56 after installing new kernel, do a sync(8) to encourage lazy buffers to make it to disk (discussion with tedu)
9dfb6b44 2019-06-07 16:27:47 make gc workaround compile on non-clang
549b7b61 2019-06-04 02:35:40 Disable the unmapping of ld.so's boot data for now, as boehm-gc apparently follows some pointer into the middle of it. Best to keep things working while tracking down the wonkiness. problem noted by naddy@
de26657e 2019-05-12 23:32:42 Indentation fix
5c3b452c 2019-05-11 21:02:35 Prune visited leaves when walking dependencies to call init functions in topological sort order, reducing it to O(n) from O(2^n) (ouch!) diff from Nathanael Rensen (nathanael(at)list.polymorpheus.com) Much testing and pleading by robert@ and ajacoutot@ ok drahn@ mpi@
c0197e40 2019-05-10 13:29:21 ld.so boot cleanup support: - put functions and data which are only used before calling the executable's start function into their own page-aligned segments for unmapping (only done on amd64, arm64, armv7, powerpc, and sparc64 so far) - pass .init_array and .preinit_array functions an addition argument which is a callback to get a structure which includes a function that frees the boot text and data - sometimes delay doing RELRO processing: for a shared-object marked DF_1_INITFIRST do it after the object's .init_array, for the executable do it after the .preinit_array - improve test-ld.so to link against libpthread and trigger its initialization late libc changes to use this will come later ok kettenis@
7a7d71fb 2019-05-08 23:56:48 rm dead code and simplify ftpd_popen. this code has only called its statically linked ls_main for some time now. from Jan Klemkow ok deraadt
466246de 2019-05-08 22:15:48 On retguard systems, remove the ld.so-local stack-protector handling functions because retguard uses hard-traps instead. ok mortimer.
9542d0df 2019-05-01 14:13:12 Pull tname initialization up since it's used in an error path. Pointed out by jsg, just fix it deraadt@
9d9b0c10 2019-04-21 04:11:42 Now that all Elf_foo types are correct, we don't need to use Elf32_Word anywhere and can use Elf_Word instead. ok guenther
4e986f76 2019-04-21 03:41:13 On alpha, the buckets of DT_HASH are 8 bytes instead of 4 bytes. This was previously 'implemented' by having the Elf_Word typedef in <sys/exec_elf.h> vary, but that doesn't match the spec and breaks libelf so it's gone away. Implement the variation here by defining our own type locally for this. ok deraadt@
aadc5739 2019-04-19 08:59:40 Prevent clang from using builtins and jump tables in _dl_boot_bind() on mips64. They need relocation and consequently cannot be used in that function. OK kettenis@
87311ea8 2019-02-14 07:26:31 spelling/consistency fix; from nam nguyen
1afb3ec2 2019-02-10 21:11:42 Simplify NFS check Instead of getting all filesystems with df(1), filter /usr/share/ and check with mount(1) whether it's NFS, make df error out directly if the filesystem type matches nfs. OK sthen tb
6e31582a 2019-02-03 03:44:06 _dl_cerror is trivial on powerpc; just inline the handling into the stubs based on a diff from miod@
d7a24b57 2019-02-03 02:20:36 _dl_cerror is trivial on alpha and m88k; just inline the hanlding into the stubs noted by miod@
c00e8a00 2019-01-25 18:13:13 On i386, ensure that the first PT_LOAD segment is below the W^X line unless it is writable. lld places read-only sections below the gap so this is needed to be able to retain W^X with lld. Note however the read-only sections below the W^X line are now executable on pre-NX machines and a possible source of gadgets. This is a change from Gnu ld where RO sections were ordered above the W^X line and not executable. okay drahn@ kettenis@ deraadt@
bf198cc6 2019-01-25 00:19:25 I am retiring my old email address; replace it with my OpenBSD one.
89807220 2018-12-11 18:19:55 Flip snprintf(3) error check to align it with the man page example. No functional change. suggested by tb@; from Jan Klemkow
83b130e1 2018-12-11 18:03:11 Convert some variables with non-negative values to unsigned type to avoid comparison of integers of different signs. from Jan Klemkow; OK tb@
522be859 2018-12-05 04:28:32 Delete an unused struct member that has hid out here for 17 years
f939acc2 2018-12-03 05:29:56 DT_MIPS_RLD_MAP is an offset, so relocate it when present. This fixes handling of lld-linked executables on mips64. problem reported by visa@ and worked out with him
ac51d06c 2018-11-28 03:18:00 Implement support for DT_GNU_HASH, taking all the interesting bits from Matt Dillon's implementation in DragonFlyBSD commit 7629c631. One difference is that as long as DT_HASH is still present, ld.so will use that to get the total number of symbols rather than walking the GNU hash chains. Note that the GPLv2 binutils we have doesn't support DT_GNU_HASH, so this only helps archs were lld is used. ok kettenis@ mpi@
c9db2c6c 2018-11-22 21:37:29 Make alpha less special: _dl_boot_bind() is written to complete relocation of ld.so's GOT without using it, so _reloc_alpha_got() merely made the call to _dl_boot_bind() from asm simpler...while itself being a call that required special handling. diff and muild baking by miod@ ok guenther@
d4ca23ac 2018-11-20 01:38:59 On mips64, DT_DEBUG doesn't need mprotecting if it's in the GNU_RELRO segment ok visa@
3e05b07b 2018-11-17 01:40:51 need to closefrom(0) before execve(), otherwise tty isn't properly 'hung up'; some testing by Theodore Wynnychenko
25205068 2018-11-16 21:15:47 Finish ld.so's transition to GNU_RELRO: eliminate support for using __got_{start,end} to find a region to mark read-only. It was only used for binaries that didn't have a GNU_RELRO segment, but all archs have been using that for over a year. Since support for insecure-PLT layouts on powerpc and alpha have been removed, all archs handle GNU_RELRO the same way and the support can be moved from the MD code to the MI code. ok mpi@
49fb1b57 2018-11-16 05:05:44 Borrow an idea from DragonFly BSD: factor out the "does this symbol match what we're looking up?" logic from _dl_find_symbol_obj() into matched_symbol(), so that the former is just the "iterate across the hash" logic. matched_symbol() returns zero on "not found", one on "found strong symbol", and negative one on "found weak symbol". The last of those lets the caller give up on this object after finding a weak symbol, as there's no point in continuing to search for a strong symbol in the same object. ok mpi@
b5a21baa 2018-11-15 21:25:44 Put all the symbol lookup parameters (except the object being searched) and the return pointers into a structure and pass that to _dl_find_symbol_obj(). Set sl->sl_obj_out in _dl_find_symbol_obj() so that the callers don't need to each record the object. ok mpi@
bf6d4de2 2018-11-15 03:04:10 Theodore Wynnychenko discovered the gettytab "lo=path" feature didn't work anymore with unveil wired to /usr/bin/login. So let's parse gettytab a bit earlier to learn which login path to unveil. Later in the loop gettytab is re-parsed, if the login changes re-exec getty to reach the unveil from the top. ok millert, also discussed with mestre
9e9d93fd 2018-11-12 02:33:42 Delete support for non-secureplt binaries. The secure PLT format has been the default for years and ports doesn't appear to have anything patching to use the old format. ok deraadt@
b8058d5b 2018-11-09 07:53:14 Delete superfluous libc reach-around variables, left over from the old syscall stubs. Prompted by miod@'s poke on m88k ok visa@
043a04f9 2018-11-09 06:16:37 Delete superfluous libc reacharounds. Replace magic numbers with symbolic constants in ldasm.S Let the kernel do the cacheflush optimization. from miod@
989dfc87 2018-11-09 05:31:57 Delete support for obsolete BSS PLT format, which was last known to be used by the dearly departed editors/emacs21 port. Per naddy@, we'll keep an eye out for issues in the next ports bulk build
133128c4 2018-11-02 07:26:25 ld.so's malloc has no runtime option processing, so remove the setting flags and replace them by constants. ok deraadt@ guenther@
2668a398 2018-10-25 16:41:38 The compilers already put static arrays in .rodata when not written to; marking them const will keep a source change from silently moving them back to .data ok deraadt@ kettenis@
800fd717 2018-10-25 06:42:35 When spamd(8) runs in greylist mode in the parent process (which runs greywatcher()) we know that the only files that it will ever access are PATH_SPAMD_DB in rw mode, alloweddomains_file in r and that it will need to execute PATH_PFCTL so we can unveil(2) them with those permissions. OK deraadt@ millert@ beck@
222d93a5 2018-10-25 06:41:50 The only file that spamlogd(8) needs to access after calling pledge(2) is PATH_SPAMD_DB, so unveil(2) it with O_RDWR permissions. OK millert@ beck@
d1b0fb8f 2018-10-23 04:01:45 Delay processing of ld.so's own PT_GNU_RELRO section until after environment processing and malloc initialization, and then move variables set by those steps, including malloc's mopts structure, into the .data.rel.ro segment. This protects more data and eliminates the extra padding of the mopts. ok kettenis@
c43131ad 2018-10-22 17:31:24 More "explicitely" -> "explicitly" in various comments. ok guenther@ tb@ deraadt@
10200827 2018-10-22 01:59:08 Use int, not char*, for booleans ok millert@
6b54b65f 2018-10-01 22:53:48 Add retguard to arm64 ld.so. ok kettenis@
fbe777cf 2018-09-30 13:29:24 Remove the hopefully last remnants of kerberos in there: arg_login, arg_notickets and invokinguser. ok kn@ millert@
0aed10eb 2018-09-25 20:02:43 document HUP; based on a diff from katherine rohl, shortened by request of deraadt
51d464e8 2018-09-24 22:56:54 unveil maildir, utmp, /tmp, and /dev. For the vast number of people using biff.
239b4933 2018-09-24 21:30:00 unveil(2) in getty. This has been in snaps for more than 2 months, since I worry that a mistake in here will cause significant grief.
f9343fea 2018-09-02 08:28:05 update tradcpp to 0.5.2 ok miko@ bcallah@ deraadt@
92ffaf13 2018-08-29 15:56:46 make ld.so build reproducible by including a FILE symbol and by removing -x from ld; this is only used for syspatch creation so builds are still randomized just as before ok guenther@
3f17513b 2018-08-08 22:59:33 lockspool only plays with files in _PATH_MAILDIR, so unveil that path.
19a58c97 2018-08-03 15:14:18 Move pledge to after getopt, when the finger program becomes known (defaults to /usr/bin/finger, but can be redefined with -P option). Then unveil that program for "x" (execution), and pledge as before. No other filesystem accesses occur after that point.
4e61412a 2018-07-24 09:27:44 Fix address calculation for _DYNAMIC. We want to address of _DYNAMIC itself, not the address of its GOT entry. The current code mixed the high bits of the GOT entry address with the low bits of the true address. This only worked by accident for small binaries where _DYNAMIC and its GOT entry happen to reside on the same page. ok guenther@, mortimer@
f6633b27 2018-07-09 10:12:14 unify the various per-arch syscall.h as much as possible ok kettenis guenther
e88f0f1e 2018-06-28 02:23:27 add missing ${LIBCRYPTO} to DPADD OK deraadt@ millert@ jca@
acd0de91 2018-06-16 16:06:03 Add add PIE support for m88k (requires gcc4 toolchain) Convert __cerror to hidden visibility. from miod@
d8b2e2b8 2018-06-14 23:19:27 silence a compiler warning OK millert
05b936d7 2018-06-13 15:02:09 Call pledge(2) earlier before opening the auth channel and readpassphrase() Before this change, only the password validation was pledged, now it also includes some more code including the "Password:" prompt. To pledge the code earlier, the getpwnam_shadow() had to be moved up - it works under "getpw" but it does not return the actual password hash under pledge. This also works with yp(ldap). OK deraadt@ tb@ brynet@
9b203ab7 2018-06-13 14:54:42 Remove #ifdef PASSWD, it was always enabled and is a leftover from krb5 days. No other uses of -DPASSWD were found in the tree. OK deraadt@ tb@ brynet@
51e0f611 2018-06-08 19:24:46 Bail out if fchmod(2) fails. Don't quietly install ld.so.hints with mode 0600 because this adds overhead to shlib lookup for non-root processes. From Nan Xiao. ok guenther@
8b424531 2018-06-01 03:27:59 Bump ELF_RANDOMIZE_LIMIT to 1MB. ok deraadt@
1ed8c407 2018-05-15 20:37:48 On arm64 negate the whole 64-bit register otherwise system call wrappers that return ssize_t will not return a negative value upon error. Fixes dynamical loading of shared objects using dlopen(). ok guenther@
a3f3badc 2018-05-01 09:45:39 Add an explanation to relink.log what a failed checksum of /bsd means and show how to re-enable KARL. Prodded by and OK deraadt Feedback and OK tb
16d4e635 2018-04-27 06:49:06 Make sure ld.so doesn't use floating point registers, as the lazy-binding stub doesn't preserve them and some may be used for passing arguments ok kettenis@ deraadt@ mlarkin@
f4147939 2018-04-26 12:42:50 Use <fcntl.h> instead of <sys/file.h> for open() and friends. Delete a bunch of unnecessary #includes and sort to match style(9) while doing the above cleanup. ok deraadt@ krw@
673dbe7e 2018-04-26 08:57:07 nuke trailing whitespace
91659d32 2018-03-09 14:55:44 Add support for the DF_TEXTREL flag. ok patrick@, millert@
4e496f3d 2018-02-09 22:13:04 Use a static chacha instance to fill randomdata sections. Avoids looping over a syscall for randomdata sections larger than 256B. ok djm@ deraadt@ kettenis@
2b5a4592 2018-02-07 18:59:20 sync with libc malloc: use consistent style for for loop in unmap(), no functional change
9777ac55 2018-02-04 20:41:58 Expand Type strings by one space, to fit ld.so, in the same ugly way "exe " was being handled.
5efa8d23 2018-02-01 11:14:23 don't forget to increment loop var; infinite loops spotted by sthen@
242436d2 2018-01-30 21:08:05 No need to add ffs.c as we use .VPATH to reach over into libc/string. ok otto@
544a2704 2018-01-30 20:15:25 provide ffs, gcc generates calls to it, even when __builtin_ffs() is used. ok deraadt@
bf73d255 2018-01-30 17:45:53 kill a gcc warning
8ddaed9e 2018-01-30 16:40:20 port over the malloc changes from libc. prompted by deraadt@
04885a94 2018-01-18 08:17:39 Unlike other archs, mips64 needs ld.so to know about symbol visibility and skip symbol lookup on protected symbols. Add visibility #defines to <sys/exec_elf.h> to support that. ok kettenis@ visa@
c2030654 2017-12-24 01:50:50 Fix one possible buffer overflow and one underflow. Also some minor cleanups. From Jan Kokemueller. OK deraadt@
1e3b5417 2017-12-21 00:32:55 Implement missing bits to support lazy binding. Note that the code deliberately does not save the floating-point argument registers before calling _dl_bind(). Doing so would force an FPU context switch upon every function call through the PLT. But since we compile ld.so with -march=armv8-a+nofp+nosimd this is safe since nothing in the _dl_bind() codepath uses he FPU registers. ok guenther@, drahn@
8215ea78 2017-12-12 15:33:34 ld.so's syscall _dl_* API/ABI doesn't reurn errno, but -errno. Reviewing behaviour artifacts with pledge, I discover a close(-ENOSYS).. ok guenther
7aa9dd3f 2017-12-12 07:47:58 spacing