Branch :
| Author | Commit | Date | CI | Message |
|---|---|---|---|---|
| b75a4ace | 2023-08-15 13:50:53 | ldd can pledge "stdio rpath proc exec prot_exec". We can later bifurbicate at the dlopen vs execve split, dropping either "proc" or "prot_exec". ok gnezdo | ||
| ac42b3c8 | 2023-08-15 06:26:34 | Improve handling of dlopen(RTLD_TRACE) aka ldd, of a library that is already loaded: * add a 'trace' argument to _dl_show_objects() and exit the walk-the-objects loop if you hit that traced object * in dlopen(), pass the trace object to _dl_show_objects() * also, invoke _dl_show_objects() + exit if the object was already opened * pass NULL to _dl_show_objects() for all the other calls * oh hey, _dl_tracelib is now superfluous: _dl_show_objects() should do the walk-the-objects loop only if trace is not NULL. Problem noted by gnezdo@ ok millert@ | ||
| 15fded63 | 2023-08-15 06:23:31 | Skip the _dl_msyscall() invocation if tracing library loading. Problem noted by gnezdo@ ok millert@ | ||
| d4a5aacd | 2023-08-12 13:43:22 | Check for a full read, avoid warn when errno might be unmodified Promote size from int to size_t. From: lucas at sexy dot is Regress tests by gnezdo@ deraadt: yes | ||
| f61db8b9 | 2023-07-24 01:02:47 | I added the 2nd argument (execpromises) to pledge(2), and then hunted for more than a year code which could use it; but in all non-trivial circumstances (programs which would benefit), I was stopped by issues (in particular by environment variable behavious). But I never looked in ldd(1). This is the FIRST one which is completely obvious. spledge(NULL, "stdio rpath") ok guenther | ||
| fbc42936 | 2023-07-13 19:04:50 | - use IS_ELF() to check the ELF magic bytes - reject non-sensical program header values which would result in a crash when accessing the 0 bytes sized buffer allocated due to it ok deraadt@ kettenis@ | ||
| 4bd80098 | 2023-07-12 19:49:06 | validate alignment of ELF program headers | ||
| d198ddd1 | 2023-07-08 14:09:43 | turn an ifdef'd _dl_printf call into DL_DEB and various whitespace fixes sure deraadt@ | ||
| f81a9d33 | 2023-07-08 11:03:45 | zap stray backslash ok deraadt@ | ||
| d2364f60 | 2023-07-04 11:34:19 | The recent change to DIOCGETRULE allows applications which periodically read rules from pf(4) to consume all kernel memory. The bug has been discovered and root caused by florian@. In this particular case it was snmpd(8) what ate all kernel memory. This commit introduces DIOCXEND to pf(4) so applications such as snmpd(8) and systat(1) to close ticket/transaction when they are done with fetching the rules. This change also updates snmpd(8) and systat(1) to use newly introduced DIOCXEND ioctl(2). OK claudio@, deraadt@, kn@ | ||
| 01f59d78 | 2023-06-05 08:07:18 | use getline(3) instead of fgetln(3) while here simplify the "From " check too. ok millert@ | ||
| 2903f217 | 2023-05-18 16:33:39 | If you disable retpolineplt then _dl_bind_start is called with an indirect branch, so include an endbr64 Just In Case. ok deraadt@ | ||
| 320e1832 | 2023-05-15 12:02:40 | cast to '(long long)' instead of '(long long int)' requested by deraadt@, ok tb@ | ||
| ad520ff8 | 2023-05-10 08:03:49 | cast off_t to long long int for printing reduces the diff with opensmtpd-portable. ok tb@ | ||
| ba367c05 | 2023-04-27 12:27:56 | revert cache lookup for full pathnames | ||
| 12e285c6 | 2023-04-25 04:11:10 | endbr64 is potentially neccessary in the syscall stubs. | ||
| e00439cd | 2023-04-24 22:06:05 | Since ENTRY() already inserts a BTI instructions so don't add another one. ok patrick@ | ||
| 34280c35 | 2023-04-24 08:59:09 | do a cache lookup as well in case a full pathname is passed to dlopen | ||
| 6bae335d | 2023-04-19 12:58:15 | remove duplicate includes | ||
| 93f6aaea | 2023-04-19 12:34:23 | remove duplicate include feedback tb@ | ||
| d82bde86 | 2023-04-13 19:57:30 | Avoid an overflow in the ELF SYSV ABI hash function. The hash function is supposed to return a value less than or equal to 0x0fffffff. Due to a bug in the sample code supplied with the ELF SYSV ABI documentation, the hash function can overflow on 64-bit systems. Apply the same fix used by GNU libc, MUSL libc and FreeBSD. Prompted by https://maskray.me/blog/2023-04-12-elf-hash-function OK tb@ miod@ | ||
| c51b9268 | 2023-04-09 23:41:47 | Treat symlinks better in $ORIGIN determination in ld.so Now symlinking an executable away from the rest of its installation tree no longer prevents it from finding the libraries. This matches the behavior of other OS linkers. Prompted by a behavior change in lang/ghc test suite. Swapped the order of dirname/realpath in _dl_origin_path. Added some regress tests that pass and then bin3 that fails without this change and reflects the behavior needd for lang/ghc. Suggestion by semarie@, OK deraadt@ | ||
| 7dfdc4ec | 2023-03-31 18:45:05 | Call entry point of the executable through register x17. This allows it to be a normal C function that starts with "bti c" when BTI contro flow integretry enforcement is in place. Add "bti c" to _dl_bind_start(). Remove unused _rtld_tlsdesc() function to avoid having to add "bti c" to it. ok deraadt@ | ||
| 5b133f3f | 2023-03-08 04:43:04 | Delete obsolete /* ARGSUSED */ lint comments. ok miod@ millert@ | ||
| d103d2f2 | 2023-03-02 16:13:57 | rad_recv: verify length field in received auth_hdr_t before using it. Reported by Peter J. Philipp. OK deraadt@ | ||
| 8cef5497 | 2023-02-20 00:51:57 | Adjust inline !libc check to match the intent in ld.so right, deraadt@ | ||
| a4ba1e57 | 2023-02-18 01:22:50 | Lookup the start,len of the "execve" stub in libc.so, and tell the kernel where it is with pinsyscall(). In non-static binaries, kernel execve(2) will now insist upon being called from that small region. Arriving from a different region smells like ROP methodology, and the process is killed. | ||
| 1a0a232e | 2023-02-17 17:59:36 | Remove unused variables; ok millert@ | ||
| e148ff24 | 2023-02-10 03:22:12 | Explicitly mark the text LOAD as FLAGS(5), meaning RX, with a comment. This is the default value of the linker, but I really like placing the comment "architecturally required data islands". | ||
| 92c11255 | 2023-02-02 00:44:08 | unify spacing for LOAD FLAGS lines | ||
| c284c86c | 2023-02-02 00:43:08 | i386 and alpha ld.so also work with X-only text LOAD. There is no hardware enforcement for this, but uvm can some of it's own tricks on occasion. | ||
| 71410e9b | 2023-01-31 00:50:17 | powerpc xonly for G5 is coming. ld.so can have xonly text. ok gkoehler | ||
| 4098e116 | 2023-01-29 20:30:56 | Accumulate intermediate imutables locally before applying OK deraadt | ||
| 388165f5 | 2023-01-29 20:30:21 | Unite all nitems copies in ld.so/util.h OK deraadt | ||
| 8e81a2e9 | 2023-01-29 07:37:34 | powerpc64 xonly works; ld.so can be switched over | ||
| 79094096 | 2023-01-20 16:03:14 | amd64 now has xonly support via the PKU feature. Marking ld.so exec-only is no longer a NOP on those systems, let's do it. | ||
| 1d1793f7 | 2023-01-14 07:36:16 | Add missing void to function definition | ||
| 55822a5e | 2023-01-12 07:25:29 | Use proper sparc64 illtrap instruction as text sections filler, rather than the x86 one. | ||
| f14117cf | 2023-01-11 17:16:33 | be very paranoid like other architectures and force no-jump-tables came up in two seperate conversations with miod and kettenis | ||
| 7a839740 | 2023-01-11 16:33:36 | put LD_SCRIPT in the canonical location | ||
| c0a58aa7 | 2023-01-11 16:31:46 | Add ld.so linker scripts on the remaining platforms. | ||
| edb83f86 | 2023-01-11 16:21:32 | force-disable jump tables in ld.so building on sparc64, to ease the exonly transition for people building through an upcoming commit series | ||
| a291dbc8 | 2023-01-11 15:14:01 | the kernel on mips64 (octeon, loongson) is in good enough shape to run --execute-only ld.so (meaning FLAGS (1) on the LOAD line for the text segment, in the ld.script). the linker, when using built-in linker scripts, is not ready yet for other libraries / binaries.. | ||
| 39b8558c | 2023-01-11 01:55:17 | Add retguard to amd64 syscalls. Since we got rid of padded syscalls we have enough registers to do this. ok deraadt@ ok kettenis@ | ||
| 7e81395c | 2023-01-10 21:22:39 | hppa ld.so works with executable-only text (non-readable) | ||
| 571ef328 | 2023-01-09 15:05:49 | riscv64 ld.so is ready to be xonly ok kettenis | ||
| d857960c | 2023-01-09 13:52:42 | Rewrite the hppa assembly code to avoid reads from .text, by using the standard PIC magic. This makes the code similar to what we already use for rcrt0.o. This makes it ready for execute-only. Build C code using -fno-jump-tables to make it ready for execute-only. ok deraadt@, miod@ | ||
| 4bd9ff11 | 2023-01-09 13:45:55 | In preparation for upcoming execute-only support, change the magic branch instruction used by __canonicalize_funcptr_for_compare() from "bl" into "b". This allows __canonicalize_funcptr_for_compare() to execute the branch instead of decoding the instruction to find the address of _dl_bind(). This is the first step in the transition to a new ABI. Once an updated ld.so has been installed, we can change __canonicalize_funcptr_for_compare() (which lives in libgcc) and rebuild everything with a new libgcc. Only then we can actually make ld.so executable-only. ok deraadt@, miod@ | ||
| 6d9ddefd | 2022-12-26 20:06:43 | spelling fixes; from paul tagliamonte | ||
| 41b7dcd7 | 2022-12-25 09:39:37 | Re-enable DT_MIPS_RLD_MAP_REL tag in ld.so The linker now produces correct values for DT_MIPS_RLD_MAP_REL tags. The DT_MIPS_RLD_MAP_REL offset is relative to the entry of the original dynamic tags array. Therefore look up the tag from exe_obj->load_dyn instead of exe_obj->Dyn.info to get the correct base address. OK kettenis@ deraadt@ | ||
| 40627327 | 2022-12-24 10:52:04 | Make .text (and .btext) execute-only on arm64. ok deraadt@ | ||
| 61923635 | 2022-12-18 19:33:11 | cannot try the boot.data unmap until all the ld.script are commited, and fixed to identify the region correctly. | ||
| 13f8c82f | 2022-12-16 03:14:52 | delete // debug comment chunks. If anyone wants to debug ld.so and runs into a mimmutable related concern, you want to undo this revision to get this debug back. I do not consider this suitable for hiding behind a cpp macro. | ||
| 7e53a3c9 | 2022-12-05 07:49:07 | Add linker script for hppa. The crucial bit is that hppa needs an extra segment for .plt/.got which needs to be placed correctly. ok deraadt@ | ||
| 9034200f | 2022-12-04 15:55:26 | ld.so: Disable DT_MIPS_RLD_MAP_REL The linker produces incorrect values for DT_MIPS_RLD_MAP_REL tags. Disable the handling of the tag in the dynamic loader. The linker will be fixed in a later commit when snapshots have the updated ld.so. Discussed with and OK kettenis@ deraadt@ | ||
| 9ba2c65f | 2022-12-04 15:42:07 | The next step for mimmutable(). ld.so figures out what regions of memory of startup shared library mappings can be made immutable, and also does this for dlope() RTLD_NODELETE and subsidiary libraries. Complexity in this diff is due to the GNU_RELRO and OPENBSD_MUTABLE sections. Tested in snaps for about 3 weeks, with some bootstrap related pain felt in ports ok kettenis, much help from others. | ||
| fe251f38 | 2022-11-25 14:56:56 | Add ld.so linker script for mips64 Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. OK deraadt@ | ||
| 8fd2446c | 2022-11-14 13:21:50 | Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the alpha version | ||
| b6feb2a9 | 2022-11-14 13:20:23 | Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the i386 version | ||
| b3a51cd3 | 2022-11-14 13:13:19 | Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the version for sparc64, tested by pascal also | ||
| e201c79b | 2022-11-14 13:12:59 | Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. this is the version for powerpc, tested by pascal | ||
| 9044b3fc | 2022-11-10 16:14:50 | Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for powerpc64 and a modified version of the diff deraadt@ mailed out to make sure the LOADs are in increasing address order. | ||
| 82e9b32a | 2022-11-09 19:50:25 | Now that dlopen() sets object->nodelete for RTLD_NODELETE, _dl_load_dep_libs() can consider this same as the "booting" case, and instruct lower layers to do immutability. With this change in place, the not-yet-commited library-immutable diff leaves 1 page of libc (malloc related) and 6 non-RTLD_NODELETE libraries mutable in chrome. Everything else is immutable, except for the program's transient memory allocations & file mappings. This is an unexpected result. | ||
| b75fe819 | 2022-11-09 18:44:11 | dlopen() with RTLD_NODELETE should also set the object nodelete flag, so the mapping layer will know it can use mimmutable() | ||
| 7f8a129b | 2022-11-09 18:39:35 | Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for 32-bit arm, tested by phessler | ||
| b8b81751 | 2022-11-08 13:47:22 | In the new scheme, the main executable object needs to be marked nodelete, so that _dl_relro() will immutable it's relro. | ||
| 59d66fc3 | 2022-11-08 06:55:53 | Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. ok kettenis and guenther seemed to like it also This one is for riscv64, tested by jca | ||
| 8e29f60a | 2022-11-08 06:47:31 | Instead of unmapping boot.text, and then a future allocation could land in the gap, mmap a fresh MAP_FIXED MAP_ANON PROT_NONE and make it immutable for good measure ok guenther kettenis | ||
| cd3e981d | 2022-11-07 21:12:57 | Missed an ALIGN (which I will admit I do not understand, this is voodoo) | ||
| a5c19628 | 2022-11-07 20:41:38 | Since the introduction of automatic immutable from the kernel, the munmap() of ld.so boot.text region is now (silently) failing because the region is contained within the text LOAD, which is immutable. So create a new btext LOAD with flags PF_X|PF_R|PF_OPENBSD_MUTABLE, and place all boot.text objects in there. This LOAD must also be page-aligned so it doesn't skip unmapping some of the object region, previously it was hilariously unaligned. Similar changes for other architectures coming after more testing. ok kettenis and guenther seemed to like it also | ||
| f29e23ab | 2022-11-07 15:55:56 | Use variable and shorter logic for NFS check No need to hardcode a parent path if we can reuse an existing variable for the specific path that is in being used. Negate the file system type in df(1) so the `|| exit 1' can be dropped in favour of the errexit option, as is done for everything else in there. Clarify the comment how this is intentionally NOT logged, i.e. the test happens before the error trap/syslog/logfile handling. OK millert | ||
| 44e1f387 | 2022-11-07 11:03:14 | Set up logger(1) traps earlier to catch logfile setup failures If /usr is mounted read-only, kernel relinking fails silently without any log trace: # /usr/libexec/reorder_kernel /usr/libexec/reorder_kernel[35]: cannot create /usr/share/relink/kernel/GENERIC.MP/relink.log: Read-only file system This stderr line does not show up anywhere because init(8) redirects stdout and stderr to /dev/null, executes rc(8) which inherits it and thus executes reorder_kernel with both streams discarded. So install the error handler first, then try to set up a log file. Introduce ERRMSG to provide error messages to users, i.e. not say "see .../relink.log" when creating this file is what failed: # ksh ./reorder_kernel.sh ./reorder_kernel.sh[40]: cannot create /usr/share/relink/kernel/GENERIC.MP/relink.log: Read-only file system # tail -n1 /var/log/message # or xconsole(1) Nov 7 10:51:00 eru reorder_kernel.sh: failed OK tb | ||
| 07cf23bb | 2022-11-07 10:35:26 | dtors were broken by trying to reuse DF_1_NODELETE to hint that this library would never unload, and could be immutable. Pass a seperate flag for our purposes Noticed from regress tests by anton, ok kettenis | ||
| d23cb5cd | 2022-11-06 12:00:20 | TEXTREL binaries are loaded without immutable on un-writeable sections. After text relocations are finished, these regions (in the binary) can become immutable. OPENBSD_MUTABLE section always overlaps writeable LOADs, so don't be afraid of that case, it's covered. | ||
| 980da63b | 2022-11-06 11:43:19 | ld.so wants to make it's own RELRO immutable, which is obviously done right after it does mprotect PROT_READ. | ||
| 118353ea | 2022-11-06 11:38:54 | Library RELRO sections are excluded from the immutable list, because ld.so tweaks them quite late. _dl_relro() is called when that work is done, and the final mprotect PROT_READ happens. Then we can make mark it immutable. ok kettenis | ||
| 3349f56c | 2022-11-06 11:34:50 | When loading startup libraries, pass DF_1_NODELETE to indicate these are unloadable libraries. This allows us make consider making parts of those libraries immutable (in future commits) ok guenther kettenis | ||
| 1916ec13 | 2022-11-05 18:48:31 | The /var/run/ld.so.hints file is mapped into memory. It is never replaced, so the mapping can be immutable. ok kettenis | ||
| baca2ca6 | 2022-11-05 18:44:09 | teach ld.so how to call the mimmutable() system call ok kettenis | ||
| c0929e80 | 2022-10-28 15:07:25 | Implement support for DT_MIPS_RLD_MAP_REL. ok deraadt@ | ||
| 6d0d199e | 2022-10-23 06:12:06 | add a little spacing and fix Nd; | ||
| 81390b64 | 2022-10-23 01:15:33 | sort Xr; remove '.' after Nd text | ||
| 39a25297 | 2022-10-23 01:10:50 | new sentence, new line | ||
| 181c1305 | 2022-10-16 13:33:10 | don't use | operator where || was intended ok gnezdo@ kn@ martijn@ | ||
| 71bb1f4c | 2022-09-05 20:09:24 | Do not perform out-of-bounds arrray accesses for bogus relocation type values. | ||
| 3e492f6e | 2022-09-02 06:19:04 | Use a shorter system call invocation template for system calls in the range 0-127, where immediate addressing can be used to load the system call number in r0, rather than performing a memory load using pc-relative addressing. No functional change, but rm(1) runs a couple cycles faster per file now. | ||
| 411fe3cb | 2022-09-01 14:22:55 | Hook up snmpd_metrics OK tb@, sthen@ | ||
| 5e39b809 | 2022-09-01 14:20:32 | Import snmpd_metrics. This contains snmpd's mib.c (and friends) adjusted for libagentx. This standalone binary is to be used by snmpd to achieve privilege separation. If people need net-snmpd, but want some of the base snmpd metrics they can start this binary as a normal daemon and connect to net-snmpd's agentx socket. Tested, Feedback, and OK sthen@ Release build test, and OK tb@ | ||
| 07c7d596 | 2022-08-29 02:08:13 | use ansi volatile keyword, not __volatile__ ok miod@ guenther@ | ||
| ab4d5173 | 2022-08-20 14:11:31 | Support RTLD_NOLOAD in ld.so. From guenther@. OK jca@ guenther@ | ||
| aa6c9a01 | 2022-07-29 13:56:36 | Mention that ttyflags needs to be run to update per-device flags. Also includes some minor cleanup inspired by the NetBSD version. OK jmc@ sthen@ | ||
| 8b7b35eb | 2022-06-14 09:56:07 | Document search order Explain when and how LD_LIBRARY_PATH, DT_RUNPATH and DT_RPATH are used. Input OK guenther | ||
| 42d2c245 | 2022-05-24 17:15:22 | Address the clang 13 "changed binding to STB_WEAK" warning on arm (32bit): * add _?ENTRY_NB to arm/asm.h * make sure ld.so's arm asm bits see the same includes as libc * switch libc's arm bits to the generic DEFS.h * switch arm ASM bits from ENTRY to ENTRY_NB as necessary ok kettenis@ miod@ | ||
| 2f20f629 | 2022-05-13 13:20:16 | If $KERNEL_DIR.tgz exists, reorder_kernel updates the destination for logged stdout output, but forgot to handle stderr. Fix that so that the error log includes stderr output in that case (otherwise the log is usually empty). From Lauri Tirkkonen, plus comment adjusted. ok tb | ||
| 92d6eede | 2022-05-10 20:23:57 | Prevent out-of-bounds array access with binaries that use unsupported relocations. ok guenther@ | ||
| eabe4e05 | 2022-05-01 11:03:48 | Prevent out-of-bounds array access with binaries that use unsupported relocations. ok guenther@ | ||
| 41ce3b17 | 2022-03-31 17:27:13 | man pages: add missing commas between subordinate and main clauses jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@ | ||
| b9664cab | 2022-03-31 09:05:15 | 'e' is no longer an optional element for ober_scanf_elements. This caused the last attribute to be dropped. Reported by Allan Streib (astreib <at> fastmail <dot> fm) Reminded by Raf Czlonka (rczlonka <at> gmail <dot> com) OK tb@ claudio@ | ||
| 2eb64536 | 2022-02-22 08:20:35 | disable further calls to unveil(2) pointed out by brynet@ | ||
| 12dbdd46 | 2022-02-21 19:49:46 | unveil(2) "/dev" read-only instead of using chroot(2)/chdir(2). after calling the latter the program then also calls stat(2) and therefore it never actually worked correctly since they were added almost 20 years now. while here remove an implementation detail from the manpage which covered the chroot part. pointed out by and ok deraadt@ |