unveil ssh-pkcs11-helper too; fixes breakage spotted by anton@
If SK/P11/askpass is overridden by environment, only unveil the requested
path and not both the requested one and the default.
feedback/ok deraadt@
Use __pledge_open(2) for files that libc urgently needs even in lower
promise levels. You must be running a kernel at least 4 days old.
Soon, another commit will happen that breaks compatibility even further,
and you'll need new static binaries and new libc.so, along with a new
kernel. This removes an old pledge design decision which is weak.
Long discussions with david leadbeater and beck
We've never seen this panic where *_fast_ipi() fails because a cpu isn't
responding. I don't think we can see the panic -- I think we are so low
that panic code will misbehave and more likely we see a hang.
It is easier to accept this impossible failure, decrement the counter, and
carry on.
Inside libc, getpwent.c does not use dbopen() and instead uses unexported
db functions. The copy of the code outside libc must use dbopen().
-DFORCE_DBOPEN was used with #ifdef, but now that the file is an edited copy
that is no longer necessary.
Add an additional "int fd" argument to the low-level db __{hash,rec,bt}_open()
functions to provide for the caller allocating the fd itself.
ok guenther
If a fd came from libc doing the __pledge_open(2) system call, do not
allow write(2), chmod(2), chflags(2), chown(2), ftruncate(2), or fdpassing.
pledge_open(2) is an unexported interface that libc will use (soon) to
open 2 devices (null and tty), about 9 files (based upon pledge promises),
and files within the zoneinfo directory. This works because libc only
reads from those fd. Currently those files are openable by non-libc code,
but soon only static libc code will be able to do those opens.
This does not transition libc to using the new system call, yet.
Based upon long discussions with david leadbeater and beck.