If a fd came from libc doing the __pledge_open(2) system call, do not
allow write(2), chmod(2), chflags(2), chown(2), ftruncate(2), or fdpassing.
pledge_open(2) is an unexported interface that libc will use (soon) to
open 2 devices (null and tty), about 9 files (based upon pledge promises),
and files within the zoneinfo directory. This works because libc only
reads from those fd. Currently those files are openable by non-libc code,
but soon only static libc code will be able to do those opens.
This does not transition libc to using the new system call, yet.
Based upon long discussions with david leadbeater and beck.
Introduce __pledge_open(2) system call which is pretty much the same as
open(2), except libc will use it to differentiate certain well-controlled
pathnames which follow special rules in pledge and can be accessed even
when "rpath" or unveil(2) don't allow so.
The kernel gets the system call BEFORE libc starts using it; soon there
will be more commits which will require at least this kernel.
Long discusions with david leadbeater and and beck
As a temporary hack, model the timezone change for America/Vancouver
as occurring on 2026-11-01 02:00, not on 2026-03-09. This allows
for a transition period where America/Vancouver still shows as PDT.
It also replaces "-07" with "MST" post-transition until such time
as a better abbreviation is chosen.
With it's own daemonization / fd cleaning code, ssh-agent opens /dev/null
O_RDWR after a pledge without "wpath". This is allowed in current pledge
because "/dev/null" is implicitly allowed to be opened even with the most
restrictive pledges or unveils. This is a design decision in pledge made
at the very beginning, to satisfy libc requirements. We've finally had
enough experience and know how to fix that in the near-future, but need
to review and fix all code which opens these implicit paths.
The fix is to add "wpath", so that "/dev/null" can be opened O_RDWR.
But that is uncomfortable, so we add unveil() allowing "/" with "r",
4 unveil "x" for the potential askpass and helpers to be execve'd,
and "/dev/null" with "wr". As a result filesystem access is substantially
more restricted than before, and ssh-agent is ready for the future pledge
change.
ok djm dtucker
Stop doing access() before execve(). It is a TOCTOU, but also it
forces use of unveil "rx" instead of "x".
This is done by using a pipe() through the fork+execve attempt to
expose execve failure and create the same error return as the access()
used to do.
ok djm dtucker
Use the (no YP, non-threaded) cleaned up copy of getpwent.c placed into
usr.bin/chpass instead of reaching around into libc and using crazy cpp
options.
In the near future the libc version will have more substantial changes
(intersecting with pledge and unveil) which are much more difficult to
manage using cpp features, so we stop this reacharound into libc subtree.
zlib: avoid double assignment to strm->msg
harmless merge error from
commit 4480ad49db70b6d2b90da94cc0d4755aace8a632
Author: tb <tb at openbsd.org>
Date: Sun Jun 30 05:16:17 2024 +0000
cast string literals with z_const char *
from upstream 2ba25b2ddab9aa939c321d087fcfca573a9cca55
zlib: fix heap info leak in deflateCopy (ZLB-01-005)
commit 84045903ee415efbfaf6d3d443224c2f3a1daea0
Author: Mark Adler <git at madler.net>
Date: Sat Jan 10 21:34:20 2026 -0800
Copy only the initialized deflate state in deflateCopy.
To avoid the propagation and possible disclosure of uninitialized
memory contents.
