This proposal doesn't make any sense.
What will you do? Add it to every program? Or add it to none of them?
The underlying problem is that the syscall creates a file in some
random place. You haven't handled that.
> On Thu, Apr 20, 2017 at 09:52:58AM +0200, Sebastien Marie wrote:
> > Could you send two separate diffs? One for the uint64_t stuff and another
> > for profil(2)?
>
> Here's the prof diff. Thanks for the feedback, I will review it more
> closely later today.
>
> Index: lib/libc/sys/pledge.2
> ===================================================================
> RCS file: /cvs/src/lib/libc/sys/pledge.2,v
> retrieving revision 1.41
> diff -u -p -r1.41 pledge.2
> --- lib/libc/sys/pledge.2 28 Mar 2017 16:07:07 -0000 1.41
> +++ lib/libc/sys/pledge.2 20 Apr 2017 09:10:34 -0000
> @@ -543,6 +543,14 @@ for more information on using the sndio
> Allow
> .Dv BIOCGSTATS
> operation for statistics collection from a bpf device.
> +.It Va prof
> +Allows the
> +.Xr profil 2
> +system call and write to a file named
> +.Pa gmon.out
> +in current working directory of the process.
> +Required when profiling a pledged program using
> +.Xr gprof 1 .
> .El
> .Pp
> A whitelist of permitted paths may be provided in
> Index: sys/kern/kern_pledge.c
> ===================================================================
> RCS file: /cvs/src/sys/kern/kern_pledge.c,v
> retrieving revision 1.204
> diff -u -p -r1.204 kern_pledge.c
> --- sys/kern/kern_pledge.c 17 Apr 2017 20:22:14 -0000 1.204
> +++ sys/kern/kern_pledge.c 20 Apr 2017 09:10:34 -0000
> @@ -352,6 +352,8 @@ const uint64_t pledge_syscalls[SYS_MAXSY
> [SYS_flock] = PLEDGE_FLOCK | PLEDGE_YPACTIVE,
>
> [SYS_swapctl] = PLEDGE_VMINFO, /* XXX should limit to "get" operations
> */
> +
> + [SYS_profil] = PLEDGE_PROF,
> };
>
> static const struct {
> @@ -375,6 +377,7 @@ static const struct {
> { "mcast", PLEDGE_MCAST },
> { "pf", PLEDGE_PF },
> { "proc", PLEDGE_PROC },
> + { "prof", PLEDGE_PROF },
> { "prot_exec", PLEDGE_PROTEXEC },
> { "ps", PLEDGE_PS },
> { "recvfd", PLEDGE_RECVFD },
> @@ -717,6 +720,13 @@ pledge_namei(struct proc *p, struct name
> if ((ni->ni_pledge == PLEDGE_RPATH) &&
> strcmp(path, "/etc/localtime") == 0)
> return (0);
> +
> + /* profil(2) */
> + if ((p->p_p->ps_pledge & PLEDGE_PROF) &&
> + (ni->ni_pledge & ~(PLEDGE_WPATH | PLEDGE_CPATH)) == 0 &&
> + strcmp(path, "gmon.out") == 0) {
> + return (0);
> + }
>
> break;
> case SYS_readlink:
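Review bot: The `/* profil(2) */` comment on the new branch in pledge_namei does not say what is being granted. profil(2) takes no path; the branch lets a process holding "prof" pass a name lookup for the literal string `gmon.out` with write/create intent, without having promised "wpath" or "cpath". The match is on the bare name and is not tied to the profiling write at exit, so it holds for any such lookup during the life of the process. The mask test `(ni->ni_pledge & ~(PLEDGE_WPATH | PLEDGE_CPATH)) == 0` accepts any subset of the two bits, including an `ni_pledge` of 0, so consider also requiring that at least one of them is set. At minimum the comment should state the grant, e.g. `/* "prof": permit write/create of gmon.out without wpath/cpath */`. The enclosing case label is above the hunk, so which syscall this applies to cannot be confirmed from here.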
> Index: sys/sys/pledge.h
> ===================================================================
> RCS file: /cvs/src/sys/sys/pledge.h,v
> retrieving revision 1.30
> diff -u -p -r1.30 pledge.h
> --- sys/sys/pledge.h 23 Jan 2017 04:25:05 -0000 1.30
> +++ sys/sys/pledge.h 20 Apr 2017 09:10:34 -0000
> @@ -59,6 +59,7 @@
> #define PLEDGE_CHOWN 0x0000000080000000ULL /* chown(2) family */
> #define PLEDGE_CHOWNUID 0x0000000100000000ULL /* allow owner/group
> changes */
> #define PLEDGE_BPF 0x0000000200000000ULL /* bpf ioctl */
> +#define PLEDGE_PROF 0x0000000400000000ULL /* profil(2) */
>
> /*
> * Bits outside PLEDGE_USERSET are used by the kernel itself
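Review bot: The patch adds `PLEDGE_PROF` as a user-requestable promise but does not touch the `PLEDGE_USERSET` mask named in the comment that follows it. That mask is defined outside this hunk. If it does not already cover `0x0000000400000000ULL`, a "prof" request would presumably be handled as a kernel-internal bit, so confirm this and extend the mask in the same diff if needed.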
> @@ -105,6 +106,7 @@ static struct {
> { PLEDGE_VMM, "vmm" },
> { PLEDGE_CHOWNUID, "chown" },
> { PLEDGE_BPF, "bpf" },
> + { PLEDGE_PROF, "prof" },
> { 0, NULL },
> };
> #endif
>