On Sat, Jan 29, 2022 at 06:25:32PM -0600, Matthew Martin wrote:
> On Sat, Jan 29, 2022 at 07:10:00PM -0500, Ted Unangst wrote:
> > I believe it would be better to add setrtable to id pledge.
ping
Also are there any opinions on adding LOGIN_SETRTABLE to doas?
diff --git include/login_cap.h include/login_cap.h
index d9a4c2c349c..1e831b6471a 100644
--- include/login_cap.h
+++ include/login_cap.h
@@ -53,7 +53,8 @@
#define LOGIN_SETUMASK 0x0020 /* Set umask */
#define LOGIN_SETUSER 0x0040 /* Set user */
#define LOGIN_SETENV 0x0080 /* Set environment */
-#define LOGIN_SETALL 0x00ff /* Set all. */
+#define LOGIN_SETRTABLE 0x0100 /* Set rtable */
+#define LOGIN_SETALL 0x01ff /* Set all. */
#define BI_AUTH "authorize" /* Accepted
authentication */
#define BI_REJECT "reject" /* Rejected
authentication */
diff --git lib/libc/gen/login_cap.c lib/libc/gen/login_cap.c
index 862f33b2065..65848f09ef6 100644
--- lib/libc/gen/login_cap.c
+++ lib/libc/gen/login_cap.c
@@ -52,6 +52,7 @@
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/resource.h>
+#include <sys/socket.h>
#include <err.h>
#include <errno.h>
@@ -574,7 +575,7 @@ int
setusercontext(login_cap_t *lc, struct passwd *pwd, uid_t uid, u_int flags)
{
login_cap_t *flc;
- quad_t p;
+ quad_t p, rtable;
int i;
flc = NULL;
@@ -625,6 +626,14 @@ setusercontext(login_cap_t *lc, struct passwd *pwd, uid_t
uid, u_int flags)
umask((mode_t)p);
}
+ if (flags & LOGIN_SETRTABLE) {
+ rtable = login_getcapnum(lc, "rtable", 0, 0);
+
+ if (setrtable((int)rtable) == -1) {
+ syslog(LOG_ERR, "%s: setrtable: %m", lc->lc_class);
+ }
+ }
+
if (flags & LOGIN_SETGROUP) {
if (setresgid(pwd->pw_gid, pwd->pw_gid, pwd->pw_gid) == -1) {
syslog(LOG_ERR, "setresgid(%u,%u,%u): %m",
diff --git lib/libc/sys/pledge.2 lib/libc/sys/pledge.2
index 581d274822c..ff3aa59f9e3 100644
--- lib/libc/sys/pledge.2
+++ lib/libc/sys/pledge.2
@@ -514,7 +514,8 @@ process:
.Xr setlogin 2 ,
.Xr setrlimit 2 ,
.Xr getpriority 2 ,
-.Xr setpriority 2
+.Xr setpriority 2 ,
+.Xr setrtable 2
.It Cm pf
Allows a subset of
.Xr ioctl 2
diff --git share/man/man5/login.conf.5 share/man/man5/login.conf.5
index da935fa223e..ffeafc3531c 100644
--- share/man/man5/login.conf.5
+++ share/man/man5/login.conf.5
@@ -276,6 +276,10 @@ Initial priority (nice) level.
Require home directory to login.
.\"
.Pp
+.It rtable Ta number Ta Dv 0 Ta
+Rtable to be set for the class.
+.\"
+.Pp
.It setenv Ta envlist Ta "" Ta
A list of environment variables and associated values to be set for the class.
.\"
diff --git sys/kern/kern_pledge.c sys/kern/kern_pledge.c
index b876b91a18a..26b5e1fab96 100644
--- sys/kern/kern_pledge.c
+++ sys/kern/kern_pledge.c
@@ -300,6 +300,7 @@ const uint64_t pledge_syscalls[SYS_MAXSYSCALL] = {
[SYS_setresgid] = PLEDGE_ID,
[SYS_setgroups] = PLEDGE_ID,
[SYS_setlogin] = PLEDGE_ID,
+ [SYS_setrtable] = PLEDGE_ID,
[SYS_unveil] = PLEDGE_UNVEIL,
