main/doas: backport OpenBSD patch for increased rowhammer resistance
This commit backports a patch from OpenBSD upstream for increasing resistance to rowhammer attacks. A similar patch has recently been committed to sudo. The patch has not made its way into OpenDoas yet. Unfortunately, OpenDoas development seems to have stalled a bit (last commit was 2 years ago).
This commit is contained in:
parent
9db0d9f5ae
commit
935e7613cf
2 changed files with 76 additions and 1 deletions
|
@ -1,7 +1,7 @@
|
|||
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
|
||||
pkgname=doas
|
||||
pkgver=6.8.2
|
||||
pkgrel=6
|
||||
pkgrel=7
|
||||
pkgdesc="OpenBSD's temporary privilege escalation tool"
|
||||
url="https://github.com/Duncaen/OpenDoas"
|
||||
arch="all"
|
||||
|
@ -13,6 +13,7 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/Duncaen/OpenDoas/archive/v$p
|
|||
configuration-directory.patch
|
||||
manpage-example-path.patch
|
||||
change-PATH.patch
|
||||
rowhammer.patch
|
||||
doas.conf
|
||||
"
|
||||
builddir="$srcdir/OpenDoas-$pkgver"
|
||||
|
@ -50,5 +51,6 @@ sha512sums="
|
|||
efad2866d9d3e26266bdb37555453a436aa88ff4b8877b2ba01f7446ea095d998313aa566cafba30d426c79968d3d4a610dfbaa2e33735ab60f1283c9d9fa4ef configuration-directory.patch
|
||||
60efd196595bda2c4f036cd0080a8825a85fedcc7524c917304b342373863213b3c557b4336f1dab760f167fd8cc2a59b2e744d8a47ff8a8acebbe74b1328f4f manpage-example-path.patch
|
||||
31a87aced097ea1189c2162172788cd27b82af318db3476e1c143d3c87d99e2aa6350f63b81361d0a54482ba8dd0cfd10928ff6074a4c66248a1ec815a274f68 change-PATH.patch
|
||||
c18e0e164606466c2e59b94c463f31c8d4ba7f050938114525a70855935655d0c690662de63358ca6854d3411a486d5a85aa247895b640c3b124c957ff325fe9 rowhammer.patch
|
||||
b52a9cfe5cea9068db0f2ff09d2c2520a09603bd5cc5586031fcb2496a11b87c0b5ffc5bac2bfa9a9daafd04d9d3c8b3c93cf413a7b835c36a7a12bd60844598 doas.conf
|
||||
"
|
||||
|
|
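--- a/main/doas/rowhammer.patch
+++ b/main/doas/rowhammer.patch
@@ -0,0 +1,73 @@
+This patch has been taken from OpenBSD upstream, it changes permit bits to make
+them more rowhammer-resistent. A similar patch has also been committed to sudo.
+
+The patch has not made its way into OpenDoas yet, but at the time of writting
+OpenDoas upstream is rather stale (last commit was done 2 years ago).
+
+See:
+
+* https://github.com/openbsd/src/commit/38599afa1d1d1f14a897b01350e8ce94486e1788
+* https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f
+
+diff --git a/doas.c b/doas.c
+index ac3a42a..93f0836 100644
+--- a/doas.c
++++ b/doas.c
+@@ -148,8 +148,10 @@ permit(uid_t uid, gid_t *groups, int ngroups, const struct rule **lastr,
+*lastr = rules[i];
+}
+if (!*lastr)
++ return -1;
++ if ((*lastr)->action == PERMIT)
+return 0;
+- return (*lastr)->action == PERMIT;
++ return -1;
+}
+
+static void
+@@ -184,6 +186,7 @@ checkconfig(const char *confpath, int argc, char **argv,
+uid_t uid, gid_t *groups, int ngroups, uid_t target)
+{
+const struct rule *rule;
++ int rv;
+
+if (setresuid(uid, uid, uid) != 0)
+err(1, "setresuid");
+@@ -191,9 +194,9 @@ checkconfig(const char *confpath, int argc, char **argv,
+parseconfig(confpath, 0);
+if (!argc)
+exit(0);
+-
+- if (permit(uid, groups, ngroups, &rule, target, argv[0],
+- (const char **)argv + 1)) {
++ rv = permit(uid, groups, ngroups, &rule, target, argv[0],
++ (const char **)argv + 1);
++ if (rv == 0) {
+printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
+exit(0);
+} else {
+@@ -342,8 +345,9 @@ main(int argc, char **argv)
+}
+
+cmd = argv[0];
+- if (!permit(uid, groups, ngroups, &rule, target, cmd,
+- (const char **)argv + 1)) {
++ rv = permit(uid, groups, ngroups, &rule, target, cmd,
++ (const char **)argv + 1);
++ if (rv != 0) {
+syslog(LOG_AUTHPRIV | LOG_NOTICE,
+"command not permitted for %s: %s", mypw->pw_name, cmdline);
+errc(1, EPERM, NULL);
+diff --git a/doas.h b/doas.h
+index a8aa41b..591816f 100644
+--- a/doas.h
++++ b/doas.h
+@@ -36,7 +36,7 @@ struct passwd;
+char **prepenv(const struct rule *, const struct passwd *,
+const struct passwd *);
+
+-#define PERMIT 1
++#define PERMIT -1
+#define DENY 2
+
+#define NOPASS 0x1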
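Review bot: The patch inverts permit()'s return convention (0 now means permitted, -1 means no match or deny) but adds no comment at the function or at `#define PERMIT -1`, so a later reader who sees a successful check returning 0 next to a constant of -1 may "correct" either one back and lose the protection. A comment above the doas.h define such as `/* PERMIT is all-ones and permit() returns 0 on success so that a single flipped bit in action or rv cannot turn a deny into a permit */` would carry the rationale into the source; permit()'s body begins before the first inner hunk, so the comment at the define is the easier place. The main() hunk assigns `rv` without a visible declaration, and only checkconfig() gets `int rv;` here — presumably main() already declares it in 6.8.2, but that is worth confirming since a miss is a build failure rather than a silent one. The sibling patches listed in the APKBUILD (configuration-directory.patch, change-PATH.patch) are not shown; if either calls permit() with the old truthy test it would now decide the opposite way, so a grep for permit( across them is cheap insurance. Minor: "resistent" and "writting" in the patch preamble.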
|