History log of /openbsd-current/sbin/pflogd/privsep.c
Revision Date Author Comments
# 1.35 12-Jul-2021 beck

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occurred on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.34 27-Nov-2019 deraadt

use _PATH_ names for unveil if possible


Revision tags: OPENBSD_6_6_BASE
# 1.33 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.32 26-Aug-2018 brynet

Unveil pflogd(8). Similar to florian@'s recent changes to ifconfig(8),
the privileged parent cannot be pledged due to certain ioctls, but we
can use unveil(2) to lock down its access to the filesystem.

To be able to use hostnames/dns in tcpdump-like filter expressions,
we unveil /etc/{resolv.conf,hosts,services} "r", kept in sync with the
kernel bypass for pledge("dns")

Additionally, we need to unveil /dev/bpf "r" and the output log file
"rwc".

The unprivileged child is pledged "stdio recvfd" and thus does not need
any unveils.

With feedback/testing from florian@, deraadt@

ok florian@ deraadt@


# 1.31 26-Aug-2018 brynet

pflogd(8): don't try to rename(2) broken/invalid pflog files, instead,
suspend logging until the log file has been moved out of the way, and
we have received either SIGHUP or SIGALRM.

ok florian@ deraadt@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.30 09-Sep-2017 brynet

Rework pflogd(8)'s fork+exec model; re-exec the unpriv child, not the
privileged parent.

Based on feedback from deraadt@ and bluhm@ (worked on syslogd).

ok deraadt@


# 1.29 06-Sep-2017 brynet

pflogd(8) currently spams the console on shutdown if syslogd(8) wins the
race to die, so just stop logging pflogd exits.

This logging probably comes from the fact that pflogd was largely based
on syslogd.

Removes the annoying "pflogd[23954]: Exiting" messages pointed out by
deraadt@

Also cleanup some missed SIGCHLD handling code that is no longer needed.

"LGTM" mikeb@


# 1.28 05-Sep-2017 brynet

fork+exec model for pflogd(8); move pcap init to the re-exec'd privsep
parent and use 'legit' fdpassing primitives to send the bpf fd to the
unprivileged child process.

Also reduces the pledge(2) promises in the unpriv child to just
"stdio recvfd"

with help from deraadt, pcap feedback from canacar

ok deraadt@
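
Added illustration of the fd-passing primitive the commit above refers to; this is example code, not pflogd's own, and the function names, the use of /dev/null in place of the bpf descriptor, and the self-test are assumptions. In pflogd's model the privileged parent opens /dev/bpf and hands that descriptor to the child, which only needs "stdio recvfd" to take it.

```c
/*
 * Added example, not pflogd's code: passing a descriptor over a UNIX
 * socketpair with SCM_RIGHTS. The privileged side calls send_fd(), the
 * unprivileged side receive_fd(). Names and self-test are assumptions.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* One-byte payload (recvmsg needs real data) plus one SCM_RIGHTS cmsg. */
static int
send_fd(int sock, int fd)
{
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	struct iovec iov;
	char ch = 0;

	memset(&msg, 0, sizeof(msg));
	memset(&u, 0, sizeof(u));
	iov.iov_base = &ch;
	iov.iov_len = 1;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = u.buf;
	msg.msg_controllen = sizeof(u.buf);
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/*
 * Accept exactly one int in an SCM_RIGHTS cmsg. A truncated control
 * buffer (MSG_CTRUNC) means descriptors may have been installed that
 * we never saw, so it is an error rather than something to ignore.
 */
static int
receive_fd(int sock)
{
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr msg;
	struct cmsghdr *cmsg;
	struct iovec iov;
	char ch;
	int fd = -1;

	memset(&msg, 0, sizeof(msg));
	iov.iov_base = &ch;
	iov.iov_len = 1;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = u.buf;
	msg.msg_controllen = sizeof(u.buf);
	if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
		return -1;
	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL;
	    cmsg = CMSG_NXTHDR(&msg, cmsg)) {
		if (cmsg->cmsg_level == SOL_SOCKET &&
		    cmsg->cmsg_type == SCM_RIGHTS &&
		    cmsg->cmsg_len == CMSG_LEN(sizeof(int))) {
			memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
			break;
		}
	}
	return fd;
}

/*
 * Stand-in for the parent/child pair: pass /dev/null across a socketpair
 * and confirm the received descriptor is a new number for the same open
 * file (same st_dev/st_ino). Returns 0 on success, -1 otherwise.
 */
int
fdpass_selftest(void)
{
	struct stat a, b;
	int sv[2], orig = -1, got = -1, rc = -1;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return -1;
	if ((orig = open("/dev/null", O_RDONLY)) == -1 ||
	    send_fd(sv[0], orig) == -1 || (got = receive_fd(sv[1])) == -1)
		goto out;
	if (got != orig && fstat(orig, &a) == 0 && fstat(got, &b) == 0 &&
	    a.st_dev == b.st_dev && a.st_ino == b.st_ino)
		rc = 0;
out:
	if (got != -1)
		close(got);
	if (orig != -1)
		close(orig);
	close(sv[0]);
	close(sv[1]);
	return rc;
}
```

The receiver insists on exactly one int and on an untruncated control buffer: a peer that slips extra descriptors into the message would otherwise leave the unprivileged process holding files it never asked for. When MSG_CTRUNC is set this example simply fails; a production receiver would also walk whatever cmsgs did arrive and close them.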


# 1.27 12-Aug-2017 florian

Make not yet implemented pledges more visible in grep output.
input benno, deraadt, tedu
also standardize on #if 0 since it makes tedu's editor vomit.
OK benno, pirofti on a previous version


# 1.26 04-Jul-2017 mestre

Revert back previous, pledge cannot be enabled on the privsep'd proc yet, at
least not as is

Reported by tim@, OK deraadt@ to backout the pledge for now


# 1.25 12-Jun-2017 mestre

pledge(2) bpf has been in use for some time now on tcpdump(8), this will enable
it also for pflogd(8)'s priv proc.

OK deraadt@


Revision tags: OPENBSD_6_1_BASE
# 1.24 23-Jan-2017 deraadt

Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only
upon "inet". Adjust the 4 programs that care about this.


# 1.23 23-Jan-2017 benno

pflogd will need pledge(proc), still disabled because of bfd
ok deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.22 16-Jan-2016 canacar

Interface status printing (at exit and USR1) was broken for a while.
Remove it completely to simplify the code.
even better deraadt@


# 1.21 10-Oct-2015 deraadt

pflogd contained the same "privsep error" as tcpdump -- assuming that
it can issue ioctl()s against a bpf device node. Privsep that operation
via a message to the parent process. Unfortunately "rpath wpath cpath"
is still needed due to SIGHUP handling, but I have asked canacar the
expert to look into this.


Revision tags: OPENBSD_5_8_BASE
# 1.20 28-Apr-2015 mlarkin

Someone went to the trouble of vertically aligning a set of parameters but
missed one. This diff is only a spacing change.


Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE
# 1.19 26-Jun-2014 tobias

Create temporary file with mkstemp and unlink if rename operation fails.

ok deraadt@, henning@


Revision tags: OPENBSD_5_5_BASE
# 1.18 13-Sep-2013 blambert

errx() provides its own newline, so remove it from the string here

ok henning@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.17 24-Dec-2009 sobrado

spelling fixes, from Brad Tilley; we will not fix src/sbin/dump/dump.h
as neither arrayified nor arrayfied exist -- sanctioned dictionaries
like Merriam-Webster ones suggest a few alternatives (e.g., arrayed),
however these made up words are easy to understand and we are not
certain that current ones are not ok.

ok jmc@


Revision tags: OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.16 25-Oct-2006 moritz

Remove some unneeded externs. OK canacar@


Revision tags: OPENBSD_4_0_BASE
# 1.15 06-Mar-2006 djm

convert permanent privilege revocation to use setresuid/setresgid;
ok henning@


Revision tags: OPENBSD_3_9_BASE
# 1.14 15-Jan-2006 canacar

If the log file is invalid/incompatible, try to rename the bad log file
and continue with a new name instead of suspending.
ok mcbride@


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.13 22-Dec-2004 otto

also pass SIGINT/QUIT to child, from mpech@. ok avsm@


Revision tags: OPENBSD_3_6_BASE
# 1.12 14-Jul-2004 henning

no \n in errx(3)
From: Andrey Matveev <andrushock@korovino.net>


# 1.11 08-Apr-2004 avsm

sigh, really fix the error message this time, thanks Moritz Jodeit


# 1.10 08-Apr-2004 avsm

reorder error message and send_fd in order to display the correct
errno in error message; pointed out by Moritz Jodeit <moritz at jodeit.org>


# 1.9 03-Apr-2004 avsm

don't close an invalid fd, canacar@ ok


Revision tags: OPENBSD_3_5_BASE
# 1.8 14-Mar-2004 otto

Check return code of chdir() after chroot(); noted by Joris Vink, slight mod
from avsm@.
ok avsm@ hshoexer@ henning@


# 1.7 13-Feb-2004 otto

cleanup signal handling; close descriptors.
ok avsm@ millert@ canacar@


# 1.6 18-Jan-2004 canacar

Create log files if they do not already exist, but do not follow
symlinks. ok markus@


# 1.5 15-Jan-2004 canacar

Synchronize with syslogd privsep: When reading a new command fails,
terminate the loop instead of exiting directly, suggested by avsm@
Also get rid of trailing comma in enum, makes lint(1) happier, from
Andrey Matveev andrushock at korovino dot net


# 1.4 22-Oct-2003 deraadt

spacing


# 1.3 22-Oct-2003 deraadt

use setgroups too; canacar ok


# 1.2 22-Oct-2003 deraadt

caution with kill


# 1.1 22-Oct-2003 canacar

privilege separated pflogd

_pflogd user and group must be created for proper operation.

ok frantzen@ henning@ mcbride@ deraadt@
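
Added illustration of the privilege-revocation sequence that commits 1.3 (setgroups), 1.8 (checked chdir after chroot) and 1.15 (setresuid/setresgid) describe; this is example code, not pflogd's own, and drop_privs(), privs_verify() and their argument names are assumptions. pflogd itself runs the child as the _pflogd user the 1.1 commit says must exist.

```c
/*
 * Added example, not pflogd's code: permanently drop to uid/gid inside a
 * chroot, with every step checked and the result verified. Names are
 * assumptions for this example.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE	/* setresuid/setresgid on glibc; harmless elsewhere */
#endif
#include <sys/types.h>
#include <grp.h>
#include <unistd.h>

/* Declared explicitly in case the headers hide these non-POSIX calls. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

/*
 * Confirm the process really runs as uid/gid and cannot get root back:
 * after setresuid() the saved uid is no longer 0, so setuid(0) must fail.
 * Returns 0 if the ids match and re-escalation fails, -1 otherwise.
 */
int
privs_verify(uid_t uid, gid_t gid)
{
	if (getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid)
		return -1;
	if (uid != 0 && setuid(0) != -1)
		return -1;
	return 0;
}

/*
 * Order matters. chroot() needs root, so it comes first; chdir("/")
 * must follow and be checked (1.8), otherwise the cwd remains outside the
 * jail and ".." escapes it. setgroups() (1.3) goes before the gid change
 * because an unprivileged process may not call it; setresgid() before
 * setresuid() because changing the gid still needs root. The setres*()
 * calls set real, effective and saved ids together (1.15), so the old
 * uid cannot be recovered with seteuid() later.
 */
int
drop_privs(const char *root, uid_t uid, gid_t gid)
{
	if (chroot(root) == -1 || chdir("/") == -1)
		return -1;
	if (setgroups(1, &gid) == -1)
		return -1;
	if (setresgid(gid, gid, gid) == -1)
		return -1;
	if (setresuid(uid, uid, uid) == -1)
		return -1;
	return privs_verify(uid, gid);
}
```

The verification at the end is what makes "permanent" checkable rather than assumed: if setuid(0) ever succeeds after drop_privs() returns 0, the saved uid was still 0 and the revocation did not happen. Calling it again later in the child (for instance from a signal handler) is cheap and catches regressions.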

