From b0c722ad08813fe8e0c0b2f5038d38c167e3587a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Tempel?=
Date: Sun, 3 Mar 2024 04:53:52 +0100
Subject: [PATCH] Backport patch for increased rowhammer resistance from OpenBSD

This commit backports an OpenBSD doas change which attempt to make doas more resistant to rowhammer attacks. A similar change has been committed to sudo last year.

See:
* https://github.com/openbsd/src/commit/38599afa1d1d1f14a897b01350e8ce94486e1788
* https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f
* https://doi.org/10.48550/arXiv.2309.02545
---
 doas.c | 16 ++++++++++------
 doas.h | 2 +-
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/doas.c b/doas.c
index ac3a42a..93f0836 100644
--- a/doas.c
+++ b/doas.c
@@ -148,8 +148,10 @@ permit(uid_t uid, gid_t *groups, int ngroups, const struct rule **lastr,
 *lastr = rules[i];
 }
 if (!*lastr)
+ return -1;
+ if ((*lastr)->action == PERMIT)
 return 0;
- return (*lastr)->action == PERMIT;
+ return -1;
 }
 
 static void
@@ -184,6 +186,7 @@ checkconfig(const char *confpath, int argc, char **argv,
 uid_t uid, gid_t *groups, int ngroups, uid_t target)
 {
 const struct rule *rule;
+ int rv;
 
 if (setresuid(uid, uid, uid) != 0)
 err(1, "setresuid");
@@ -191,9 +194,9 @@ checkconfig(const char *confpath, int argc, char **argv,
 parseconfig(confpath, 0);
 if (!argc)
 exit(0);
-
- if (permit(uid, groups, ngroups, &rule, target, argv[0],
- (const char **)argv + 1)) {
+ rv = permit(uid, groups, ngroups, &rule, target, argv[0],
+ (const char **)argv + 1);
+ if (rv == 0) {
 printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
 exit(0);
 } else {
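Review bot: The return convention of permit() is inverted by the first doas.c hunk and nothing at the function records it: `return 0` now means the last matching rule permits, and `-1` covers both "no rule matched" and a deny rule, where the old code returned non-zero for permit. Any caller still written as `if (permit(...))` would now treat a denial as a grant; the two call sites visible in this patch (checkconfig and main) are updated, and callers outside the visible hunks, if any, should be confirmed. I would add a comment above the function such as `/* Returns 0 if the last matching rule is PERMIT, -1 otherwise; a denial is all-ones so one flipped bit cannot turn it into 0. */`. The function's signature and matching loop lie outside the hunk.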
@@ -342,8 +345,9 @@ main(int argc, char **argv)
 }
 
 cmd = argv[0];
- if (!permit(uid, groups, ngroups, &rule, target, cmd,
- (const char **)argv + 1)) {
+ rv = permit(uid, groups, ngroups, &rule, target, cmd,
+ (const char **)argv + 1);
+ if (rv != 0) {
 syslog(LOG_AUTHPRIV | LOG_NOTICE,
 "command not permitted for %s: %s", mypw->pw_name, cmdline);
 errc(1, EPERM, NULL);
diff --git a/doas.h b/doas.h
index a8aa41b..591816f 100644
--- a/doas.h
+++ b/doas.h
@@ -36,7 +36,7 @@ struct passwd;
 char **prepenv(const struct rule *, const struct passwd *,
 const struct passwd *);
 
-#define PERMIT 1
+#define PERMIT -1
 #define DENY 2
 
 #define NOPASS 0x1
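Review bot: The `rv != 0` test in main hardens only the permit/deny decision, while the NOPASS option stays a single-bit flag (`#define NOPASS 0x1` in doas.h) that checkconfig in this same patch tests as `rule->options & NOPASS`. If main decides whether to skip authentication with the same kind of test (that code is outside the hunk), that decision keeps the single-bit sensitivity this backport is meant to reduce, so the commit message should state the scope or a follow-up should cover it. Separately, this hunk assigns `rv` without adding a declaration, unlike checkconfig, so main presumably already declares it; confirm it is an `int`.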
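Review bot: `#define PERMIT -1` in doas.h should be parenthesised, `#define PERMIT (-1)`, so the negative constant cannot combine with neighbouring tokens when the macro is used inside a larger expression (CERT PRE02-C). The comparison `(*lastr)->action == PERMIT` in doas.c also depends on `action` being a signed int; struct rule is not in the hunk, and a narrower unsigned field could never compare equal to -1, which would fail closed but deny every rule, so the field type is worth confirming. A short comment such as `/* all bits set, so no single bit flip turns DENY into PERMIT */` would record why the value changed.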