Re: diff: pledge snmpd

2017-08-11 Thread Sebastian Benoit
ok with 2 comments below

Rob Pierce(r...@2keys.ca) on 2017.08.11 16:35:21 -0400:
> The following diff pledges two of three processes in snmpd: the parent snmpd
> process and the trap handler. We cannot currently pledge snmpe as snmp requests
> asking for privileged kernel info are disallowed by pledge.
> 
> I have included a commented pledge block in snmpe.c below (which will not be
> committed) which I believe would be possible if we moved the code that
> violates pledge to another unpledged process. If we think that is worthwhile
> I could pursue it further.
> 
> In the meantime I am looking for comments and/or ok's for the snmpd.c and
> traphandler.c diffs below.
> 
> This passes the newly committed snmpd regression tests.
> 
> Regards,
> 
> Rob

try to sort the pledge arguments in this order:

  stdio rpath wpath cpath fattr flock inet unix dns route mcast dns id getpw \
proc recvfd sendfd exec tty

 
> Index: snmpd.c
> ===
> RCS file: /cvs/src/usr.sbin/snmpd/snmpd.c,v
> retrieving revision 1.36
> diff -u -p -r1.36 snmpd.c
> --- snmpd.c   4 Apr 2017 02:37:15 -   1.36
> +++ snmpd.c   11 Aug 2017 20:10:50 -
> @@ -255,6 +255,9 @@ main(int argc, char *argv[])
>  
>   proc_connect(ps);
>  
> + if (pledge("stdio rpath cpath sendfd dns proc exec id", NULL) == -1)
> + fatal("pledge");
> +
>   event_dispatch();
>  
>   log_debug("%d parent exiting", getpid());
> Index: snmpe.c
> ===
> RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
> retrieving revision 1.48
> diff -u -p -r1.48 snmpe.c
> --- snmpe.c   27 Jul 2017 14:04:16 -  1.48
> +++ snmpe.c   11 Aug 2017 20:10:50 -
> @@ -105,6 +105,10 @@ snmpe_init(struct privsep *ps, struct pr
>   snmpe_recvmsg, env);
>   event_add(&so->s_ev, NULL);
>   }
> +/*
> + if (pledge("stdio recvfd inet vminfo route", NULL) == -1)
> + fatal("pledge");
> + */

add a XXX not enabled because foobarbaz

>  }
>  
>  void
> Index: traphandler.c
> ===
> RCS file: /cvs/src/usr.sbin/snmpd/traphandler.c,v
> retrieving revision 1.8
> diff -u -p -r1.8 traphandler.c
> --- traphandler.c 9 Jan 2017 14:49:22 -   1.8
> +++ traphandler.c 11 Aug 2017 20:10:50 -
> @@ -96,6 +96,9 @@ traphandler_init(struct privsep *ps, str
>   struct snmpd*env = ps->ps_env;
>   struct listen_sock  *so;
>  
> + if (pledge("stdio recvfd proc exec id", NULL) == -1)
> + fatal("pledge");
> +
>   if (!env->sc_traphandler)
>   return;
>  
> 



diff: pledge snmpd

2017-08-11 Thread Rob Pierce
The following diff pledges two of three processes in snmpd: the parent snmpd
process and the trap handler. We cannot currently pledge snmpe as snmp requests
asking for privileged kernel info are disallowed by pledge.

I have included a commented pledge block in snmpe.c below (which will not be
committed) which I believe would be possible if we moved the code that
violates pledge to another unpledged process. If we think that is worthwhile
I could pursue it further.

In the meantime I am looking for comments and/or ok's for the snmpd.c and
traphandler.c diffs below.

This passes the newly committed snmpd regression tests.

Regards,

Rob

Index: snmpd.c
===
RCS file: /cvs/src/usr.sbin/snmpd/snmpd.c,v
retrieving revision 1.36
diff -u -p -r1.36 snmpd.c
--- snmpd.c 4 Apr 2017 02:37:15 -   1.36
+++ snmpd.c 11 Aug 2017 20:10:50 -
@@ -255,6 +255,9 @@ main(int argc, char *argv[])
 
proc_connect(ps);
 
+   if (pledge("stdio rpath cpath sendfd dns proc exec id", NULL) == -1)
+   fatal("pledge");
+
event_dispatch();
 
log_debug("%d parent exiting", getpid());
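
Review bot: the pledge call added in main() has no comment saying which parent operation after proc_connect() still needs each of "rpath cpath", "dns" and "id", which makes the set hard to tighten later; a short comment above the call would cover it. The promises are also not in the order requested in the reply on this thread, which puts dns and id ahead of proc and sendfd after it: "stdio rpath cpath dns id proc sendfd exec".
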
Index: snmpe.c
===
RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
retrieving revision 1.48
diff -u -p -r1.48 snmpe.c
--- snmpe.c 27 Jul 2017 14:04:16 -  1.48
+++ snmpe.c 11 Aug 2017 20:10:50 -
@@ -105,6 +105,10 @@ snmpe_init(struct privsep *ps, struct pr
snmpe_recvmsg, env);
event_add(&so->s_ev, NULL);
}
+/*
+   if (pledge("stdio recvfd inet vminfo route", NULL) == -1)
+   fatal("pledge");
+ */
 }
 
 void
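
Review bot: the commented-out pledge block at the end of snmpe_init() carries no explanation of why it is disabled, so a later reader cannot tell dead code from a to-do. Since the message says this block will not be committed, either drop it from the diff or keep it with an XXX comment stating that snmp requests asking for privileged kernel info are currently disallowed by pledge.
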
Index: traphandler.c
===
RCS file: /cvs/src/usr.sbin/snmpd/traphandler.c,v
retrieving revision 1.8
diff -u -p -r1.8 traphandler.c
--- traphandler.c   9 Jan 2017 14:49:22 -   1.8
+++ traphandler.c   11 Aug 2017 20:10:50 -
@@ -96,6 +96,9 @@ traphandler_init(struct privsep *ps, str
struct snmpd*env = ps->ps_env;
struct listen_sock  *so;
 
+   if (pledge("stdio recvfd proc exec id", NULL) == -1)
+   fatal("pledge");
+
if (!env->sc_traphandler)
return;
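
Review bot: the pledge in traphandler_init() sits ahead of the "if (!env->sc_traphandler)" check and the rest of the function, and its promises include recvfd but not inet, so please confirm that nothing later in this function opens or binds a socket itself rather than receiving it from the parent. Sorted per the order given in the reply on this thread, the string would read "stdio id proc recvfd exec".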