Re: usbhidaction(1) is unveil(2)ed too strictly to run programs.

2022-08-01 Thread Hector Velasco
Hi Ricardo:

I tested the patch and it's working great. The solution seems obvious
now that I see it :).

suzaku@burningdawn:~ $ > doas rcctl stop usbhidaction
suzaku@burningdawn:~ $ > doas usbhidaction -v -c /etc/usbhidaction.conf -f /dev/uhid2
PARSE:1 Consumer:Volume_Increment, 1, 'sndioctl output.level=+0.05'
PARSE:2 Consumer:Volume_Decrement, 1, 'sndioctl output.level=-0.05'
PARSE:3 Consumer:Mute, 1, 'sndioctl output.mute=!'
PARSE:4 Consumer:Play/Pause, 1, 'mpc -q toggle'
PARSE:5 Consumer:Scan_Previous_Track, 1, 'mpc -q prev'
PARSE:6 Consumer:Scan_Next_Track, 1, 'mpc -q next'
PARSE:7 Consumer:Random_Play, 1, 'mpc -q random'
PARSE:8 Consumer:Stop, 1, 'mpc -q stop'
PARSE:9 Consumer:Fast_Forward, 1, 'mpc -q seek +10'
PARSE:10 Consumer:Rewind, 1, 'mpc -q seek -10'
report size 2
executing 'mpc -q toggle'
executing 'mpc -q prev'
executing 'mpc -q random'
executing 'mpc -q next'
executing 'mpc -q seek -10'
executing 'mpc -q seek +10'
executing 'mpc -q stop'
executing 'sndioctl output.level=+0.05'
output.level=0.392
executing 'sndioctl output.mute=!'
output.mute=0
executing 'sndioctl output.level=-0.05'
output.level=0.341
^C
suzaku@burningdawn:~ $ >

Thanks for the patch.

Regards.

HV


On Mon, Aug 01, 2022 at 12:11:48PM +0100, Ricardo Mestre wrote:
> ouch, how did I miss the call to execl(3) on docmd()? silly me!
> 
> OK?
> 
> Index: usbhidaction.c
> ===
> RCS file: /cvs/src/usr.bin/usbhidaction/usbhidaction.c,v
> retrieving revision 1.24
> diff -u -p -u -r1.24 usbhidaction.c
> --- usbhidaction.c15 Dec 2021 11:23:09 -  1.24
> +++ usbhidaction.c1 Aug 2022 11:08:31 -
> @@ -166,6 +166,8 @@ main(int argc, char **argv)
>  
>   if (unveil(conf, "r") == -1)
>   err(1, "unveil %s", conf);
> + if (unveil(_PATH_BSHELL, "x") == -1)
> + err(1, "unveil %s", _PATH_BSHELL);
>   if (unveil(NULL, NULL) == -1)
>   err(1, "unveil");
>  
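Review bot: the added unveil(_PATH_BSHELL, "x") call uses a macro from <paths.h>, and this hunk adds no #include, so check that usbhidaction.c already pulls that header in. A one-line comment above the call noting that docmd() runs the configured commands through the shell with execl(3) would record why execute permission on the shell alone is granted here, in place of the broader unveil("/", "x") suggested earlier in the thread.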
> 
> 
> On 15:42 Sat 30 Jul , Theo de Raadt wrote:
> > I suspect it should unveil("/", "x")
> > 
> > It is better than not doing anything.
> > 



usbhidaction(1) is unveil(2)ed too strictly to run programs.

2022-07-30 Thread Hector Velasco
Hello Misc.

TL;DR: usbhidaction(1) is unveil(2)ed too strictly to run programs.

I'm running:
kern.version=OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022
r...@syspatch-71-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Complete dmesg at the bottom.

I use usbhidaction to make some global mappings for mpd. My
usbhidaction.conf looks something like this:

/etc/usbhidaction.conf:
Consumer:Volume_Increment       1   sndioctl output.level=+0.05
Consumer:Volume_Decrement       1   sndioctl output.level=-0.05
Consumer:Mute                   1   sndioctl output.mute=!
Consumer:Play/Pause             1   mpc -q toggle
Consumer:Scan_Previous_Track    1   mpc -q prev
Consumer:Scan_Next_Track        1   mpc -q next
Consumer:Random_Play            1   mpc -q random
Consumer:Stop                   1   mpc -q stop
Consumer:Fast_Forward           1   mpc -q seek +10
Consumer:Rewind                 1   mpc -q seek -10


The reason for using usbhidaction (as opposed to regular X binds) is
that I'm not always running X. My GPU freezes every now and then
(amdgpu), so most of the time I'm running X-less. I like those binds to
be consistent whether I'm running X or not, basically.

On 7.0, ucc(4) was introduced. This driver works for my usb thinkpad kb
but not with a home-made one with custom firmware. Both work with
usbhidaction.

7.0, if I remember correctly, added unveil to usbhidaction, which does
its job flawlessly, as in completely blocking access to anything other
than its config file, but it also blocks access to any programs
configured in it, I think, defeating the point of usbhidaction.

The question is then: what's the best approach to solve this?

Completely removing usbhidaction's unveil call will decrease
security, so I'm sure this is not an option.

Unveiling each of the programs named in the config file. This will
work for initial setup, but if usbhidaction gets a SIGHUP it won't
be able to unveil new programs named in the config file. This in
turn forces a restart of the service, defeating the point of
reloading. However, it's still an improvement over it not working.

Fix my custom kb so it works with ucc. This I will do, as there's
obviously something wrong in how I report the keys, but I don't know
if there's a way to tell ucc what to do on keypresses. If I have mpd
and mpv running, which one should react to it? Can I map this out of
X as well?

Or, I'm using usbhidaction wrong and I should fix my setup. In which
case I'd like some pointers on how to do so.

For the time being, I disable ucc on boot and I patched the unveil calls
out of usbhidaction. It's working fine and I don't mind a few patches,
but I suspect there's a better way to deal with this.

Regards.

HV
