This mail includes a large diff of userland which demonstrates how
unveil() will be used in base.

Additionally, some of you have probably noticed that there is an unveil
diff brewing for chrome in ports; others probably heard that unveil was
specifically designed to "also satisfy chrome's requirements".  Since
chrome already does pretty good privsep and is designed for filesystem
containment on other platforms, we considered its requirements in the
design of the mechanism.

First off, you need this kernel diff to enable unveil():

Index: sys/kern/vfs_syscalls.c
===================================================================
RCS file: /cvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.295
diff -u -p -u -r1.295 vfs_syscalls.c
--- sys/kern/vfs_syscalls.c     22 Jul 2018 06:31:17 -0000      1.295
+++ sys/kern/vfs_syscalls.c     25 Jul 2018 17:28:09 -0000
@@ -913,9 +913,6 @@ sys_unveil(struct proc *p, void *v, regi
        if (pathlen < 2)
                return EINVAL;
 
-       /* XXX unveil is disabled but returns sucess for now */
-       return 0;
-
        if (pathlen == 2 && pathname[0] == '/')
                NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | SAVENAME,
                    UIO_SYSSPACE, pathname, p);

And here is the userland diff, applying to about 37 programs.  There will
be weaknesses and errors in here.  This is not perfect yet.

I hope we can bring that list to 50 before activating unveil().  A
snapshot release may precede that also, so that we can identify fallout
more easily.  In any case, there are a few known bugs in the kernel side
of unveil which need fixing beforehand (nothing serious).

Enjoy.

Index: bin/ps/ps.c
===================================================================
RCS file: /cvs/src/bin/ps/ps.c,v
retrieving revision 1.71
diff -u -p -u -r1.71 ps.c
--- bin/ps/ps.c 23 Sep 2016 06:28:08 -0000      1.71
+++ bin/ps/ps.c 12 Jul 2018 16:18:13 -0000
@@ -276,6 +276,19 @@ main(int argc, char *argv[])
        if (kd == NULL)
                errx(1, "%s", errbuf);
 
+       if (unveil(_PATH_DEVDB, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/dev", "r") == -1)
+               err(1, "unveil");
+       if (swapf)
+               if (unveil(swapf, "r") == -1)
+                       err(1, "unveil");
+       if (nlistf)
+               if (unveil(nlistf, "r") == -1)
+                       err(1, "unveil");
+       if (memf)
+               if (unveil(memf, "r") == -1)
+                       err(1, "unveil");
        if (pledge("stdio rpath getpw ps", NULL) == -1)
                err(1, "pledge");
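Review bot: The three optional paths at L56-L64 each use a brace-less nested `if`, the dangling-else shape the rest of this file avoids; folding the guard into the condition reads better and is one line per path, e.g. `if (swapf && unveil(swapf, "r") == -1) err(1, "unveil");`, and likewise for nlistf and memf. The pledge that follows carries no "unveil" promise, so the view is locked at that point, which is the intended order. main() continues outside the hunk.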
 
Index: include/login_cap.h
===================================================================
RCS file: /cvs/src/include/login_cap.h,v
retrieving revision 1.15
diff -u -p -u -r1.15 login_cap.h
--- include/login_cap.h 21 Nov 2014 05:13:44 -0000      1.15
+++ include/login_cap.h 12 Jul 2018 16:18:13 -0000
@@ -42,6 +42,7 @@
 #define        LOGIN_DEFSERVICE        "login"
 #define        LOGIN_DEFUMASK          022
 #define        _PATH_LOGIN_CONF        "/etc/login.conf"
+#define        _PATH_AUTHPROGDIR       "/usr/libexec/auth"
 #define        _PATH_AUTHPROG          "/usr/libexec/auth/login_"
 
 #define        LOGIN_SETGROUP          0x0001  /* Set group */
Index: libexec/comsat/comsat.c
===================================================================
RCS file: /cvs/src/libexec/comsat/comsat.c,v
retrieving revision 1.48
diff -u -p -u -r1.48 comsat.c
--- libexec/comsat/comsat.c     3 Apr 2017 17:23:39 -0000       1.48
+++ libexec/comsat/comsat.c     12 Jul 2018 16:18:13 -0000
@@ -91,6 +91,12 @@ main(int argc, char *argv[])
                exit(1);
        }
 
+       if (unveil(_PATH_MAILDIR, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_UTMP, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/tmp", "w") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath proc tty", NULL) == -1)
                err(1, "pledge");
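Review bot: The unveil set at L94-L99 covers the mail spool, utmp and /tmp, but not the terminal device comsat writes the notification to; if that open happens under /dev (it is not visible in this hunk), it will presumably fail with ENOENT once unveil is active, so an `unveil("/dev", "w")` or an unveil of the resolved tty path is needed before the pledge. The `"w"` on /tmp without `"c"` also means nothing can be created or removed there; if that is deliberate, a short comment saying what /tmp is used for would stop the next reader from "fixing" it. main() continues outside the hunk.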
 
Index: libexec/fingerd/fingerd.c
===================================================================
RCS file: /cvs/src/libexec/fingerd/fingerd.c,v
retrieving revision 1.39
diff -u -p -u -r1.39 fingerd.c
--- libexec/fingerd/fingerd.c   13 Nov 2015 01:26:33 -0000      1.39
+++ libexec/fingerd/fingerd.c   12 Jul 2018 16:18:13 -0000
@@ -68,7 +68,7 @@ main(int argc, char *argv[])
        char **ap, *av[ENTRIES + 1], line[8192], *lp, *hname;
        char hostbuf[HOST_NAME_MAX+1];
 
-       if (pledge("stdio inet dns proc exec", NULL) == -1)
+       if (pledge("stdio unveil inet dns proc exec", NULL) == -1)
                err(1, "pledge");
 
        prog = _PATH_FINGER;
@@ -110,6 +110,9 @@ main(int argc, char *argv[])
                default:
                        usage();
                }
+
+       if (unveil(_PATH_FINGER, "x") == -1)
+               err(1, "unveil");
 
        if (logging) {
                struct sockaddr_storage ss;
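Review bot: The unveil at L124 names `_PATH_FINGER` rather than `prog`, which is assigned `_PATH_FINGER` at L118 before option parsing; if any option reassigns prog (fingerd's -p, as far as I recall), the alternate program would no longer be executable after this point, so the call should use the variable: `if (unveil(prog, "x") == -1)`. The first hunk keeps the "unveil" promise in the pledge, so the view stays open until a later pledge without it or an `unveil(NULL, NULL)`, neither of which is visible here. main() continues outside the hunk.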
Index: libexec/getty/main.c
===================================================================
RCS file: /cvs/src/libexec/getty/main.c,v
retrieving revision 1.48
diff -u -p -u -r1.48 main.c
--- libexec/getty/main.c        29 May 2017 04:40:35 -0000      1.48
+++ libexec/getty/main.c        12 Jul 2018 16:18:13 -0000
@@ -169,6 +169,19 @@ main(int argc, char *argv[])
 
        ioctl(0, FIOASYNC, &off);       /* turn off async mode */
 
+       if (unveil("/usr/bin/login", "x") == -1) {
+               syslog(LOG_ERR, "%s: %m", tname);
+               exit(1);
+       }
+       if (unveil(_PATH_GETTYTAB, "r") == -1) {
+               syslog(LOG_ERR, "%s: %m", tname);
+               exit(1);
+       }
+       if (unveil("/dev", "rw") == -1) {
+               syslog(LOG_ERR, "%s: %m", tname);
+               exit(1);
+       }
+
        /*
         * The following is a work around for vhangup interactions
         * which cause great problems getting window systems started.
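Review bot: The three failure branches at L141, L145 and L149 log `"%s: %m"` with only the tty name, so the log line does not say which call failed or on which path, and cannot be told apart from getty's other syslog messages; something like `syslog(LOG_ERR, "%s: unveil %s: %m", tname, _PATH_GETTYTAB);` per branch (or a tiny helper taking the path) fixes that. `"/usr/bin/login"` is also spelled out as a literal while the other two paths come from macros; a named constant next to them would keep the three consistent. main() continues outside the hunk.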
Index: libexec/lockspool/lockspool.c
===================================================================
RCS file: /cvs/src/libexec/lockspool/lockspool.c,v
retrieving revision 1.18
diff -u -p -u -r1.18 lockspool.c
--- libexec/lockspool/lockspool.c       24 Nov 2015 00:19:29 -0000      1.18
+++ libexec/lockspool/lockspool.c       12 Jul 2018 16:18:13 -0000
@@ -32,6 +32,7 @@
 #include <unistd.h>
 #include <errno.h>
 #include <stdio.h>
+#include <paths.h>
 #include <stdlib.h>
 #include <poll.h>
 #include <err.h>
@@ -52,6 +53,8 @@ main(int argc, char *argv[])
        char *from, c;
        int holdfd;
 
+       if (unveil(_PATH_MAILDIR, "rwc") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath getpw cpath fattr", NULL) == -1)
                err(1, "pledge");
 
Index: libexec/spamd/grey.c
===================================================================
RCS file: /cvs/src/libexec/spamd/grey.c,v
retrieving revision 1.65
diff -u -p -u -r1.65 grey.c
--- libexec/spamd/grey.c        18 Oct 2017 17:31:01 -0000      1.65
+++ libexec/spamd/grey.c        12 Jul 2018 16:18:13 -0000
@@ -1078,11 +1078,21 @@ greywatcher(void)
 
        drop_privs();
 
+       if (unveil(PATH_SPAMD_DB, "rw") == -1) {
+               syslog_r(LOG_ERR, &sdata, "unveil failed for %s (%m)",
+                   PATH_SPAMD_DB);
+               exit(1);
+       }
+       if (unveil(PATH_PFCTL, "x") == -1) {
+               syslog_r(LOG_ERR, &sdata, "unveil failed for %s (%m)",
+                   PATH_PFCTL);
+               exit(1);
+       }
        if (pledge("stdio rpath wpath inet flock proc exec", NULL) == -1) {
                syslog_r(LOG_ERR, &sdata, "pledge failed (%m)");
                exit(1);
        }
-               
+
        startup = time(NULL);
        db_pid = fork();
        switch (db_pid) {
Index: libexec/spamd-setup/spamd-setup.c
===================================================================
RCS file: /cvs/src/libexec/spamd-setup/spamd-setup.c,v
retrieving revision 1.50
diff -u -p -u -r1.50 spamd-setup.c
--- libexec/spamd-setup/spamd-setup.c   7 Jul 2017 00:10:15 -0000       1.50
+++ libexec/spamd-setup/spamd-setup.c   12 Jul 2018 16:18:13 -0000
@@ -851,13 +851,24 @@ main(int argc, char *argv[])
        spamd_uid = pw->pw_uid;
        spamd_gid = pw->pw_gid;
 
-       if (pledge("stdio rpath inet proc exec id", NULL) == -1)
+       if (pledge("stdio unveil rpath inet proc exec id", NULL) == -1)
                err(1, "pledge");
 
        if (daemonize)
                daemon(0, 0);
        else if (chdir("/") != 0)
                err(1, "chdir(\"/\")");
+
+       if (unveil(PATH_FTP, "x") == -1)
+               err(1, "unveil");
+       if (unveil(PATH_PFCTL, "x") == -1)
+               err(1, "unveil");
+       if (unveil(PATH_SPAMD_CONF, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_SERVICES, "r") == -1)
+               err(1, "unveil");
+       if (pledge("stdio rpath inet proc exec id", NULL) == -1)
+               err(1, "pledge");
 
        if ((ent = getservbyname("spamd-cfg", "tcp")) == NULL)
                errx(1, "cannot find service \"spamd-cfg\" in /etc/services");
Index: sbin/fsck/fsck.c
===================================================================
RCS file: /cvs/src/sbin/fsck/fsck.c,v
retrieving revision 1.38
diff -u -p -u -r1.38 fsck.c
--- sbin/fsck/fsck.c    23 Nov 2015 19:19:29 -0000      1.38
+++ sbin/fsck/fsck.c    25 Jul 2018 17:34:19 -0000
@@ -39,6 +39,7 @@
 #include <sys/mount.h>
 #include <sys/queue.h>
 #include <sys/resource.h>
+#include <sys/stat.h>
 #include <sys/wait.h>
 
 #include <err.h>
@@ -106,6 +107,14 @@ main(int argc, char *argv[])
        } else
                warn("Can't get resource limit for data size");
 
+       checkroot();
+
+       if (unveil("/dev", "rw") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_FSTAB, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/sbin", "x") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath disklabel proc exec", NULL) == -1)
                err(1, "pledge");
 
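Review bot: The `checkroot();` call at L262 has no explanation, and its placement matters: it appears to exist so that blockcheck() (whose own stat("/") is removed in the fsutil.c hunk) has the root's stat cached before the unveil() calls below narrow the view, an ordering dependency a later edit could easily break. A one-line comment such as `/* stat("/") now; blockcheck() cannot once unveil() is in effect */` above the call would document it. The same bare call is added in fsck_ext2fs/main.c, fsck_ffs/main.c, fsck_msdos/main.c and quotacheck.c. main() continues outside the hunk.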
Index: sbin/fsck/fsutil.c
===================================================================
RCS file: /cvs/src/sbin/fsck/fsutil.c,v
retrieving revision 1.22
diff -u -p -u -r1.22 fsutil.c
--- sbin/fsck/fsutil.c  27 Sep 2015 05:25:00 -0000      1.22
+++ sbin/fsck/fsutil.c  12 Jul 2018 16:18:13 -0000
@@ -53,6 +53,17 @@ extern char *__progname;
 
 static void vmsg(int, const char *, va_list);
 
+struct stat stslash;
+
+void
+checkroot(void)
+{
+       if (stat("/", &stslash) < 0) {
+               xperror("/");
+               printf("Can't stat root\n");
+       }
+}
+
 void
 setcdevname(const char *cd, const char *ocd, int pr)
 {
@@ -182,17 +193,12 @@ rawname(char *name)
 char *
 blockcheck(char *origname)
 {
-       struct stat stslash, stblock, stchar;
+       struct stat stblock, stchar;
        char *newname, *raw;
        struct fstab *fsp;
        int retried = 0;
 
        hot = 0;
-       if (stat("/", &stslash) < 0) {
-               xperror("/");
-               printf("Can't stat root\n");
-               return (origname);
-       }
        newname = origname;
 retry:
        if (stat(newname, &stblock) < 0)
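Review bot: blockcheck() used to return origname when stat("/") failed (the lines removed at L309-L313), but checkroot() at L289 only prints and the new code falls through to use a zero-filled `stslash`, so the error path has silently become a misbehaviour path. Keep the early-out by recording the outcome: a file-scope `static int stslash_ok;` set to 1 after a successful stat in checkroot(), and in blockcheck() `if (!stslash_ok) return (origname);` where the old check stood. `struct stat stslash` should also be `static` unless another file now needs it (fsutil.h only exports checkroot). blockcheck() continues outside the hunk.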
Index: sbin/fsck/fsutil.h
===================================================================
RCS file: /cvs/src/sbin/fsck/fsutil.h,v
retrieving revision 1.7
diff -u -p -u -r1.7 fsutil.h
--- sbin/fsck/fsutil.h  8 Oct 2014 16:27:53 -0000       1.7
+++ sbin/fsck/fsutil.h  12 Jul 2018 16:18:13 -0000
@@ -41,6 +41,7 @@ void panic(const char *, ...)
     __attribute__((__noreturn__,__format__(__printf__,1,2)));
 char *rawname(char *);
 char *unrawname(char *);
+void checkroot(void);
 char *blockcheck(char *);
 const char *cdevname(void);
 void setcdevname(const char *, const char *, int);
Index: sbin/fsck_ext2fs/main.c
===================================================================
RCS file: /cvs/src/sbin/fsck_ext2fs/main.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 main.c
--- sbin/fsck_ext2fs/main.c     16 Mar 2016 15:41:10 -0000      1.27
+++ sbin/fsck_ext2fs/main.c     12 Jul 2018 16:18:13 -0000
@@ -65,6 +65,8 @@ main(int argc, char *argv[])
        int ch;
        int ret = 0;
 
+       checkroot();
+
        sync();
        skipclean = 1;
        while ((ch = getopt(argc, argv, "b:dfm:npy")) != -1) {
Index: sbin/fsck_ext2fs/setup.c
===================================================================
RCS file: /cvs/src/sbin/fsck_ext2fs/setup.c,v
retrieving revision 1.31
diff -u -p -u -r1.31 setup.c
--- sbin/fsck_ext2fs/setup.c    26 Aug 2017 06:32:06 -0000      1.31
+++ sbin/fsck_ext2fs/setup.c    12 Jul 2018 16:18:13 -0000
@@ -73,6 +73,9 @@ setup(char *dev)
        int doskipclean;
        u_int64_t maxfilesize;
 
+       if (unveil("/dev", "rw") == -1)
+               err(1, "unveil");
+
        havesb = 0;
        fswritefd = -1;
        doskipclean = skipclean;
Index: sbin/fsck_ffs/main.c
===================================================================
RCS file: /cvs/src/sbin/fsck_ffs/main.c,v
retrieving revision 1.51
diff -u -p -u -r1.51 main.c
--- sbin/fsck_ffs/main.c        5 Jan 2018 09:33:47 -0000       1.51
+++ sbin/fsck_ffs/main.c        12 Jul 2018 16:18:13 -0000
@@ -67,6 +67,8 @@ main(int argc, char *argv[])
        int ch;
        int ret = 0;
 
+       checkroot();
+
        sync();
        skipclean = 1;
        while ((ch = getopt(argc, argv, "dfpnNyYb:c:m:")) != -1) {
Index: sbin/fsck_ffs/setup.c
===================================================================
RCS file: /cvs/src/sbin/fsck_ffs/setup.c,v
retrieving revision 1.64
diff -u -p -u -r1.64 setup.c
--- sbin/fsck_ffs/setup.c       5 Jan 2018 09:33:47 -0000       1.64
+++ sbin/fsck_ffs/setup.c       12 Jul 2018 16:18:13 -0000
@@ -90,6 +90,9 @@ setup(char *dev, int isfsdb)
        u_int64_t maxfilesize;
        char *realdev;
 
+       if (unveil("/dev", "rw") == -1)
+               err(1, "unveil");
+
        havesb = 0;
        fswritefd = fsreadfd = -1;
        doskipclean = skipclean;
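Review bot: The unveil at L392 exposes only /dev, but setup() receives a user-supplied `dev` that blockcheck() may resolve through fstab (it declares `struct fstab *fsp`), so an invocation naming a mount point rather than a device would lose access to /etc/fstab once the view is narrowed; if blockcheck() runs after this point, `unveil(_PATH_FSTAB, "r")` is needed here as well. No pledge follows in the hunk, so the view is also left unlocked unless one exists later in setup() or in the caller. fsck_ext2fs/setup.c has the same shape; fsck_msdos/check.c goes through opendev() and may not be affected. setup() continues outside the hunk.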
Index: sbin/fsck_msdos/check.c
===================================================================
RCS file: /cvs/src/sbin/fsck_msdos/check.c,v
retrieving revision 1.18
diff -u -p -u -r1.18 check.c
--- sbin/fsck_msdos/check.c     14 Oct 2015 16:58:55 -0000      1.18
+++ sbin/fsck_msdos/check.c     12 Jul 2018 16:18:13 -0000
@@ -54,6 +54,9 @@ checkfilesys(const char *fname)
        int i;
        int mod = 0;
 
+       if (unveil("/dev", "rw") == -1)
+               err(1, "unveil");
+
        rdonly = alwaysno;
 
        dosfs = opendev(fname, rdonly ? O_RDONLY : O_RDWR, 0, &realdev);
Index: sbin/fsck_msdos/main.c
===================================================================
RCS file: /cvs/src/sbin/fsck_msdos/main.c,v
retrieving revision 1.23
diff -u -p -u -r1.23 main.c
--- sbin/fsck_msdos/main.c      28 May 2016 18:00:42 -0000      1.23
+++ sbin/fsck_msdos/main.c      12 Jul 2018 16:18:13 -0000
@@ -57,6 +57,8 @@ main(int argc, char *argv[])
 {
        int ch;
 
+       checkroot();
+
        while ((ch = getopt(argc, argv, "pynf")) != -1) {
                switch (ch) {
                case 'f':
Index: sbin/quotacheck/quotacheck.c
===================================================================
RCS file: /cvs/src/sbin/quotacheck/quotacheck.c,v
retrieving revision 1.39
diff -u -p -u -r1.39 quotacheck.c
--- sbin/quotacheck/quotacheck.c        10 Dec 2015 17:27:00 -0000      1.39
+++ sbin/quotacheck/quotacheck.c        12 Jul 2018 16:18:13 -0000
@@ -139,6 +139,8 @@ main(int argc, char *argv[])
        const char *errstr;
        char *name;
 
+       checkroot();
+
        errs = maxrun = 0;
        while ((ch = getopt(argc, argv, "adguvl:")) != -1) {
                switch(ch) {
Index: sbin/savecore/savecore.c
===================================================================
RCS file: /cvs/src/sbin/savecore/savecore.c,v
retrieving revision 1.57
diff -u -p -u -r1.57 savecore.c
--- sbin/savecore/savecore.c    1 Sep 2016 14:12:07 -0000       1.57
+++ sbin/savecore/savecore.c    12 Jul 2018 16:18:13 -0000
@@ -171,6 +171,10 @@ main(int argc, char *argv[])
        (void)time(&now);
        kmem_setup();
 
+       if (unveil(dirn, "rwc") == -1) {
+               syslog(LOG_ERR, "unveil: %m");
+               exit(1);
+       }
        if (pledge("stdio rpath wpath cpath", NULL) == -1) {
                syslog(LOG_ERR, "pledge: %m");
                exit(1);
Index: sbin/scan_ffs/scan_ffs.c
===================================================================
RCS file: /cvs/src/sbin/scan_ffs/scan_ffs.c,v
retrieving revision 1.22
diff -u -p -u -r1.22 scan_ffs.c
--- sbin/scan_ffs/scan_ffs.c    26 Apr 2018 15:55:14 -0000      1.22
+++ sbin/scan_ffs/scan_ffs.c    12 Jul 2018 16:18:13 -0000
@@ -139,7 +139,7 @@ main(int argc, char *argv[])
        daddr_t beg = 0, end = -1;
        const char *errstr;
 
-       if (pledge("stdio rpath disklabel", NULL) == -1)
+       if (pledge("stdio unveil rpath disklabel", NULL) == -1)
                err(1, "pledge");
 
        while ((ch = getopt(argc, argv, "lsvb:e:")) != -1)
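Review bot: The "unveil" promise is added to the pledge at L477 but no unveil call appears in this hunk; if the call is made later in main(), a final pledge without "unveil" (or `unveil(NULL, NULL)`) should follow it so the view is locked, and if no call exists the promise should be dropped again rather than left as unused capability. main() continues outside the hunk.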
Index: sbin/shutdown/shutdown.c
===================================================================
RCS file: /cvs/src/sbin/shutdown/shutdown.c,v
retrieving revision 1.51
diff -u -p -u -r1.51 shutdown.c
--- sbin/shutdown/shutdown.c    7 Apr 2018 19:08:13 -0000       1.51
+++ sbin/shutdown/shutdown.c    26 Jul 2018 16:03:51 -0000
@@ -113,7 +113,17 @@ main(int argc, char *argv[])
        int arglen, ch, len, readstdin = 0;
        pid_t forkpid;
 
-       if (pledge("stdio rpath wpath cpath getpw tty id proc exec", NULL) == 
-1)
+       if (unveil(_PATH_CONSOLE, "rw") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_RC, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_WALL, "x") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_FASTBOOT, "wc") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_NOLOGIN, "wc") == -1)
+               err(1, "unveil");
+       if (pledge("stdio unveil rpath wpath cpath getpw tty id proc exec", 
NULL) == -1)
                err(1, "pledge");
 
 #ifndef DEBUG
@@ -167,6 +177,20 @@ main(int argc, char *argv[])
                warnx("incompatible switches -p and -r.");
                usage();
        }
+
+       if (dohalt || dopower) {
+               if (unveil(_PATH_HALT, "x") == -1)
+                       err(1, "unveil");
+       } else if (doreboot) {
+               if (unveil(_PATH_REBOOT, "x") == -1)
+                       err(1, "unveil");
+       } else {
+               if (unveil(_PATH_BSHELL, "x") == -1)
+                       err(1, "unveil");
+       }
+       if (pledge("stdio rpath wpath cpath getpw tty id proc exec", NULL) == 
-1)
+               err(1, "pledge");
+
        getoffset(*argv++);
 
        if (*argv) {
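Review bot: The three branches at L514-L523 differ only in the path handed to unveil, so the call and its error check are repeated three times; select the path first and unveil once, e.g. `const char *prog = (dohalt || dopower) ? _PATH_HALT : doreboot ? _PATH_REBOOT : _PATH_BSHELL;` followed by `if (unveil(prog, "x") == -1) err(1, "unveil");`. The second pledge at L524 correctly drops "unveil", so the view is fixed from that point on. main() continues outside the hunk.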
Index: usr.bin/calendar/calendar.c
===================================================================
RCS file: /cvs/src/usr.bin/calendar/calendar.c,v
retrieving revision 1.35
diff -u -p -u -r1.35 calendar.c
--- usr.bin/calendar/calendar.c 7 Dec 2015 18:46:35 -0000       1.35
+++ usr.bin/calendar/calendar.c 12 Jul 2018 16:18:13 -0000
@@ -40,6 +40,7 @@
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <syslog.h>
 #include <string.h>
 #include <limits.h>
 #include <time.h>
@@ -66,12 +67,14 @@ struct specialev spev[NUMEV];
 
 void childsig(int);
 
+void dothemall(void);
+
 int
 main(int argc, char *argv[])
 {
        int ch;
        const char *errstr;
-       char *caldir;
+       char *caldir = getenv("CALENDAR_DIR");
 
        (void)setlocale(LC_ALL, "");
 
@@ -123,11 +126,25 @@ main(int argc, char *argv[])
        if (argc)
                usage();
 
+       if (unveil(_PATH_CPP, "x") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_SENDMAIL, "x") == -1)
+               err(1, "unveil");
+
+       if (unveil(calendarFile, "r") == -1)
+               err(1, "unveil");
+       if (unveil(calendarFile, "r") == -1)
+               err(1, "unveil");
+
        if (doall) {
                if (pledge("stdio rpath tmppath fattr getpw id proc exec", NULL)
                    == -1)
                        err(1, "pledge");
        } else {
+               if (caldir) {
+                       if (unveil(caldir, "x") == -1)
+                               err(1, "unveil");
+               }
                if (pledge("stdio rpath proc exec", NULL) == -1)
                        err(1, "pledge");
        }
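Review bot: `unveil(calendarFile, "r")` is issued twice at L571 and L573; the second is a no-op and was presumably meant for `calendarHome` or `calendarNoMail`, which the -a path stat()s later (L752-L753) but which are never unveiled. If calendarFile is a relative name, as the chdir(pw->pw_dir) before the stat at L739-L745 suggests, unveiling it here also pins it to the startup working directory rather than to each user's file. The `"x"` on caldir at L582 looks wrong as well: the non-doall branch chdir()s into caldir and reads the calendar files there (L713), which needs `"r"`, so `if (unveil(caldir, "r") == -1)`. main() continues outside the hunk.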
@@ -145,116 +162,8 @@ main(int argc, char *argv[])
        settime(&f_time);
 
        if (doall) {
-               pid_t kid, deadkid;
-               int kidstat, kidreaped, runningkids;
-               int acstat;
-               struct stat sbuf;
-               time_t t;
-               unsigned int sleeptime;
-
-               signal(SIGCHLD, childsig);
-               runningkids = 0;
-               t = time(NULL);
-               while ((pw = getpwent()) != NULL) {
-                       acstat = 0;
-                       /* Avoid unnecessary forks.  The calendar file is only
-                        * opened as the user later; if it can't be opened,
-                        * it's no big deal.  Also, get to correct directory.
-                        * Note that in an NFS environment root may get EACCES
-                        * on a chdir(), in which case we have to fork.  As 
long as
-                        * we can chdir() we can stat(), unless the user is
-                        * modifying permissions while this is running.
-                        */
-                       if (chdir(pw->pw_dir)) {
-                               if (errno == EACCES)
-                                       acstat = 1;
-                               else
-                                       continue;
-                       }
-                       if (stat(calendarFile, &sbuf) != 0) {
-                               if (chdir(calendarHome)) {
-                                       if (errno == EACCES)
-                                               acstat = 1;
-                                       else
-                                               continue;
-                               }
-                               if (stat(calendarNoMail, &sbuf) == 0 ||
-                                   stat(calendarFile, &sbuf) != 0)
-                                       continue;
-                       }
-                       sleeptime = USERTIMEOUT;
-                       switch ((kid = fork())) {
-                       case -1:        /* error */
-                               warn("fork");
-                               continue;
-                       case 0: /* child */
-                               (void)setpgid(getpid(), getpid());
-                               (void)setlocale(LC_ALL, "");
-                               if (setusercontext(NULL, pw, pw->pw_uid,
-                                   LOGIN_SETALL ^ LOGIN_SETLOGIN))
-                                       err(1, "unable to set user context (uid 
%u)",
-                                           pw->pw_uid);
-                               if (acstat) {
-                                       if (chdir(pw->pw_dir) ||
-                                           stat(calendarFile, &sbuf) != 0 ||
-                                           chdir(calendarHome) ||
-                                           stat(calendarNoMail, &sbuf) == 0 ||
-                                           stat(calendarFile, &sbuf) != 0)
-                                               exit(0);
-                               }
-                               cal();
-                               exit(0);
-                       }
-                       /* parent: wait a reasonable time, then kill child if
-                        * necessary.
-                        */
-                       runningkids++;
-                       kidreaped = 0;
-                       do {
-                               sleeptime = sleep(sleeptime);
-                               /* Note that there is the possibility, if the 
sleep
-                                * stops early due to some other signal, of the 
child
-                                * terminating and not getting detected during 
the next
-                                * sleep.  In that unlikely worst case, we just 
sleep
-                                * too long for that user.
-                                */
-                               for (;;) {
-                                       deadkid = waitpid(-1, &kidstat, 
WNOHANG);
-                                       if (deadkid <= 0)
-                                               break;
-                                       runningkids--;
-                                       if (deadkid == kid) {
-                                               kidreaped = 1;
-                                               sleeptime = 0;
-                                       }
-                               }
-                       } while (sleeptime);
-
-                       if (!kidreaped) {
-                               /* It doesn't _really_ matter if the kill 
fails, e.g.
-                                * if there's only a zombie now.
-                                */
-                               if (getpgid(kid) != getpgrp())
-                                       (void)killpg(getpgid(kid), SIGTERM);
-                               else
-                                       (void)kill(kid, SIGTERM);
-                               warnx("uid %u did not finish in time", 
pw->pw_uid);
-                       }
-                       if (time(NULL) - t >= SECSPERDAY)
-                               errx(2, "'calendar -a' took more than a day; "
-                                   "stopped at uid %u",
-                                   pw->pw_uid);
-               }
-               for (;;) {
-                       deadkid = waitpid(-1, &kidstat, WNOHANG);
-                       if (deadkid <= 0)
-                               break;
-                       runningkids--;
-               }
-               if (runningkids)
-                       warnx("%d child processes still running when "
-                           "'calendar -a' finished", runningkids);
-       } else if ((caldir = getenv("CALENDAR_DIR")) != NULL) {
+               dothemall();
+       } else if (caldir != NULL) {
                if(!chdir(caldir))
                        cal();
        } else
@@ -278,3 +187,75 @@ void
 childsig(int signo)
 {
 }
+
+void
+dothemall(void)
+{
+       pid_t kid, kid2;
+       struct stat sbuf;
+       int acstat;
+
+       signal(SIGCHLD, SIG_IGN);
+
+       while (1) {
+               switch ((kid = fork())) {
+               case -1:        /* error */
+                       warn("fork");
+                       continue;
+               case 0: /* child */
+                       while ((pw = getpwent()) != NULL) {
+                               acstat = 0;
+
+                               if (chdir(pw->pw_dir)) {
+                                       if (errno == EACCES)
+                                               acstat = 1;
+                                       else
+                                               continue;
+                               }
+                               if (stat(calendarFile, &sbuf) != 0) {
+                                       if (chdir(calendarHome)) {
+                                               if (errno == EACCES)
+                                                       acstat = 1;
+                                               else
+                                                       continue;
+                                       }
+                                       if (stat(calendarNoMail, &sbuf) == 0 ||
+                                           stat(calendarFile, &sbuf) != 0)
+                                               continue;
+                               }
+
+                               switch ((kid2 = fork())) {
+                               case -1:        /* error */
+                                       warn("fork");
+                                       continue;
+                               case 0: /* child */
+                                       syslog(LOG_CRIT, "trying %s", 
pw->pw_name);
+                                       (void)setpgid(getpid(), getpid());
+                                       (void)setlocale(LC_ALL, "");
+                                       if (setusercontext(NULL, pw, pw->pw_uid,
+                                           LOGIN_SETALL ^ LOGIN_SETLOGIN))
+                                               err(1, "cannot set user context 
(uid %u)",
+                                                   pw->pw_uid);
+                                       if (acstat) {
+                                               if (chdir(pw->pw_dir) ||
+                                                   stat(calendarFile, &sbuf) 
!= 0 ||
+                                                   chdir(calendarHome) ||
+                                                   stat(calendarNoMail, &sbuf) 
== 0 ||
+                                                   stat(calendarFile, &sbuf) 
!= 0)
+                                                       exit(0);
+                                       }
+                                       cal();
+                                       exit(0);
+                               default:
+                                       wait(NULL);
+                                       break;
+                               }
+                       }
+                       syslog(LOG_CRIT, "done users");
+                       exit(0);
+               default:
+                       wait(NULL);
+                       return;
+               }
+       }
+}
\ No newline at end of file
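Review bot: dothemall() drops the per-user timeout the removed loop enforced (the USERTIMEOUT sleep, killpg(SIGTERM) and the SECSPERDAY limit at L630-L699) and replaces it with an unconditional `wait(NULL)` at L785, so one user's hung calendar run now stalls `calendar -a` indefinitely. The `syslog(LOG_CRIT, "trying %s", ...)` and `"done users"` calls at L762 and L789 read like debugging left in: LOG_CRIT is far too high for a per-user trace, and the new `<syslog.h>` include exists only for them. The outer `while (1)` retries a failed fork() forever via `continue` at L734, and with `signal(SIGCHLD, SIG_IGN)` at L728 the later wait() calls may return -1/ECHILD instead of the child's status, depending on the platform's auto-reap behaviour. The file also loses its trailing newline.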
Index: usr.bin/doas/doas.c
===================================================================
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.72
diff -u -p -u -r1.72 doas.c
--- usr.bin/doas/doas.c 27 May 2017 09:51:07 -0000      1.72
+++ usr.bin/doas/doas.c 12 Jul 2018 16:18:13 -0000
@@ -239,6 +239,30 @@ good:
        }
 }
 
+void
+pledgecommands(const char *ipath, const char *cmd)
+{
+       char *path;
+       char buf[PATH_MAX];
+       char *p, *cp;
+
+       path = strdup(ipath);
+       if (!path)
+               err(1, "copying path");
+
+       for (p = path; p && *p;) {
+               cp = strsep(&p, ":");
+               if (cp) {
+                       int r = snprintf(buf, sizeof buf, "%s/%s", cp, cmd);
+                       if (r == -1 || r >= sizeof buf)
+                               errx(1, "snprintf");
+                       if (unveil(buf, "x") == -1)
+                               err(1, "unveil");
+               }
+       }
+       free(path);
+}
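Review bot: pledgecommands() only unveils `<dir>/<cmd>` for each PATH component, so a command given with a slash, which an execvp-style lookup runs directly without a PATH search, is never unveiled and its exec would fail after the L840 call; that case needs handling before the loop, and an empty component currently yields `"/<cmd>"` through the `"%s/%s"` format at L823. `r >= sizeof buf` at L824 compares int with size_t; casting after the -1 check, `(size_t)r >= sizeof buf`, silences the sign warning, and the name says pledge although the function unveils. Separately, if the unveil view is inherited across execve, as I believe the design intends though nothing in this diff shows it, the command started at L840 would run with only its own binary visible, which is a much larger question for doas than for the other programs here. The rewrite below handles the explicit-path and empty-component cases.
```c
void
pledgecommands(const char *ipath, const char *cmd)
{
	/* … unchanged: declarations … */

	/* An explicit path bypasses the PATH search, so unveil it as given. */
	if (strchr(cmd, '/') != NULL) {
		if (unveil(cmd, "x") == -1)
			err(1, "unveil");
		return;
	}

	path = strdup(ipath);
	/* … unchanged: strdup failure check … */
	for (p = path; p && *p;) {
		cp = strsep(&p, ":");
		if (cp == NULL || *cp == '\0')
			continue;	/* empty entry: no directory to unveil */
		int r = snprintf(buf, sizeof buf, "%s/%s", cp, cmd);
		if (r == -1 || (size_t)r >= sizeof buf)
			errx(1, "snprintf");
		if (unveil(buf, "x") == -1)
			err(1, "unveil");
	}
	/* … unchanged: free(path) … */
}
```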
+
 int
 main(int argc, char **argv)
 {
@@ -364,6 +388,7 @@ main(int argc, char **argv)
                authuser(myname, login_style, rule->options & PERSIST);
        }
 
+       pledgecommands(safepath, cmd);
        if (pledge("stdio rpath getpw exec id", NULL) == -1)
                err(1, "pledge");
 
Index: usr.bin/encrypt/encrypt.c
===================================================================
RCS file: /cvs/src/usr.bin/encrypt/encrypt.c,v
retrieving revision 1.47
diff -u -p -u -r1.47 encrypt.c
--- usr.bin/encrypt/encrypt.c   24 May 2017 09:19:55 -0000      1.47
+++ usr.bin/encrypt/encrypt.c   12 Jul 2018 16:18:13 -0000
@@ -95,7 +95,9 @@ main(int argc, char **argv)
        char *extra = NULL;     /* Store login class or number of rounds */
        const char *errstr;
 
-       if (pledge("stdio rpath wpath tty", NULL) == -1)
+       if (unveil(_PATH_LOGIN_CONF, "r") == -1)
+               err(1, "unveil");
+       if (pledge("stdio rpath tty", NULL) == -1)
                err(1, "pledge");
 
        while ((opt = getopt(argc, argv, "pb:c:")) != -1) {
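Review bot: The new `unveil(_PATH_LOGIN_CONF, "r")` carries no explanation of why login.conf is the only path encrypt needs, presumably the `-c class` lookup visible in the getopt string; a comment such as `/* only login.conf is ever opened, for the -c class lookup */` would let the next reader confirm that instead of re-deriving it. The hunk also silently drops `wpath` from the promises; if nothing later writes a file that is a welcome tightening, but it is a separate change and the commit message should say so.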
Index: usr.bin/from/from.c
===================================================================
RCS file: /cvs/src/usr.bin/from/from.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 from.c
--- usr.bin/from/from.c 31 May 2017 19:41:30 -0000      1.25
+++ usr.bin/from/from.c 12 Jul 2018 16:18:13 -0000
@@ -74,10 +74,16 @@ main(int argc, char *argv[])
        }
        argv += optind;
 
-       if (pledge("stdio rpath getpw", NULL) == -1)
+       if (pledge("stdio unveil rpath getpw", NULL) == -1)
                err(1, "pledge");
 
        file = mail_spool(file, *argv);
+
+       if (unveil(file, "r") == -1)
+               err(1, "unveil");
+       if (pledge("stdio rpath getpw", NULL) == -1)
+               err(1, "pledge");
+
        if ((fp = fopen(file, "r")) == NULL) {
                if (!fflag && errno == ENOENT)
                        exit(EXIT_SUCCESS);
Index: usr.bin/ftp/main.c
===================================================================
RCS file: /cvs/src/usr.bin/ftp/main.c,v
retrieving revision 1.120
diff -u -p -u -r1.120 main.c
--- usr.bin/ftp/main.c  10 Feb 2018 06:25:16 -0000      1.120
+++ usr.bin/ftp/main.c  12 Jul 2018 16:18:13 -0000
@@ -273,6 +273,7 @@ main(volatile int argc, char *argv[])
        }
 
        ttyout = stdout;
+// espie: fw_update, ^T not working.  due to no TERM= while in rc script?
        if (isatty(fileno(ttyout)) && !dumb_terminal && foregroundproc())
                progress = 1;           /* progress bar on if tty is usable */
 
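Review bot: The added line is a personal debugging note in `//` style rather than a code change or a durable comment, and nothing in the hunk addresses the ^T problem it describes. Base uses `/* */` and marks open questions with XXX, so either resolve the issue separately or rewrite the line as `/* XXX ^T progress does not fire under fw_update; no TERM in rc scripts? */` and keep the attribution in the commit message rather than the source.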
Index: usr.bin/nc/netcat.c
===================================================================
RCS file: /cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.191
diff -u -p -u -r1.191 netcat.c
--- usr.bin/nc/netcat.c 27 Apr 2018 15:17:53 -0000      1.191
+++ usr.bin/nc/netcat.c 26 Jul 2018 14:59:43 -0000
@@ -364,6 +364,30 @@ main(int argc, char *argv[])
        } else
                usage(1);
 
+       if (usetls) {
+               if (Cflag) {
+                       if (unveil(Cflag, "r") == -1)
+                               err(1, "unveil");
+               } else {
+                       if (unveil("/etc/ssl/cert.pem", "r") == -1)
+                               err(1, "unveil");
+               }
+               if (Rflag && unveil(Rflag, "r") == -1)
+                       err(1, "unveil");
+               if (Kflag && unveil(Kflag, "r") == -1)
+                       err(1, "unveil");
+               if (oflag && unveil(oflag, "r") == -1)
+                       err(1, "unveil");
+       } else {
+               if (family == AF_UNIX) {
+                       if (unveil(host, "rwc") == -1)
+                               err(1, "unveil");
+               } else {
+                       if (unveil("/", "") == -1)
+                               err(1, "unveil");
+               }
+       }
+
        if (family == AF_UNIX) {
                if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
                        err(1, "pledge");
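Review bot: The TLS branch pairs `Cflag` with the default `/etc/ssl/cert.pem` as if `-C` named the CA bundle, but `-C` is the client certificate file and the CA file is `-R`, so the default CA path belongs with Rflag's default rather than in Cflag's else branch. If Rflag already defaults to that path elsewhere in main (not visible here) the else branch is merely redundant; if it does not, a run with `-C cert` and no `-R` has no CA file unveiled and verification fails under the locked view. If the file already defines a constant for the default CA path, use it here instead of the literal. In the non-TLS, non-unix branch `unveil("/", "")` hides the whole filesystem, which is the right intent but deserves a one-line comment, since an empty permission string reads like a mistake.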
Index: usr.bin/su/su.c
===================================================================
RCS file: /cvs/src/usr.bin/su/su.c,v
retrieving revision 1.70
diff -u -p -u -r1.70 su.c
--- usr.bin/su/su.c     30 Oct 2015 19:45:03 -0000      1.70
+++ usr.bin/su/su.c     12 Jul 2018 16:18:13 -0000
@@ -73,7 +73,7 @@ main(int argc, char **argv)
        uid_t ruid;
        u_int flags;
 
-       if (pledge("stdio rpath getpw proc exec id", NULL) == -1)
+       if (pledge("stdio unveil rpath getpw proc exec id", NULL) == -1)
                err(1, "pledge");
 
        while ((ch = getopt(argc, argv, "a:c:fKLlms:-")) != -1)
@@ -160,6 +160,11 @@ main(int argc, char **argv)
                }
        }
 
+       if (unveil(_PATH_LOGIN_CONF, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_AUTHPROGDIR, "x") == -1)
+               err(1, "unveil");
+
        for (;;) {
                /* get target user, default to root unless in -L mode */
                if (*argv) {
@@ -215,7 +220,7 @@ main(int argc, char **argv)
                fprintf(stderr, "Login incorrect\n");
        }
 
-       if (pledge("stdio rpath getpw exec id", NULL) == -1)
+       if (pledge("stdio unveil rpath getpw exec id", NULL) == -1)
                err(1, "pledge");
 
        if (!altshell) {
@@ -233,6 +238,11 @@ main(int argc, char **argv)
                }
        }
 
+       if (unveil(shell, "x") == -1)
+               err(1, "unveil");
+       if (unveil(pwd->pw_dir, "r") == -1)
+               err(1, "unveil");
+
        if ((p = strrchr(shell, '/')))
                avshell = p+1;
        else
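Review bot: Unveiling `shell` as `x` and `pwd->pw_dir` as only `r` raises the question of what the new shell sees after su's execve: unveil(2) rules that survive exec would hand a root shell a view consisting of login.conf, the auth program directory, its own binary and a read-only home (or a read-only `/` in the no-home hunk below). Whether execve resets the rules is a kernel-side property not shown in this diff; if it does, a comment such as `/* unveil rules apply to su itself; the exec'd shell starts unrestricted */` should say so next to these calls, and if it does not, su is the wrong place for path unveils. The same consideration applies to the `_PATH_AUTHPROGDIR` hunk above and the `unveil("/", "r")` hunk below.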
@@ -260,6 +270,8 @@ main(int argc, char **argv)
                                if (login_getcapbool(lc, "requirehome", 0)) {
                                        auth_err(as, 1, "%s", pwd->pw_dir);
                                } else {
+                                       if (unveil("/", "r") == -1)
+                                               err(1, "unveil");
                                        printf("No home directory %s!\n", 
pwd->pw_dir);
                                        printf("Logging in with home = 
\"/\".\n");
                                        if (chdir("/") < 0)
@@ -285,6 +297,8 @@ main(int argc, char **argv)
                if (setenv("SHELL", shell, 1) == -1)
                        auth_err(as, 1, "unable to set environment");
        }
+       if (pledge("stdio rpath getpw exec id", NULL) == -1)
+               err(1, "pledge");
 
        np = *argv ? argv : argv - 1;
        if (iscsh == YES) {
Index: usr.bin/top/top.c
===================================================================
RCS file: /cvs/src/usr.bin/top/top.c,v
retrieving revision 1.89
diff -u -p -u -r1.89 top.c
--- usr.bin/top/top.c   15 Mar 2017 04:24:14 -0000      1.89
+++ usr.bin/top/top.c   12 Jul 2018 16:18:13 -0000
@@ -412,6 +412,8 @@ main(int argc, char *argv[])
        sigprocmask(SIG_BLOCK, &mask, &oldmask);
        if (interactive)
                init_screen();
+       if (pledge("stdio getpw tty proc ps vminfo", NULL) == -1)
+               err(1, "pledge");       
        (void) signal(SIGINT, leave);
        siginterrupt(SIGINT, 1);
        (void) signal(SIGQUIT, leave);
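Review bot: The new `err(1, "pledge");` line carries trailing whitespace. The pledge is placed after `init_screen()`, presumably because screen setup needs something the promise set excludes; a comment such as `/* init_screen() is done; the display loop needs only these promises */` would record that rather than leaving the ordering to be rediscovered.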
Index: usr.bin/wall/wall.c
===================================================================
RCS file: /cvs/src/usr.bin/wall/wall.c,v
retrieving revision 1.32
diff -u -p -u -r1.32 wall.c
--- usr.bin/wall/wall.c 1 Aug 2016 20:30:25 -0000       1.32
+++ usr.bin/wall/wall.c 12 Jul 2018 16:18:13 -0000
@@ -115,6 +115,10 @@ main(int argc, char **argv)
 
        makemsg(*argv);
 
+       if (unveil(_PATH_UTMP, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/dev", "w") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath getpw proc", NULL) == -1)
                err(1, "pledge");
 
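Review bot: The unveils are placed after `makemsg(*argv)` so that the optional message file is read before the view narrows, but nothing in the code says so; `/* makemsg() has read the message file; only utmp and the ttys under /dev remain */` would make the ordering deliberate rather than accidental. `/dev` with `w` alone suffices only if the ttys are opened write-only; the open flags in the writer are outside this hunk and worth confirming.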
Index: usr.bin/who/who.c
===================================================================
RCS file: /cvs/src/usr.bin/who/who.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 who.c
--- usr.bin/who/who.c   21 Oct 2015 16:06:57 -0000      1.27
+++ usr.bin/who/who.c   12 Jul 2018 16:18:13 -0000
@@ -74,7 +74,7 @@ main(int argc, char *argv[])
 
        setlocale(LC_ALL, "");
 
-       if (pledge("stdio rpath getpw", NULL) == -1)
+       if (pledge("stdio unveil rpath getpw", NULL) == -1)
                err(1, "pledge");
 
        if ((mytty = ttyname(0))) {
@@ -122,8 +122,12 @@ main(int argc, char *argv[])
        if (show_labels)
                output_labels();
 
+       if (unveil(_PATH_UTMP, "r") == -1)
+               err(1, "unveil");
        switch (argc) {
        case 0:                                 /* who */
+               if (pledge("stdio rpath getpw", NULL) == -1)
+                       err(1, "pledge");
                ufp = file(_PATH_UTMP);
 
                if (only_current_term) {
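Review bot: The same `pledge("stdio rpath getpw", NULL)` is repeated in each case of the switch (here and in the two hunks below), and the only reason is that case 1 has to unveil `*argv` first. Hoisting that unveil ahead of the switch, `if (argc == 1 && unveil(*argv, "r") == -1) err(1, "unveil");`, lets a single pledge call follow the `_PATH_UTMP` unveil and removes the three copies. The `_PATH_UTMP` unveil is also issued for `who utmp_file`, where only the given file is read; harmless, but `r` on a path that run never opens is more than it needs.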
@@ -150,6 +154,10 @@ main(int argc, char *argv[])
                }
                break;
        case 1:                                 /* who utmp_file */
+               if (unveil(*argv, "r") == -1)
+                       err(1, "unveil");
+               if (pledge("stdio rpath getpw", NULL) == -1)
+                       err(1, "pledge");
                ufp = file(*argv);
 
                if (only_current_term) {
@@ -175,6 +183,8 @@ main(int argc, char *argv[])
                }
                break;
        case 2:                                 /* who am i */
+               if (pledge("stdio rpath getpw", NULL) == -1)
+                       err(1, "pledge");
                ufp = file(_PATH_UTMP);
                who_am_i(ufp);
                break;
Index: usr.sbin/acme-client/fileproc.c
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/fileproc.c,v
retrieving revision 1.14
diff -u -p -u -r1.14 fileproc.c
--- usr.sbin/acme-client/fileproc.c     24 Jan 2017 13:32:55 -0000      1.14
+++ usr.sbin/acme-client/fileproc.c     12 Jul 2018 16:18:13 -0000
@@ -15,6 +15,8 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#include <sys/stat.h>
+
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -27,37 +29,52 @@
 #include "extern.h"
 
 static int
-serialise(const char *tmp, const char *real,
-    const char *v, size_t vsz, const char *v2, size_t v2sz)
+serialise(const char *real, const char *v, size_t vsz, const char *v2, size_t 
v2sz)
 {
-       int      fd;
+       int       fd;
+       char     *tmp;
 
        /*
         * Write into backup location, overwriting.
-        * Then atomically (?) do the rename.
+        * Then atomically do the rename.
         */
 
-       fd = open(tmp, O_WRONLY|O_CREAT|O_TRUNC, 0444);
-       if (fd == -1) {
-               warn("%s", tmp);
+       if (asprintf(&tmp, "%s.XXXXXXXXXX", real) == -1) {
+               warn("asprintf");
                return 0;
-       } else if ((ssize_t)vsz != write(fd, v, vsz)) {
-               warnx("%s", tmp);
+       }
+       if ((fd = mkstemp(tmp)) == -1) {
+               warn("mkstemp");
+               goto out;
+       }       
+       if (fchmod(fd, 0444) == -1) {
+               warn("fchmod");
+               goto out;
+       }
+       if ((ssize_t)vsz != write(fd, v, vsz)) {
+               warnx("write");
                close(fd);
-               return 0;
-       } else if (v2 != NULL && write(fd, v2, v2sz) != (ssize_t)v2sz) {
-               warnx("%s", tmp);
+               goto out;
+       }
+       if (v2 != NULL && write(fd, v2, v2sz) != (ssize_t)v2sz) {
+               warnx("write");
                close(fd);
-               return 0;
-       } else if (close(fd) == -1) {
-               warn("%s", tmp);
-               return 0;
-       } else if (rename(tmp, real) == -1) {
+               goto out;
+       }
+       if (close(fd) == -1) {
+               warn("close");
+               goto out;
+       }
+       if (rename(tmp, real) == -1) {
                warn("%s", real);
-               return 0;
+               (void) unlink(tmp);
+               goto out;
        }
 
        return 1;
+out:
+       free(tmp);
+       return 0;
 }
 
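Review bot: The success path `return 1;` bypasses `free(tmp)`, so the asprintf'd template leaks on every successful write, and the failure paths are uneven: a failed fchmod leaves the descriptor open and the mkstemp'd file on disk, the two write failures and the close failure close the fd but never unlink the temporary, and only the rename failure removes it — each error strands a `<real>.XXXXXXXXXX` file in certdir. The rewrite below sends every post-mkstemp failure through one `bad:` label that closes the descriptor when still open and unlinks the temporary, and frees tmp on success as well. The `}` closing the mkstemp check also carries trailing whitespace.
```c
	/* … unchanged: asprintf of the "%s.XXXXXXXXXX" template … */
	if ((fd = mkstemp(tmp)) == -1) {
		warn("mkstemp");
		goto out;
	}
	if (fchmod(fd, 0444) == -1) {
		warn("fchmod");
		goto bad;
	}
	if ((ssize_t)vsz != write(fd, v, vsz)) {
		warnx("write");
		goto bad;
	}
	if (v2 != NULL && write(fd, v2, v2sz) != (ssize_t)v2sz) {
		warnx("write");
		goto bad;
	}
	if (close(fd) == -1) {
		warn("close");
		fd = -1;
		goto bad;
	}
	fd = -1;
	if (rename(tmp, real) == -1) {
		warn("%s", real);
		goto bad;
	}
	free(tmp);
	return 1;
bad:
	/* fd is -1 once close() has been attempted; never close it twice */
	if (fd != -1)
		close(fd);
	(void)unlink(tmp);
out:
	free(tmp);
	return 0;
```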
 int
@@ -65,15 +82,15 @@ fileproc(int certsock, const char *certd
     *chainfile, const char *fullchainfile)
 {
        char            *csr = NULL, *ch = NULL;
-       char            *certfile_bak = NULL, *chainfile_bak = NULL;
-       char            *fullchainfile_bak = NULL;
        size_t           chsz, csz;
        int              rc = 0;
        long             lval;
        enum fileop      op;
 
-       /* File-system and sandbox jailing. */
-
+       if (unveil(certdir, "rwc") == -1) {
+               warn("unveil");
+               goto out;
+       }
        if (chroot(certdir) == -1) {
                warn("chroot");
                goto out;
@@ -85,9 +102,9 @@ fileproc(int certsock, const char *certd
 
        /*
         * rpath and cpath for rename, wpath and cpath for
-        * writing to the temporary.
+        * writing to the temporary. fattr for fchmod.
         */
-       if (pledge("stdio cpath wpath rpath", NULL) == -1) {
+       if (pledge("stdio cpath wpath rpath fattr", NULL) == -1) {
                warn("pledge");
                goto out;
        }
@@ -148,32 +165,12 @@ fileproc(int certsock, const char *certd
         * Start by downloading the chain PEM as a buffer.
         * This is not NUL-terminated, but we're just going to guess
         * that it's well-formed and not actually touch the data.
-        * Once downloaded, dump it into CHAIN_BAK.
         */
-
-       if (certfile)
-               if (asprintf(&certfile_bak, "%s~", certfile) == -1) {
-                       warn("asprintf");
-                       goto out;
-               }
-
-       if (chainfile)
-               if (asprintf(&chainfile_bak, "%s~", chainfile) == -1) {
-                       warn("asprintf");
-                       goto out;
-               }
-
-       if (fullchainfile)
-               if (asprintf(&fullchainfile_bak, "%s~", fullchainfile) == -1) {
-                       warn("asprintf");
-                       goto out;
-               }
-
        if ((ch = readbuf(certsock, COMM_CHAIN, &chsz)) == NULL)
                goto out;
 
        if (chainfile) {
-               if (!serialise(chainfile_bak, chainfile, ch, chsz, NULL, 0))
+               if (!serialise(chainfile, ch, chsz, NULL, 0))
                        goto out;
 
                dodbg("%s/%s: created", certdir, chainfile);
@@ -190,7 +187,7 @@ fileproc(int certsock, const char *certd
                goto out;
 
        if (certfile) {
-               if (!serialise(certfile_bak, certfile, csr, csz, NULL, 0))
+               if (!serialise(certfile, csr, csz, NULL, 0))
                        goto out;
 
                dodbg("%s/%s: created", certdir, certfile);
@@ -203,7 +200,7 @@ fileproc(int certsock, const char *certd
         * on-file certificates were changed.
         */
        if (fullchainfile) {
-               if (!serialise(fullchainfile_bak, fullchainfile, csr, csz, ch,
+               if (!serialise(fullchainfile, csr, csz, ch,
                    chsz))
                        goto out;
 
@@ -215,8 +212,5 @@ out:
        close(certsock);
        free(csr);
        free(ch);
-       free(certfile_bak);
-       free(chainfile_bak);
-       free(fullchainfile_bak);
        return rc;
 }
Index: usr.sbin/acme-client/http.c
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/http.c,v
retrieving revision 1.21
diff -u -p -u -r1.21 http.c
--- usr.sbin/acme-client/http.c 6 Feb 2018 04:19:56 -0000       1.21
+++ usr.sbin/acme-client/http.c 12 Jul 2018 16:18:13 -0000
@@ -35,8 +35,6 @@
 #include "http.h"
 #include "extern.h"
 
-#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
-
 /*
  * A buffer for transferring HTTP/S data.
  */
Index: usr.sbin/acme-client/http.h
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/http.h,v
retrieving revision 1.5
diff -u -p -u -r1.5 http.h
--- usr.sbin/acme-client/http.h 25 Jan 2017 13:52:53 -0000      1.5
+++ usr.sbin/acme-client/http.h 12 Jul 2018 16:18:13 -0000
@@ -61,6 +61,7 @@ struct        httpget {
        size_t           bodypartsz; /* size of bodypart */
 };
 
+#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
 int             http_init(void);
 
 /* Convenience functions. */
Index: usr.sbin/acme-client/netproc.c
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/netproc.c,v
retrieving revision 1.16
diff -u -p -u -r1.16 netproc.c
--- usr.sbin/acme-client/netproc.c      14 Mar 2018 12:28:25 -0000      1.16
+++ usr.sbin/acme-client/netproc.c      12 Jul 2018 16:18:13 -0000
@@ -612,6 +612,11 @@ netproc(int kfd, int afd, int Cfd, int c
        memset(&paths, 0, sizeof(struct capaths));
        memset(&c, 0, sizeof(struct conn));
 
+       if (unveil(DEFAULT_CA_FILE, "r") == -1) {
+               warn("unveil");
+               goto out;
+       }
+
        if (pledge("stdio inet rpath", NULL) == -1) {
                warn("pledge");
                goto out;
Index: usr.sbin/acpidump/acpidump.c
===================================================================
RCS file: /cvs/src/usr.sbin/acpidump/acpidump.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 acpidump.c
--- usr.sbin/acpidump/acpidump.c        30 Jun 2018 19:45:41 -0000      1.19
+++ usr.sbin/acpidump/acpidump.c        12 Jul 2018 16:18:13 -0000
@@ -40,6 +40,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <limits.h>
+#include <paths.h>
 
 
 #define vm_page_size sysconf(_SC_PAGESIZE)
@@ -601,6 +602,18 @@ asl_dump_from_devmem(void)
 
        acpi_user_init();
 
+       if (unveil(aml_dumpfile, "wc") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_MEM, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_KMEM, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_KVMDB, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_KSYMS, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/bsd", "r") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath cpath", NULL) == -1)
                err(1, "pledge");
 
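Review bot: `unveil(aml_dumpfile, "wc")` is unconditional; if aml_dumpfile can still be NULL when no `-o` output file was requested (its initialization is outside this hunk), unveil(2) fails and the program exits before dumping anything, so guard it: `if (aml_dumpfile != NULL && unveil(aml_dumpfile, "wc") == -1)`. The kernel is named by the literal `"/bsd"` while every other entry uses a `_PATH_*` constant; `<paths.h>`, which this diff adds, provides `_PATH_UNIX` for the same path.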
Index: usr.sbin/bgpctl/bgpctl.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpctl/bgpctl.c,v
retrieving revision 1.209
diff -u -p -u -r1.209 bgpctl.c
--- usr.sbin/bgpctl/bgpctl.c    22 Jul 2018 17:07:53 -0000      1.209
+++ usr.sbin/bgpctl/bgpctl.c    25 Jul 2018 17:04:18 -0000
@@ -124,7 +124,7 @@ main(int argc, char *argv[])
        char                    *sockname;
        enum imsg_type           type;
 
-       if (pledge("stdio rpath wpath cpath unix inet dns", NULL) == -1)
+       if (pledge("stdio unveil rpath wpath cpath unix inet dns", NULL) == -1)
                err(1, "pledge");
 
        r = getrtable();
@@ -192,7 +192,9 @@ main(int argc, char *argv[])
                break;
        }
 
-       if (pledge("stdio rpath wpath unix", NULL) == -1)
+       if (unveil(sockname, "r") == -1)
+               err(1, "unveil");
+       if (pledge("stdio unix", NULL) == -1)
                err(1, "pledge");
 
        if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
Index: usr.sbin/dev_mkdb/dev_mkdb.c
===================================================================
RCS file: /cvs/src/usr.sbin/dev_mkdb/dev_mkdb.c,v
retrieving revision 1.15
diff -u -p -u -r1.15 dev_mkdb.c
--- usr.sbin/dev_mkdb/dev_mkdb.c        16 Oct 2015 13:37:44 -0000      1.15
+++ usr.sbin/dev_mkdb/dev_mkdb.c        12 Jul 2018 16:18:13 -0000
@@ -61,6 +61,15 @@ main(int argc, char *argv[])
        u_char buf[MAXNAMLEN + 1];
        char dbtmp[PATH_MAX], dbname[PATH_MAX];
 
+       (void)snprintf(dbtmp, sizeof(dbtmp), "%sdev.tmp", _PATH_VARRUN);
+       (void)snprintf(dbname, sizeof(dbtmp), "%sdev.db", _PATH_VARRUN);
+
+       if (unveil("/dev", "r") == -1)
+               err(1, "unveil");
+       if (unveil(dbtmp, "rwc") == -1)
+               err(1, "unveil");
+       if (unveil(dbname, "wc") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath cpath flock", NULL) == -1)
                err(1, "pledge");
 
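Review bot: The relocated `snprintf(dbname, sizeof(dbtmp), ...)` still sizes the dbname write by the other buffer; both are PATH_MAX so it is harmless today, but since the lines are being moved anyway, `(void)snprintf(dbname, sizeof(dbname), "%sdev.db", _PATH_VARRUN);` removes the trap. The asymmetric permissions on `dbtmp` (`rwc`) and `dbname` (`wc`) follow from creating and locking the temporary and then renaming it over the real database; a one-line comment stating that would save the next reader from checking the unveil(2) table.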
@@ -81,8 +90,6 @@ main(int argc, char *argv[])
 
        dirp = opendir(".");
 
-       (void)snprintf(dbtmp, sizeof(dbtmp), "%sdev.tmp", _PATH_VARRUN);
-       (void)snprintf(dbname, sizeof(dbtmp), "%sdev.db", _PATH_VARRUN);
        bzero(&info, sizeof(info));
        info.bsize = 8192;
        db = dbopen(dbtmp, O_CREAT|O_EXLOCK|O_RDWR|O_TRUNC,
@@ -101,6 +108,9 @@ main(int argc, char *argv[])
        key.size = sizeof(bkey);
        data.data = buf;
        while ((dp = readdir(dirp))) {
+               if (strcmp(dp->d_name, "..") == 0)
+                       continue;
+
                if (lstat(dp->d_name, &sb)) {
                        warn("%s", dp->d_name);
                        continue;
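Review bot: The new `..` skip has no comment; presumably it exists because `..` of /dev lies outside the unveiled `/dev` and the `lstat` on it would now fail and warn on every run. `/* ".." is outside the unveil(2)ed /dev; lstat would fail */` records that, and also explains why `.` still works.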
Index: usr.sbin/makefs/makefs.c
===================================================================
RCS file: /cvs/src/usr.sbin/makefs/makefs.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 makefs.c
--- usr.sbin/makefs/makefs.c    17 Dec 2016 16:12:15 -0000      1.19
+++ usr.sbin/makefs/makefs.c    12 Jul 2018 16:18:13 -0000
@@ -198,6 +198,10 @@ main(int argc, char *argv[])
        if (argc != 2)
                usage();
 
+       if (unveil(argv[0], "rwc") == -1)
+               err(1, "unveil");
+       if (unveil(argv[1], "rw") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath cpath", NULL) == -1)
                err(1, "pledge");
 
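Review bot: The source directory `argv[1]` is unveiled `rw` while the image `argv[0]` gets `rwc`; if makefs only walks and reads the source tree, `r` is the least privilege that works and `w` widens the view for no reason. If some code path does modify sources, a comment naming it next to the call would justify the `w`.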
Index: usr.sbin/ntpd/ntpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
retrieving revision 1.113
diff -u -p -u -r1.113 ntpd.c
--- usr.sbin/ntpd/ntpd.c        9 Jan 2017 14:49:22 -0000       1.113
+++ usr.sbin/ntpd/ntpd.c        12 Jul 2018 16:18:13 -0000
@@ -244,6 +244,8 @@ main(int argc, char *argv[])
         * Constraint processes are forked with certificates in memory,
         * then privdrop into chroot before speaking to the outside world.
         */
+       if (unveil("/etc/ssl/cert.pem", "r") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath inet settime proc exec id", NULL) == -1)
                err(1, "pledge");
 
Index: usr.sbin/portmap/portmap.c
===================================================================
RCS file: /cvs/src/usr.sbin/portmap/portmap.c,v
retrieving revision 1.48
diff -u -p -u -r1.48 portmap.c
--- usr.sbin/portmap/portmap.c  14 Oct 2015 13:32:44 -0000      1.48
+++ usr.sbin/portmap/portmap.c  12 Jul 2018 16:18:13 -0000
@@ -609,7 +609,7 @@ callit(struct svc_req *rqstp, SVCXPRT *x
                return;
        }
 
-       if (pledge("stdio rpath inet", NULL) == -1)
+       if (pledge("stdio inet", NULL) == -1)
                err(1, "pledge");
 
        port = pml->pml_map.pm_port;
Index: usr.sbin/pstat/pstat.c
===================================================================
RCS file: /cvs/src/usr.sbin/pstat/pstat.c,v
retrieving revision 1.117
diff -u -p -u -r1.117 pstat.c
--- usr.sbin/pstat/pstat.c      18 Jun 2018 09:15:05 -0000      1.117
+++ usr.sbin/pstat/pstat.c      12 Jul 2018 16:18:13 -0000
@@ -229,6 +229,8 @@ main(int argc, char *argv[])
                        ttymodeprep();
        }
 
+       if (unveil(_PATH_DEVDB, "r") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath vminfo", NULL) == -1)
                err(1, "pledge");
 
Index: usr.sbin/rarpd/rarpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/rarpd/rarpd.c,v
retrieving revision 1.74
diff -u -p -u -r1.74 rarpd.c
--- usr.sbin/rarpd/rarpd.c      1 Jun 2018 07:36:13 -0000       1.74
+++ usr.sbin/rarpd/rarpd.c      12 Jul 2018 16:18:13 -0000
@@ -95,6 +95,10 @@ int  fflag = 0;              /* don't fork */
 int    lflag = 0;              /* log all replies */
 int    tflag = 0;              /* tftpboot check */
 
+#ifndef TFTP_DIR
+#define TFTP_DIR "/tftpboot"
+#endif
+
 int
 main(int argc, char *argv[])
 {
@@ -334,6 +338,8 @@ rarp_loop(void)
 
        arptab_init();
 
+       if (unveil(TFTP_DIR, "r") == -1)
+               error("unveil");
        if (pledge("stdio rpath dns", NULL) == -1)
                error("pledge");
 
@@ -387,10 +393,6 @@ rarp_loop(void)
        }
        free(pfd);
 }
-
-#ifndef TFTP_DIR
-#define TFTP_DIR "/tftpboot"
-#endif
 
 /*
  * True if this server can boot the host whose IP address is 'addr'.
Index: usr.sbin/spamdb/spamdb.c
===================================================================
RCS file: /cvs/src/usr.sbin/spamdb/spamdb.c,v
retrieving revision 1.34
diff -u -p -u -r1.34 spamdb.c
--- usr.sbin/spamdb/spamdb.c    29 Oct 2017 19:11:34 -0000      1.34
+++ usr.sbin/spamdb/spamdb.c    26 Jul 2018 15:13:18 -0000
@@ -360,6 +360,9 @@ main(int argc, char **argv)
        if (action == 0 && type != WHITE)
                usage();
        
+       if (unveil(PATH_SPAMD_DB, "rw") == -1)
+               err(1, "unveil");
+
        memset(&hashinfo, 0, sizeof(hashinfo));
        db = dbopen(PATH_SPAMD_DB, O_EXLOCK | (action ? O_RDWR : O_RDONLY),
            0600, DB_HASH, &hashinfo);
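Review bot: After `unveil(PATH_SPAMD_DB, "rw")` nothing in the hunk locks the rule set — no `unveil(NULL, NULL)` and no pledge(2) without the `unveil` promise — so unless spamdb pledges later (outside this hunk) the view remains modifiable and the call restricts nothing a later unveil could not widen. Add `if (unveil(NULL, NULL) == -1) err(1, "unveil");` after it, or a pledge without `unveil`, as the other programs in this diff do. `rw` is also requested even when `action == 0` opens the database `O_RDONLY`; `action ? "rw" : "r"` would match the dbopen mode on the next lines.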
Index: usr.sbin/syslogd/privsep.c
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/privsep.c,v
retrieving revision 1.68
diff -u -p -u -r1.68 privsep.c
--- usr.sbin/syslogd/privsep.c  26 Apr 2018 13:40:09 -0000      1.68
+++ usr.sbin/syslogd/privsep.c  12 Jul 2018 16:18:13 -0000
@@ -184,7 +184,17 @@ priv_exec(char *conf, int numeric, int c
        if (pw == NULL)
                errx(1, "unknown user _syslogd");
 
-       if (pledge("stdio rpath wpath cpath dns sendfd id proc exec",
+       if (unveil(conf, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_UTMP, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/dev", "rw") == -1)
+               err(1, "unveil");
+       if (unveil("/bin/sh", "x") == -1)
+               err(1, "unveil");
+//     if (unveil("/var", "rw") == -1)
+//             err(1, "unveil");
+       if (pledge("stdio unveil rpath wpath cpath dns sendfd id proc exec",
            NULL) == -1)
                err(1, "pledge priv");
 
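Review bot: The two `//` lines are commented-out code for a `/var` unveil, left in with C++-style comments; either decide whether `/var` is needed (individual log files are unveiled in check_log_name below) and delete the lines, or replace them with a real `/* XXX */` note stating what is unresolved. `unveil("/bin/sh", "x")` is a literal where `_PATH_BSHELL` from `<paths.h>` names the same binary, if that header is included.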
@@ -312,6 +322,9 @@ priv_exec(char *conf, int numeric, int c
                        break;
 
                case PRIV_DONE_CONFIG_PARSE:
+                       if (pledge("stdio rpath wpath cpath dns sendfd id proc 
exec",
+                           NULL) == -1)
+                               err(1, "pledge done config");
                        log_debug("[priv]: msg PRIV_DONE_CONFIG_PARSE "
                            "received");
                        increase_state(STATE_RUNNING);
@@ -554,6 +567,8 @@ check_log_name(char *lognam, size_t logs
                        err(1, "check_log_name() malloc");
                strlcpy(lg->path, lognam, PATH_MAX);
                TAILQ_INSERT_TAIL(&lognames, lg, next);
+               if (unveil(lognam, "w") == -1)
+                       errx(1, "unveil");
                break;
        case STATE_RUNNING:
                TAILQ_FOREACH(lg, &lognames, next)
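Review bot: The unveil failure here uses `errx(1, "unveil")`, which discards errno, while every other unveil failure in this diff uses `err`; the kernel's reason (EPERM, ENOENT, E2BIG) is exactly what an operator needs when a log path from syslog.conf is rejected, so make it `err(1, "unveil");`. check_log_name's body starts outside the hunk.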
Index: usr.sbin/vmctl/main.c
===================================================================
RCS file: /cvs/src/usr.sbin/vmctl/main.c,v
retrieving revision 1.39
diff -u -p -u -r1.39 main.c
--- usr.sbin/vmctl/main.c       12 Jul 2018 14:53:37 -0000      1.39
+++ usr.sbin/vmctl/main.c       25 Jul 2018 17:04:20 -0000
@@ -45,7 +45,15 @@ static int            tty_autoconnect = 0;
 __dead void     usage(void);
 __dead void     ctl_usage(struct ctl_command *);
 
+int             vmmaction(struct parse_result *);
 int             vmm_action(struct parse_result *);
+int             parse_ifs(struct parse_result *, char *, int);
+int             parse_network(struct parse_result *, char *);
+int             parse_size(struct parse_result *, char *, long long);
+int             parse_disk(struct parse_result *, char *);
+int             parse_vmid(struct parse_result *, char *, int);
+void            parse_free(struct parse_result *);
+int             parse(int, char *[]);
 
 int             ctl_console(struct parse_result *, int, char *[]);
 int             ctl_create(struct parse_result *, int, char *[]);
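Review bot: The new prototype `vmmaction` sits directly above the existing `vmm_action`, two names for what looks like the same entry point; if `vmm_action` is no longer defined anywhere the stale declaration should go rather than remain beside the new one, and if both exist the near-identical names invite confusion. The `parse_*` forward declarations are unrelated to unveil and would read better as a separate commit.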
@@ -158,9 +166,14 @@ parse(int argc, char *argv[])
        res.action = ctl->action;
        res.ctl = ctl;
 
+       if (unveil(SOCKET_NAME, "r") == -1)
+               err(1, "unveil");
+       
        if (!ctl->has_pledge) {
                /* pledge(2) default if command doesn't have its own pledge */
-               if (pledge("stdio rpath exec unix getpw", NULL) == -1)
+               if (unveil(VMCTL_CU, "x") == -1)
+                       err(1, "unveil");
+               if (pledge("stdio rpath exec unix getpw paths", NULL) == -1)
                        err(1, "pledge");
        }
        if (ctl->main(&res, argc, argv) != 0)
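Review bot: The pledge string now ends in `paths`, which no other hunk in this diff uses — everywhere else the promise that permits later unveil(2) calls is spelled `unveil` — so unless the kernel side accepts `paths` this pledge fails with EINVAL and vmctl exits for every command without its own pledge. Since both unveils in this path are issued before the pledge, no such promise is needed at all: `if (pledge("stdio rpath exec unix getpw", NULL) == -1)`. The blank line after the SOCKET_NAME unveil carries trailing whitespace.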
@@ -477,6 +490,10 @@ ctl_create(struct parse_result *res, int
 
        paths[0] = argv[1];
        paths[1] = NULL;
+
+       if (unveil(paths[0], "rwc") == -1)
+               err(1, "unveil");
+
        if (pledge("stdio rpath wpath cpath", NULL) == -1)
                err(1, "pledge");
        argc--;
