Hi,

One missing piece when I added pledge(2) to dhcpd(8) was the code path taken when
it's invoked with either -A/-C/-L, which at the time I left alone because it
uses some ioctls that pledge(2) forbids.

Now we have unveil(2), and this path can be further restricted by using it
instead of chroot(2), since this "sandbox" (not sure why people call about
everything a sandbox these days) can be escaped with *at(2) calls.

Since no filesystem access is needed here, we can disable it by calling
unveil("/", "") followed by unveil(NULL, NULL).

Comments? OK?

Index: pfutils.c
===================================================================
RCS file: /cvs/src/usr.sbin/dhcpd/pfutils.c,v
retrieving revision 1.20
diff -u -p -u -r1.20 pfutils.c
--- pfutils.c   28 Jun 2019 13:32:47 -0000      1.20
+++ pfutils.c   6 Aug 2019 13:28:11 -0000
@@ -54,14 +54,16 @@ pftable_handler()
 
        if ((fd = open(_PATH_DEV_PF, O_RDWR|O_NOFOLLOW, 0660)) == -1)
                fatal("can't open pf device");
-       if (chroot(_PATH_VAREMPTY) == -1)
-               fatal("chroot %s", _PATH_VAREMPTY);
-       if (chdir("/") == -1)
-               fatal("chdir(\"/\")");
+
        if (setgroups(1, &pw->pw_gid) ||
            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
                fatal("can't drop privileges");
+
+       if (unveil("/", "") == -1)
+               fatal("unveil");
+       if (unveil(NULL, NULL) == -1)
+               fatal("unveil");
 
        setproctitle("pf table handler");
        l = sizeof(struct pf_cmd);
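Review bot: Both new unveil(2) calls at the end of the hunk fail with the identical message `fatal("unveil")`, so a failure reported from the field cannot be attributed to the `unveil("/", "")` call or to the locking `unveil(NULL, NULL)` call; giving each its own text, e.g. `fatal("unveil /")` for the first and `fatal("unveil lock")` for the second, keeps the diagnostic unambiguous. A one-line comment above the pair, such as `/* the pf device is already open; no further filesystem access is needed, so hide it all */`, would also record in the code why chroot(2)/chdir(2) were dropped, since that reasoning currently lives only in the mail. pftable_handler's body starts and ends outside the hunk.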
