Hi,

When spamd runs in greylist mode, we know that the only files the parent process (which runs greywatcher()) will ever access are PATH_SPAMD_DB in rw and alloweddomains_file in r, and that it will need to exec PATH_PFCTL, so we can unveil them with those permissions.
All other necessary files, such as certificates if used and /dev/pf, were already opened by this time, so they don't need to be unveiled. /dev/fd/* doesn't need to be unveiled since, from spamd's perspective, it is only a parameter for pfctl. Furthermore, the child process loop already runs without fs access.

Comments? OK?

Index: grey.c =================================================================== RCS file: /cvs/src/libexec/spamd/grey.c,v retrieving revision 1.65 diff -u -p -u -r1.65 grey.c --- grey.c 18 Oct 2017 17:31:01 -0000 1.65 +++ grey.c 23 Oct 2018 08:39:38 -0000 @@ -1078,6 +1078,18 @@ greywatcher(void) drop_privs(); + if (unveil(PATH_SPAMD_DB, "rw") == -1) { + syslog_r(LOG_ERR, &sdata, "unveil failed (%m)"); + exit(1); + } + if (unveil(alloweddomains_file, "r") == -1) { + syslog_r(LOG_ERR, &sdata, "unveil failed (%m)"); + exit(1); + } + if (unveil(PATH_PFCTL, "x") == -1) { + syslog_r(LOG_ERR, &sdata, "unveil failed (%m)"); + exit(1); + } if (pledge("stdio rpath wpath inet flock proc exec", NULL) == -1) { syslog_r(LOG_ERR, &sdata, "pledge failed (%m)"); exit(1);
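Review bot: the three new error branches in the greywatcher() hunk log the identical string "unveil failed (%m)", so a failure in production cannot be traced to PATH_SPAMD_DB, alloweddomains_file or PATH_PFCTL without a debugger; consider including the path in each message, e.g. `syslog_r(LOG_ERR, &sdata, "unveil %s failed (%m)", PATH_SPAMD_DB);` and likewise for the other two calls. The placement is otherwise right: the unveil calls sit after drop_privs() and before the existing pledge(), whose promise string omits "unveil", so the view is locked at the pledge point and no later unveil can widen it.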