Hi,

When spamd runs in greylist mode, we know that the only files the parent
process (which runs greywatcher()) will ever access are PATH_SPAMD_DB in rw
and alloweddomains_file in r, and that it will need to exec PATH_PFCTL, so we
can unveil them with those permissions.

All other necessary files, such as certificates if used and /dev/pf, were
already opened by this time, so they don't need to be unveiled. /dev/fd/*
doesn't need to be unveiled since, from spamd's perspective, it is only a
parameter for pfctl. Furthermore, the child process loop already runs without
fs access.

Comments? OK?

Index: grey.c
===================================================================
RCS file: /cvs/src/libexec/spamd/grey.c,v
retrieving revision 1.65
diff -u -p -u -r1.65 grey.c
--- grey.c      18 Oct 2017 17:31:01 -0000      1.65
+++ grey.c      23 Oct 2018 08:39:38 -0000
@@ -1078,6 +1078,18 @@ greywatcher(void)
 
        drop_privs();
 
+       if (unveil(PATH_SPAMD_DB, "rw") == -1) {
+               syslog_r(LOG_ERR, &sdata, "unveil failed (%m)");
+               exit(1);
+       }
+       if (unveil(alloweddomains_file, "r") == -1) {
+               syslog_r(LOG_ERR, &sdata, "unveil failed (%m)");
+               exit(1);
+       }
+       if (unveil(PATH_PFCTL, "x") == -1) {
+               syslog_r(LOG_ERR, &sdata, "unveil failed (%m)");
+               exit(1);
+       }
        if (pledge("stdio rpath wpath inet flock proc exec", NULL) == -1) {
                syslog_r(LOG_ERR, &sdata, "pledge failed (%m)");
                exit(1);
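Review bot: the three new error branches all log the identical string "unveil failed (%m)", so a failure in the field cannot be attributed to PATH_SPAMD_DB, alloweddomains_file or PATH_PFCTL; consider including the path in each message, e.g. `syslog_r(LOG_ERR, &sdata, "unveil %s failed (%m)", PATH_SPAMD_DB);`. It is also worth stating in the commit message that the unveil set is locked by the following pledge() call, whose promise string does not include "unveil", so no explicit unveil(NULL, NULL) is needed here; a reader checking this hunk on its own may otherwise look for the missing lock-down call.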
