CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected] 2018/08/07 12:36:49

Modified files:
        usr.sbin/syslogd: privsep.c 

Log message:
Unveil fits nicely into the syslogd privsep model.  Unveiled files
include config file "r", utmp "r", /dev "rw", /bin/sh "x" for running
piped commands, and the syslogd binary "x" itself for HUP re-exec upon
config loads with changes.  Also unveiled in the privsep process are
the specific log files being written to.

If a config file reload changes no files, the existing privsep process
keeps running with unveils to the relevant files (therefore it can
cope with newsyslogd taking files away).  If a new config file is loaded
which changes the output files, the privsep process is restarted with
fork+exec, and installs new unveils as needed.  The safety we gain from
unveil is that we've pigeonholed the privsep file-writer to exactly the
files required.

Help from bluhm for some edge cases.
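
The unveil set and the reload decision described in the log message, as an added C sketch that is not the code from privsep.c. The concrete paths, the "w" permission on log files, the final unveil(NULL, NULL) lock, the non-OpenBSD shim and the function names priv_restrict and need_reexec are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Shim (assumption): unveil(2) is OpenBSD-only; elsewhere record the calls. */
static char shim_log[16][64];
static int shim_n, shim_locked;
static int unveil(const char *path, const char *perms)
{
	if (shim_locked)
		return -1;	/* real unveil fails with EPERM once locked */
	if (path == NULL && perms == NULL) {
		shim_locked = 1;
		return 0;
	}
	if (shim_n == 16)
		return -1;
	snprintf(shim_log[shim_n++], sizeof(shim_log[0]), "%s %s", path, perms);
	return 0;
}
#endif

/* Fixed view from the log message; the concrete paths are assumptions. */
static const char *base_view[][2] = {
	{ "/etc/syslog.conf", "r" },	/* config file */
	{ "/var/run/utmp", "r" },	/* utmp */
	{ "/dev", "rw" },
	{ "/bin/sh", "x" },		/* running piped commands */
	{ "/usr/sbin/syslogd", "x" },	/* HUP re-exec */
};

/* Unveil the fixed view plus each log file, then lock the list. */
int priv_restrict(const char **logs, int nlogs)
{
	int i;
	for (i = 0; i < (int)(sizeof(base_view) / sizeof(base_view[0])); i++)
		if (unveil(base_view[i][0], base_view[i][1]) == -1)
			return -1;
	for (i = 0; i < nlogs; i++)
		if (unveil(logs[i], "w") == -1)	/* "w" is an assumption */
			return -1;
	return unveil(NULL, NULL);
}

/* Reload: restart via fork+exec only if the output file list changed. */
int need_reexec(const char **was, int nwas, const char **now, int nnow)
{
	int i;
	for (i = 0; i < nwas && i < nnow; i++)
		if (strcmp(was[i], now[i]) != 0)
			return 1;
	return nwas != nnow;
}
```

Once the list is locked the process cannot widen its own view, which is why a changed set of output files needs a fresh process rather than more unveil calls.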
