On Fri, May 13, 2016 at 10:52:34PM +0200, Theo Buehler wrote:
> opendev(3) should not be called by pledged processes, so the pledge of
> dumpfs(8) needs to be redone:

I agree.

> opendev is called in a loop over argv.
> 
> As dumpfs spews a whole lot of potentially untrusted data to stdout,
> fork, read the data in the child and pipe it to the pledged parent
> that writes it to stdout. pledge the child before dumping the last fs.
> Thus the common case of dumping a single fs runs almost entirely
> under pledge.

I dunno if the approach makes sense: basically you create one process
(unpledged and with full privileges - except for the last argument) that
will call opendev(3) and dumpfs(), and the pledged process will be used
to write(2) data to stdout...

The part that needs attention is the process which calls the dumpfs()
function. It is this one that requires pledge(2), not the one that does
write(2).

I think there are two possibilities:
  - remove the capability to pass multiple fs (I dunno if it is used -
    if it is, this "possibility" isn't suitable - but the man page
    doesn't document this possibility).

    This way, call opendev(3) unpledged, and then call pledge(2). No
    need for multiple processes.

  - keep the main process unpledged, fork(2) for each fs inside the loop,
    and call pledge(2) after opendev(3). So the child (which calls the
    sensitive dumpfs() function) will be pledged, and the parent
    (unpledged) will only do write(2).

    So in *all cases*, the process that processes untrusted data is
    pledged, not only if you pass one argument.

-- 
Sebastien Marie
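The second layout above (unpledged parent loops over argv, forks a child per fs, the child opens the device, pledges, and only then parses it, the parent only copies the child's output to stdout), written out as an added example. This is not code from the thread or from OpenBSD's dumpfs(8): opendev(3) is replaced by a plain open(2), dumpfs() by a hypothetical dump_fd() that hex-dumps the first 16 bytes, and pledge(2) is compiled in only on OpenBSD, with a no-op stand-in elsewhere so the example builds and runs on other systems.

```c
/* Added example: fork-per-argument privilege separation in the shape
 * discussed above. Not dumpfs(8)'s code; open(2) stands in for opendev(3),
 * dump_fd() stands in for dumpfs(). */
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Hypothetical stand-in so the example compiles off OpenBSD: it does not
 * sandbox anything. The real pledge(2) is declared in <unistd.h>. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises;
    (void)execpromises;
    return 0;
}
#endif

/* Stand-in for dumpfs(): the part that parses untrusted on-disk data.
 * Reads up to 16 bytes from fd and writes them as one hex line to out.
 * Only ever runs after pledge(2) in the child. */
static int dump_fd(int fd, int out)
{
    unsigned char hdr[16];
    char line[80];
    int len = 0;
    ssize_t n = read(fd, hdr, sizeof hdr);

    if (n < 0)
        return -1;
    for (ssize_t i = 0; i < n; i++)
        len += snprintf(line + len, sizeof line - (size_t)len, "%02x", hdr[i]);
    line[len++] = '\n';
    return write(out, line, (size_t)len) == (ssize_t)len ? 0 : -1;
}

/* One fs: fork, open in the child unpledged, pledge, dump into a pipe.
 * The parent drains the pipe into buf (at most cap bytes) and returns the
 * byte count, or -1 if the child failed. */
ssize_t dump_one(const char *path, char *buf, size_t cap)
{
    int pfd[2], status;
    pid_t pid;
    size_t total = 0;
    char tmp[512];
    ssize_t n;

    if (pipe(pfd) == -1)
        return -1;
    pid = fork();
    if (pid == -1) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {
        close(pfd[0]);
        /* Unpledged step: opening the device (opendev(3) in dumpfs). */
        int fd = open(path, O_RDONLY);
        if (fd == -1)
            _exit(1);
        /* From here the child only reads fd and writes the pipe. */
        if (pledge("stdio", NULL) == -1)
            _exit(1);
        _exit(dump_fd(fd, pfd[1]) == 0 ? 0 : 1);
    }
    close(pfd[1]);
    while ((n = read(pfd[0], tmp, sizeof tmp)) > 0) {
        size_t room = cap - total;
        size_t take = (size_t)n < room ? (size_t)n : room;
        memcpy(buf + total, tmp, take);
        total += take;
    }
    close(pfd[0]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)total;
}

int main(int argc, char **argv)
{
    char buf[256];
    int rc = 0;

    /* Parent stays unpledged; its only job is write(2) of child output. */
    for (int i = 1; i < argc; i++) {
        ssize_t n = dump_one(argv[i], buf, sizeof buf);
        if (n < 0) {
            fprintf(stderr, "%s: dump failed\n", argv[i]);
            rc = 1;
            continue;
        }
        write(STDOUT_FILENO, buf, (size_t)n);
    }
    return rc;
}
```

Run as `./a.out /dev/sd0a /dev/sd1a` (or any readable files elsewhere): each argument is handled by its own child, and a child that crashes on malformed input takes down only that one dump while the parent continues with the next argument. With "stdio" the child can no longer open anything, which is why the open(2) must happen before the pledge call.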
