On Wed, Jul 18, 2018 at 12:59:12PM +0100, Ricardo Mestre wrote:
> Hi,
>
> Are there any brave souls out there with unveil(2) enabled already?
>
> If yes, please test this diff for spamlogd(8) which seems to only need rw
> access to the file PATH_SPAMD_DB and nothing else.
>
> Not asking for OKs yet, but if the code pattern is correct can I start looking
> at other programs?
mostly about the code pattern. first, I didn't know all the arcana of unveil, so I could be wrong at some point. hearing from beck@ would help too :)

- pledge and unveil

I think, if possible, you should configure unveil(2) before calling pledge(2). This way, you don't have to leave the "unveil" promise allowed.

- locking unveil

You should call unveil(NULL, NULL) when all your unveil(2) stuff is done: this way, you would lock out further unveil additions. But with the pledge(2) call after, any unveil(2) call would abort the program anyway (with no "unveil" promise).

> > Index: spamlogd.c > =================================================================== > RCS file: /cvs/src/libexec/spamlogd/spamlogd.c,v > retrieving revision 1.27 > diff -u -p -u -r1.27 spamlogd.c > --- spamlogd.c 16 Mar 2016 14:47:04 -0000 1.27 > +++ spamlogd.c 18 Jul 2018 11:46:59 -0000 > @@ -376,12 +376,15 @@ main(int argc, char **argv) > } > > if (syncsend) { > - if (pledge("stdio rpath wpath inet flock", NULL) == -1) > + if (pledge("stdio rpath wpath inet flock unveil", NULL) == -1) > err(1, "pledge"); > } else { > - if (pledge("stdio rpath wpath flock", NULL) == -1) > + if (pledge("stdio rpath wpath flock unveil", NULL) == -1) > err(1, "pledge"); > } > + > + if (unveil(PATH_SPAMD_DB, "rw") == -1) > + err(1, "unveil"); > > pcap_loop(hpcap, -1, phandler, NULL); > >

Thanks.
-- 
Sebastien Marie
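Review bot: the unveil(PATH_SPAMD_DB, "rw") call in the hunk sits after both pledge() calls, which is the only reason "unveil" had to be appended to both promise strings, and it also leaves unveil(2) usable for the rest of the process. Moving the unveil() call above the if (syncsend) block and following it with unveil(NULL, NULL) to lock the list would let both pledge strings stay exactly as they were ("stdio rpath wpath inet flock" and "stdio rpath wpath flock") and close off any later unveil of additional paths. The err(1, "unveil") on failure matches the surrounding pledge error handling and is fine as is.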
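The ordering Sebastien describes, applied to the two spamlogd(8) promise sets from the diff, as an added example that is not code from the thread or from OpenBSD's spamlogd: unveil(2) first, lock with unveil(NULL, NULL), then pledge(2) without the "unveil" promise. The database path is a placeholder argument, and on non-OpenBSD hosts stub unveil()/pledge() functions (an assumption made so the file compiles anywhere) stand in, with a small trace so the call order can still be inspected.

```c
#include <err.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifndef __OpenBSD__
/* Stand-ins for hosts without unveil(2)/pledge(2): they only succeed.
 * On OpenBSD the real system calls declared in <unistd.h> are used. */
static int unveil(const char *path, const char *permissions)
{ (void)path; (void)permissions; return 0; }
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
#endif
/* Records the order of the sandbox calls so the pattern can be checked. */
static char trace[128];
static void note(const char *s)
{
	strncat(trace, s, sizeof(trace) - strlen(trace) - 1);
}
/* Confine the process to the spamd database, then drop to the minimal
 * promise set. Returns 0 on success, -1 on failure (errno set). */
static int sandbox_setup(const char *dbpath, int syncsend)
{
	/* 1. unveil(2) before pledge(2): the only file needed from here on. */
	if (unveil(dbpath, "rw") == -1)
		return -1;
	note("unveil(db,rw);");

	/* 2. Lock the unveil list: any further unveil(2) call now fails. */
	if (unveil(NULL, NULL) == -1)
		return -1;
	note("unveil(NULL,NULL);");

	/* 3. pledge(2) last, with no "unveil" promise since none is needed;
	 *    these are the two promise sets from the spamlogd diff. */
	const char *promises = syncsend ?
	    "stdio rpath wpath inet flock" : "stdio rpath wpath flock";
	if (pledge(promises, NULL) == -1)
		return -1;
	note("pledge;");
	return 0;
}
const char *sandbox_trace(void) { return trace; }
int main(void)
{
	if (sandbox_setup("/placeholder/spamd-db", 0) == -1)
		err(1, "sandbox_setup");
	printf("%s\n", sandbox_trace());
	return 0;
}
```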