Patch to unveil vmctl.
Comments/OK?
+--+
Carlos
Index: main.c
===================================================================
RCS file: /home/los/cvs/src/usr.sbin/vmctl/main.c,v
retrieving revision 1.39
diff -u -p -r1.39 main.c
--- main.c 12 Jul 2018 14:53:37 -0000 1.39
+++ main.c 18 Aug 2018 23:22:39 -0000
@@ -160,7 +160,7 @@ parse(int argc, char *argv[])
if (!ctl->has_pledge) {
/* pledge(2) default if command doesn't have its own pledge */
- if (pledge("stdio rpath exec unix getpw", NULL) == -1)
+ if (pledge("stdio rpath exec unix getpw unveil", NULL) == -1)
err(1, "pledge");
}
if (ctl->main(&res, argc, argv) != 0)
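Review bot: The comment above the default pledge does not say why "unveil" is now part of the promise set, and the reason is not local to this function: vmmaction() calls unveil(2) after this default pledge is in effect (see the second hunk), which pledge(2) only allows when the "unveil" promise is present. Extend the comment so the dependency is visible, e.g. `/* pledge(2) default if command doesn't have its own pledge; "unveil" stays because vmmaction() unveils the control socket later */`. parse() starts and ends outside the hunk.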
@@ -185,6 +185,8 @@ vmmaction(struct parse_result *res)
unsigned int flags;
if (ctl_sock == -1) {
+ if (unveil(SOCKET_NAME, "r") == -1)
+ err(1, "unveil");
if ((ctl_sock = socket(AF_UNIX,
SOCK_STREAM|SOCK_CLOEXEC, 0)) == -1)
err(1, "socket");
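Review bot: Nothing in this hunk locks the filesystem view once SOCKET_NAME has been unveiled, and because the default pledge in parse() retains the "unveil" promise, further unveil(2) calls stay possible for the rest of the run. If no other path is needed after the control socket is connected (vmmaction() continues outside the hunk, so this cannot be confirmed here), follow the last unveil with `if (unveil(NULL, NULL) == -1) err(1, "unveil");` so the view is final. Separately, `err(1, "unveil")` here, and the same message in the ctl_create and ctl_openconsole hunks, would be more useful if it named the path that failed, e.g. `err(1, "unveil %s", SOCKET_NAME);`.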
@@ -477,6 +479,10 @@ ctl_create(struct parse_result *res, int
paths[0] = argv[1];
paths[1] = NULL;
+
+ if (unveil(paths[0], "rwc") == -1)
+ err(1, "unveil");
+
if (pledge("stdio rpath wpath cpath", NULL) == -1)
err(1, "pledge");
argc--;
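Review bot: The ordering here is load-bearing and undocumented: the unveil of paths[0] must precede the pledge on the following line, because that pledge omits the "unveil" promise and so makes this the last change to the filesystem view the process can make. A short comment would keep a later reorder from silently breaking it, e.g. `/* unveil the image first: the pledge below drops "unveil", so no further view changes are possible */`. ctl_create() starts and ends outside the hunk.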
@@ -759,6 +765,8 @@ __dead void
ctl_openconsole(const char *name)
{
closefrom(STDERR_FILENO + 1);
+ if (unveil(VMCTL_CU, "x") == -1)
+ err(1, "unveil");
execl(VMCTL_CU, VMCTL_CU, "-l", name, "-s", "115200", (char *)NULL);
err(1, "failed to open the console");
}
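Review bot: Only VMCTL_CU is made visible before the execl, and nothing in the patch documents what view the exec'd cu(1) is expected to run with. If unveil state is inherited across execve(2) as the unveil(2) manual describes, cu starts with only its own binary visible and must itself make the console device given by `name` visible; that is outside this patch, so it is worth confirming against cu's source. Either way a comment stating the assumption would help, e.g. `/* only cu itself is unveiled; cu(1) is expected to arrange access to the console device */`.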