This is not actually using unveil for security.  Only for some
subset of safety.

Why?  Well, the unveil is not locked in.  Another unveil is
possible.  Even unveil("/", "rwxc") to deactivate the unveil.
There is a pledge which locks the unveil in some code paths,
but not in all code paths.

So this doesn't fall into "strong security".  But it is still a
seatbelt, in that a misbehaviour of this strange complicated program
accessing an unintended file will be blocked in some cases.

Really there is no domain of privilege here, so unveil is more
about seatbelts...

Reyk Floeter <r...@openbsd.org> wrote:
> On Tue, Aug 21, 2018 at 09:51:52PM -0700, Carlos Cardenas wrote:
> > Patch to unveil vmctl.
> > 
> > Comments/OK?
> > 
> 
> OK reyk
> 
> btw. paths[0] is an artifact from the old pledge paths argument.
> semarie@ removed it in -r1.13 of main.c but we both overlooked that
> paths[2] is not needed anymore and could just be turned into a
> non-array path variable.
> 
> Reyk
> 
> > +--+
> > Carlos
> 
> > Index: main.c
> > ===================================================================
> > RCS file: /home/los/cvs/src/usr.sbin/vmctl/main.c,v
> > retrieving revision 1.39
> > diff -u -p -r1.39 main.c
> > --- main.c  12 Jul 2018 14:53:37 -0000      1.39
> > +++ main.c  18 Aug 2018 23:22:39 -0000
> > @@ -160,7 +160,7 @@ parse(int argc, char *argv[])
> >  
> >     if (!ctl->has_pledge) {
> >             /* pledge(2) default if command doesn't have its own pledge */
> > -           if (pledge("stdio rpath exec unix getpw", NULL) == -1)
> > +           if (pledge("stdio rpath exec unix getpw unveil", NULL) == -1)
> >                     err(1, "pledge");
> >     }
> >     if (ctl->main(&res, argc, argv) != 0)
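Review bot: adding "unveil" to the default promise set leaves this code path without any point at which the unveil state is locked: after parse() returns, ctl->main() and everything below it can still call unveil(), including a widening call, so the restrictions added elsewhere in this patch remain advisory on this path. If they are meant to hold, each command that relies on this default pledge should follow its own unveil() calls with a pledge whose promise string omits "unveil", the way ctl_create() does with "stdio rpath wpath cpath" later in the patch.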
> > @@ -185,6 +185,8 @@ vmmaction(struct parse_result *res)
> >     unsigned int             flags;
> >  
> >     if (ctl_sock == -1) {
> > +           if (unveil(SOCKET_NAME, "r") == -1)
> > +                   err(1, "unveil");
> >             if ((ctl_sock = socket(AF_UNIX,
> >                 SOCK_STREAM|SOCK_CLOEXEC, 0)) == -1)
> >                     err(1, "socket");
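Review bot: this unveil() sits in vmmaction(), which is reached both from commands that take the default pledge in parse() (which now carries "unveil") and, by the has_pledge flag in the first hunk, from commands that apply their own promise set before getting here. Any such command-specific pledge that does not include "unveil" turns this call into a pledge violation rather than a restriction. Worth confirming that every pledge string on a path into vmmaction() now includes "unveil", or that those commands unveil before they pledge, as ctl_create() does.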
> > @@ -477,6 +479,10 @@ ctl_create(struct parse_result *res, int
> >  
> >     paths[0] = argv[1];
> >     paths[1] = NULL;
> > +
> > +   if (unveil(paths[0], "rwc") == -1)
> > +           err(1, "unveil");
> > +
> >     if (pledge("stdio rpath wpath cpath", NULL) == -1)
> >             err(1, "pledge");
> >     argc--;
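Review bot: the ordering here is the one that actually enforces something: unveil(paths[0], "rwc") followed immediately by a pledge whose promises lack "unveil" locks the view to the single image path, making this the only command in the patch where the restriction cannot be undone afterwards. As the reply above already notes, paths[] is a leftover from the old pledge paths argument and its second slot is only ever NULL; argv[1] could be passed to unveil() directly and the array dropped.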
> > @@ -759,6 +765,8 @@ __dead void
> >  ctl_openconsole(const char *name)
> >  {
> >     closefrom(STDERR_FILENO + 1);
> > +   if (unveil(VMCTL_CU, "x") == -1)
> > +           err(1, "unveil");
> >     execl(VMCTL_CU, VMCTL_CU, "-l", name, "-s", "115200", (char *)NULL);
> >     err(1, "failed to open the console");
> >  }
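Review bot: err(1, "unveil") does not say which path was refused, and with this patch unveil() is now called from three places (SOCKET_NAME in vmmaction(), the image path in ctl_create(), VMCTL_CU here), so a bare "unveil" in the error output makes a failure hard to attribute. Suggest err(1, "unveil %s", VMCTL_CU) here and the equivalent at the other two call sites.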
> 
> 
> -- 
> 
