Hi,

xserver's priv proc is responsible for opening devices in O_RDWR mode and sending
their fds over to the parent proc. Knowing this, we already have a list of
all possible devices that might be opened in the future, and we can unveil(2)
them by traversing allowed_devices. Yes, it's a long list, but we won't hit
the limit defined by UNVEIL_MAX_VNODES (currently set to 128). Still, this
change might be disputable due to the limited number of vnodes available.

Additionally, by this point we have already fork(2)ed, so we can drop the "proc" promise
from pledge(2). I didn't run into any trouble with either of these changes.

Comments on either unveil or pledge? OK?

Index: privsep.c
===================================================================
RCS file: /cvs/xenocara/xserver/os/privsep.c,v
retrieving revision 1.29
diff -u -p -u -r1.29 privsep.c
--- privsep.c   6 Aug 2018 20:11:34 -0000       1.29
+++ privsep.c   16 Oct 2018 10:51:10 -0000
@@ -274,7 +274,11 @@ priv_init(uid_t uid, gid_t gid)
        setproctitle("[priv]");
        close(socks[1]);
 
-       if (pledge("stdio rpath wpath sendfd proc", NULL) == -1)
+       for (dev = allowed_devices; dev->name != NULL; dev++) {
+               if (unveil(dev->name, "rw") == -1)
+                       err(1, "unveil");
+       }
+       if (pledge("stdio rpath wpath sendfd", NULL) == -1)
                err(1, "pledge");
 
        while (1) {
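Review bot: `dev` is used as the loop variable but the hunk adds no declaration for it; confirm that priv_init() already declares a pointer into allowed_devices, otherwise this does not compile. Consider `err(1, "unveil %s", dev->name)` so a failing entry can be identified from the error message, and a one-line comment on why no explicit `unveil(NULL, NULL)` follows the loop, since readers will look for the usual lock step before the pledge call that drops "proc".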
