On Wed, Oct 24, 2018 at 10:36:58AM +0100, Ricardo Mestre wrote:
> Hello,
>
> semarie@ already gave positive feedback for unveiling xserver, did
> anyone test it yet and comment on it or OK?
Sorry I almost forgot I was running with this patch for some days
now.
ok matthieu@
>
> Index: privsep.c
> ===================================================================
> RCS file: /cvs/xenocara/xserver/os/privsep.c,v
> retrieving revision 1.29
> diff -u -p -u -r1.29 privsep.c
> --- privsep.c 6 Aug 2018 20:11:34 -0000 1.29
> +++ privsep.c 24 Oct 2018 09:35:01 -0000
> @@ -274,6 +274,10 @@ priv_init(uid_t uid, gid_t gid)
> setproctitle("[priv]");
> close(socks[1]);
>
> + for (dev = allowed_devices; dev->name != NULL; dev++) {
> + if (unveil(dev->name, "rw") == -1)
> + err(1, "unveil");
> + }
> if (pledge("stdio rpath wpath sendfd proc", NULL) == -1)
> err(1, "pledge");
>
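Review bot: The err(1, "unveil") call inside the new loop does not say which device path was rejected, so a failure at startup cannot be traced to an entry in allowed_devices; err(1, "unveil %s", dev->name) would make that visible. A short comment above the loop would also help, noting that the following pledge() is called without the "unveil" promise, so the list of visible paths cannot be extended after this point and no explicit unveil(NULL, NULL) is needed.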
--
Matthieu Herrb