Hi,
this restricts ospfd's parent process to only read it's config file (reload)
and unlink the control socket on exit. I added unveil after the setup of
the control socket is done since chmod is used in control_init.
OK?
Remi
Index: ospfd.c
===================================================================
RCS file: /cvs/src/usr.sbin/ospfd/ospfd.c,v
retrieving revision 1.100
diff -u -p -r1.100 ospfd.c
--- ospfd.c 29 Aug 2018 08:43:17 -0000 1.100
+++ ospfd.c 26 Oct 2018 15:10:08 -0000
@@ -278,6 +278,13 @@ main(int argc, char *argv[])
fatalx("control socket setup failed");
main_imsg_compose_ospfe_fd(IMSG_CONTROLFD, 0, control_fd);
+ if (unveil(conffile, "r") == -1)
+ fatal("unveil");
+ if (unveil(ospfd_conf->csock, "c") == -1)
+ fatal("unveil");
+ if (unveil(NULL, NULL) == -1)
+ fatal("unveil");
+
if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE),
ospfd_conf->rdomain, ospfd_conf->redist_label_or_prefix) == -1)
fatalx("kr_init failed");
