On Fri, Oct 26, 2018 at 10:19:01AM -0600, Theo de Raadt wrote:
> Remi Locherer <remi.loche...@relo.ch> wrote:
> 
> > On Fri, Oct 26, 2018 at 06:01:40PM +0200, Florian Obser wrote:
> > > This breaks usage of the "include" keyword. Something that all the 
> > > parse.y daemons support.
> > > 
> > 
> > Oh, of course!
> > 
> > I guess this is similar to unveil files based on a list of command line 
> > args.
> 
> correct.
> 
> Now that unveil is used in the tree, there are 3 types of programs
> 
>   1) they use unveil
>   2) they use pledge, heading close towards "stdio" without a "*path"
>   3) they access arbitrary files based upon argv
> 
> this is (3), except not argv, it's nested inside the config file
> 
> Well there are maybe 20 programs beyond that which aren't converted yet,
> but things are looking pretty good.
> 

Since ospfd is not supposed to write or execute files we could make the
file system read only (with the exception of the control socket).

(Once we can add pledge to ospfd's parent proc this will probably not make
sense anymore.)



cvs diff: Diffing .
Index: ospfd.c
===================================================================
RCS file: /cvs/src/usr.sbin/ospfd/ospfd.c,v
retrieving revision 1.100
diff -u -p -r1.100 ospfd.c
--- ospfd.c     29 Aug 2018 08:43:17 -0000      1.100
+++ ospfd.c     27 Oct 2018 07:28:58 -0000
@@ -278,6 +278,13 @@ main(int argc, char *argv[])
                fatalx("control socket setup failed");
        main_imsg_compose_ospfe_fd(IMSG_CONTROLFD, 0, control_fd);
 
+       if (unveil("/", "r") == -1)
+               fatal("unveil");
+       if (unveil(ospfd_conf->csock, "c") == -1)
+               fatal("unveil");
+       if (unveil(NULL, NULL) == -1)
+               fatal("unveil");
+
        if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE),
            ospfd_conf->rdomain, ospfd_conf->redist_label_or_prefix) == -1)
                fatalx("kr_init failed");
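
Review bot: All three added calls fail with the identical fatal("unveil"), so a log line cannot tell whether "/", the control socket path, or the final unveil(NULL, NULL) lock was refused; pass the path in the message, for example fatal("unveil %s", ospfd_conf->csock), and use a distinct message for the lock step. The "c" on ospfd_conf->csock also deserves a one-line comment: the socket is already set up and its fd handed over in the context lines just above, so this hunk alone does not show why create/remove permission is still needed on that path.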
