OK florian@
On Mon, Oct 29, 2018 at 11:27:15PM +0100, Remi Locherer wrote:
> Hi,
>
> ospf6d does not support reloading so its parent proc does not need
> filesystem access with the exception of the control socket cleanup on
> exit. Once we teach it how to reload the config it is easy to unveil "/"
> readonly as I just did for ospfd.
>
> OK?
>
> Remi
>
>
> cvs diff: Diffing .
> Index: ospf6d.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ospf6d/ospf6d.c,v
> retrieving revision 1.39
> diff -u -p -r1.39 ospf6d.c
> --- ospf6d.c 1 Sep 2018 19:21:10 -0000 1.39
> +++ ospf6d.c 29 Oct 2018 22:20:45 -0000
> @@ -274,6 +274,11 @@ main(int argc, char *argv[])
> fatalx("control socket setup failed");
> main_imsg_compose_ospfe_fd(IMSG_CONTROLFD, 0, control_fd);
>
> + if (unveil(ospfd_conf->csock, "c") == -1)
> + fatal("unveil");
> + if (unveil(NULL, NULL) == -1)
> + fatal("unveil");
> +
> if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE),
> ospfd_conf->rdomain) == -1)
> fatalx("kr_init failed");
>
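Review bot: both unveil() calls added ahead of kr_init() report failure with the identical fatal("unveil"), so a log entry cannot tell whether restricting ospfd_conf->csock failed or the final unveil(NULL, NULL) lock did; give the two calls distinct messages. A one-line comment above the block noting that "c" on the control socket is kept only so the socket can be cleaned up on exit would also record why no other path is unveiled.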
--
I'm not entirely sure you are real.