OK florian@ On Mon, Oct 29, 2018 at 11:27:15PM +0100, Remi Locherer wrote: > Hi, > > ospf6d does not support reloading so its parent proc does not need > filesystem access with the exception of the control socket cleanup on > exit. Once we teach it how to reload the config it is easy to unveil "/" > readonly as I just did for ospfd. > > OK? > > Remi > > > cvs diff: Diffing . > Index: ospf6d.c > =================================================================== > RCS file: /cvs/src/usr.sbin/ospf6d/ospf6d.c,v > retrieving revision 1.39 > diff -u -p -r1.39 ospf6d.c > --- ospf6d.c 1 Sep 2018 19:21:10 -0000 1.39 > +++ ospf6d.c 29 Oct 2018 22:20:45 -0000 > @@ -274,6 +274,11 @@ main(int argc, char *argv[]) > fatalx("control socket setup failed"); > main_imsg_compose_ospfe_fd(IMSG_CONTROLFD, 0, control_fd); > > + if (unveil(ospfd_conf->csock, "c") == -1) > + fatal("unveil"); > + if (unveil(NULL, NULL) == -1) > + fatal("unveil"); > + > if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE), > ospfd_conf->rdomain) == -1) > fatalx("kr_init failed"); >
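Review bot: the two added fatal("unveil") calls in main() produce the same log message, so a failure to unveil the control socket path cannot be told apart from a failure of the final unveil(NULL, NULL) lock; give them distinct messages, for example one that names ospfd_conf->csock. A one-line comment above the block would also help, saying that "c" is all the parent needs because its only remaining filesystem operation is removing the control socket on exit, which would carry the reasoning from the mail into the source. Since the lock is placed before kr_init(), it is worth confirming that nothing from kr_init() onward in the parent process opens a file by path.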
-- I'm not entirely sure you are real.