Looks right.
Ricardo Mestre <[email protected]> wrote: > snmpd(8)'s main process needs to open the config file and /dev/pf both with > read permissions, but once it reaches pledge(2) just before the main loop both > were already opened. Since snmpd(8) doesn't have a way to load or reload the > config file, not even through SIGHUP, then rpath promise is not needed. > > The snmpe process cannot yet be pledged, but it doesn't need fs access so we > can disable the access through unveil("/", ""); unveil(NULL, NULL); > > The traphandler is already pledged to not access the fs at all. > > With both modifications the regress tests still pass. Comments? OK? > > Index: snmpd.c > =================================================================== > RCS file: /cvs/src/usr.sbin/snmpd/snmpd.c,v > retrieving revision 1.39 > diff -u -p -u -r1.39 snmpd.c > --- snmpd.c 5 Aug 2018 09:33:13 -0000 1.39 > +++ snmpd.c 30 Oct 2018 14:03:38 -0000 > @@ -255,7 +255,7 @@ main(int argc, char *argv[]) > > proc_connect(ps); > > - if (pledge("stdio rpath dns sendfd proc exec id", NULL) == -1) > + if (pledge("stdio dns sendfd proc exec id", NULL) == -1) > fatal("pledge"); > > event_dispatch(); > Index: snmpe.c > =================================================================== > RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v > retrieving revision 1.54 > diff -u -p -u -r1.54 snmpe.c > --- snmpe.c 31 Jul 2018 11:01:29 -0000 1.54 > +++ snmpe.c 30 Oct 2018 14:03:38 -0000 > @@ -120,6 +120,10 @@ snmpe_init(struct privsep *ps, struct pr > event_add(&so->s_ev, NULL); > } > > + if (unveil("/", "") == -1) > + fatal("unveil"); > + if (unveil(NULL, NULL) == -1) > + fatal("unveil"); > #if 0 > /* > * XXX Refactoring required to move illegal ioctls and sysctls.
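Review bot: In the snmpd.c hunk, the pledge() call in main() drops rpath on the strength of the regress tests, which only cover the code paths they exercise. It is worth confirming that no handler reached from event_dispatch() in the parent opens a file by path, since a pledge violation aborts the process instead of returning an error. A one-line comment above the call stating that the config file and /dev/pf are already open and that there is no reload path would keep a future reload feature from tripping over this.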
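Review bot: In the snmpe.c hunk, both unveil() failures in snmpe_init() report the same fatal("unveil") string, so a log line cannot tell whether hiding "/" or the final unveil(NULL, NULL) lock failed; distinct messages such as fatal("unveil /") and fatal("unveil lock") would fix that. The new calls also sit directly above the #if 0 block with no comment of their own; a short note that this is a stopgap until snmpe can be pledged would explain why unveil is used here.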
