Hi,

Looking at pledging xenodm a little bit more I was able to run it with the diff below across X restarts, with stock configuration.
Please test it, if you have special configs better since most likely this will break it but we need to know where and why and with that maybe trim xenodm's bloat.

DisplayManager:
	rpath: open(2) /etc/X11/xenodm/xenodm-config
	cpath: unlink(2) d->authFile
	proc: kill(2)

Session:
	rpath: open(2) /etc/fbtab
	wpath/cpath: open(2) d->authFile
	fattr: chmod(2) d->authFile
	dns: sysctl(2) for name resolution
	proc: kill(2)
	exec: execve(2) /etc/X11/xenodm/TakeConsole
	id: setuid(2)

Index: dm.c =================================================================== RCS file: /cvs/xenocara/app/xenodm/xenodm/dm.c,v retrieving revision 1.6 diff -u -p -u -r1.6 dm.c --- dm.c 11 Jul 2018 16:57:04 -0000 1.6 +++ dm.c 31 Oct 2018 15:15:49 -0000 @@ -604,6 +604,10 @@ StartDisplay (struct display *d) Debug ("pid: %d\n", pid); d->pid = pid; d->status = running; + + if (pledge("stdio rpath cpath proc", NULL) == -1) + exit(OPENFAILED_DISPLAY); + break; } } Index: session.c =================================================================== RCS file: /cvs/xenocara/app/xenodm/xenodm/session.c,v retrieving revision 1.12 diff -u -p -u -r1.12 session.c --- session.c 11 Jul 2018 20:28:41 -0000 1.12 +++ session.c 31 Oct 2018 15:15:49 -0000 @@ -378,6 +378,10 @@ StartClient ( default: Debug ("StartSession, fork succeeded %d\n", pid); *pidp = pid; + + if (pledge("stdio rpath wpath cpath fattr dns proc exec id", NULL) == -1) + exit(25); + return 1; } }
----- End forwarded message -----
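Review bot: in the dm.c hunk (StartDisplay), the pledge failure path calls exit(OPENFAILED_DISPLAY) with no log line, so a failed pledge cannot be told apart from whatever else already exits with that status; log the errno before exiting and consider a distinct exit status. The call sits in the branch that records d->pid and sets d->status = running, so it is issued again each time StartDisplay reaches that branch. That is harmless, but a single call with a comment carrying the per-promise justification from the mail (rpath for xenodm-config, cpath for unlink(2) of d->authFile, proc for kill(2)) would document why each promise is there.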
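Review bot: in the session.c hunk (StartClient), exit(25) is a bare magic number where the dm.c hunk uses a named status; use or add a named constant and log the failure before exiting. The promise string keeps exec and id and passes NULL as execpromises, so anything executed afterwards starts without pledge active. The mail names only /etc/X11/xenodm/TakeConsole as the execve(2) target and setuid(2) as the reason for id, so a comment with that mapping belongs next to the call, and it is worth checking whether exec and id can be dropped by a second, narrower pledge once those two calls have run.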