On Mon, Nov 05, 2018 at 12:30:08PM +0000, Ricardo Mestre wrote: > Hi, > > dhclient(8)'s privileged process cannot be pledged yet due to some route > related sysctl(2)'s, but it seems it only needs to access two files. One is > /etc/resolv.conf with write/create permissions and saved_argv[0] (usually > /sbin/dhclient) with execute since we may receive a SIGHUP and it will need to > re-exec itself. We could go further and keep /etc/resolv.conf veiled if we > superseed both domain-name and domain-name-servers in the config file, but it > seems a bit overkill, and with the simple diff below I didn't have any > problems. > > Comments? OK? Cluebat stick?
First I thougt the diff does not work: typhoon ..n/dhclient$ doas obj/dhclient -d iwm0 fatal in iwm0 [priv]: unveil: No such file or directory iwm0: DHCPREQUEST to 255.255.255.255 iwm0: unpriv_ibuf: ERR|HUP|NVAL It does not work because "obj" is a symlink here. When called without a symlink in the path it works as expected. The error message is a bit awkward. > > Index: dhclient.c > =================================================================== > RCS file: /cvs/src/sbin/dhclient/dhclient.c,v > retrieving revision 1.581 > diff -u -p -u -r1.581 dhclient.c > --- dhclient.c 4 Nov 2018 19:10:34 -0000 1.581 > +++ dhclient.c 5 Nov 2018 12:02:51 -0000 > @@ -2234,6 +2234,13 @@ fork_privchld(struct interface_info *ifi > if ((routefd = socket(AF_ROUTE, SOCK_RAW, 0)) == -1) > fatal("socket(AF_ROUTE, SOCK_RAW)"); > > + if (unveil("/etc/resolv.conf", "wc") == -1) > + fatal("unveil"); > + if (unveil(saved_argv[0], "x") == -1) > + fatal("unveil"); > + if (unveil(NULL, NULL) == -1) > + fatal("unveil"); > + > while (quit == 0) { > pfd[0].fd = priv_ibuf->fd; > pfd[0].events = POLLIN; >