something like the below? I added a new define for /etc/resolv.conf since it's
now used in 2 different places, and hardcoded the executable path to avoid
strange errors when running from a symlinked directory, as pointed out by remi@

Index: dhclient.c
===================================================================
RCS file: /cvs/src/sbin/dhclient/dhclient.c,v
retrieving revision 1.581
diff -u -p -u -r1.581 dhclient.c
--- dhclient.c  4 Nov 2018 19:10:34 -0000       1.581
+++ dhclient.c  6 Nov 2018 07:34:55 -0000
@@ -2234,6 +2234,13 @@ fork_privchld(struct interface_info *ifi
        if ((routefd = socket(AF_ROUTE, SOCK_RAW, 0)) == -1)
                fatal("socket(AF_ROUTE, SOCK_RAW)");
 
+       if (unveil(_PATH_RESOLV_CONF, "wc") == -1)
+               fatal("unveil");
+       if (unveil("/sbin/dhclient", "x") == -1)
+               fatal("unveil");
+       if (unveil(NULL, NULL) == -1)
+               fatal("unveil");
+
        while (quit == 0) {
                pfd[0].fd = priv_ibuf->fd;
                pfd[0].events = POLLIN;
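Review bot: All three unveil() failures added to fork_privchld report the identical string "unveil", so a log line from a failed call does not say which path or which call was rejected; the messages should name the argument, e.g. `fatal("unveil %s", _PATH_RESOLV_CONF);`, `fatal("unveil /sbin/dhclient");` and `fatal("unveil(NULL, NULL)");`. The "/sbin/dhclient" literal is also the only path in this hunk not behind a define, while the same patch promotes the resolv.conf path to _PATH_RESOLV_CONF in dhcpd.h; a `_PATH_DHCLIENT` define next to it would keep the two consistent and make the hardcoded re-exec path easy to find when the install location is questioned. fork_privchld begins before this hunk, so whether a pledge() already in effect in this process carries the "unveil" promise needed for these calls cannot be confirmed from here.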
Index: dhcpd.h
===================================================================
RCS file: /cvs/src/sbin/dhclient/dhcpd.h,v
retrieving revision 1.257
diff -u -p -u -r1.257 dhcpd.h
--- dhcpd.h     2 Nov 2018 16:15:55 -0000       1.257
+++ dhcpd.h     6 Nov 2018 07:34:55 -0000
@@ -153,6 +153,7 @@ struct interface_info {
 };
 
 #define        _PATH_DHCLIENT_CONF     "/etc/dhclient.conf"
+#define        _PATH_RESOLV_CONF       "/etc/resolv.conf"
 #define        _PATH_LEASE_DB          "/var/db/dhclient.leases"
 
 /* options.c */
Index: kroute.c
===================================================================
RCS file: /cvs/src/sbin/dhclient/kroute.c,v
retrieving revision 1.156
diff -u -p -u -r1.156 kroute.c
--- kroute.c    13 Jun 2018 01:37:54 -0000      1.156
+++ kroute.c    6 Nov 2018 07:34:55 -0000
@@ -594,7 +594,6 @@ write_resolv_conf(void)
 void
 priv_write_resolv_conf(char *contents)
 {
-       const char      *path = "/etc/resolv.conf";
        ssize_t          n;
        size_t           sz;
        int              fd;
@@ -602,21 +601,21 @@ priv_write_resolv_conf(char *contents)
        if (contents == NULL)
                return;
 
-       fd = open(path, O_WRONLY | O_CREAT | O_TRUNC,
+       fd = open(_PATH_RESOLV_CONF, O_WRONLY | O_CREAT | O_TRUNC,
            S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 
        if (fd == -1) {
-               log_warn("%s: open(%s)", log_procname, path);
+               log_warn("%s: open(%s)", log_procname, _PATH_RESOLV_CONF);
                return;
        }
 
        sz = strlen(contents);
        n = write(fd, contents, sz);
        if (n == -1)
-               log_warn("%s: write(%s)", log_procname, path);
+               log_warn("%s: write(%s)", log_procname, _PATH_RESOLV_CONF);
        else if ((size_t)n < sz)
                log_warnx("%s: write(%s): %zd of %zu bytes", log_procname,
-                   path, n, sz);
+                   _PATH_RESOLV_CONF, n, sz);
 
        close(fd);
 }
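Review bot: The short-write branch (`(size_t)n < sz`) still leaves _PATH_RESOLV_CONF truncated by O_TRUNC with only a prefix of contents, since the function logs and returns without writing the remainder; with the patch's unveil of exactly this path with "wc" in dhclient.c, the usual write-to-a-temporary-then-rename alternative would also need the directory unveiled, so the in-place open should at least loop until the whole buffer is written. The close(fd) return is also unchecked, which hides a deferred write error on the file that was just truncated. priv_write_resolv_conf begins in the previous hunk, where a new `size_t off;` local would be declared alongside n and sz.
```c
	sz = strlen(contents);
	/* … unchanged: open(_PATH_RESOLV_CONF, O_WRONLY | O_CREAT | O_TRUNC, …) and its log_warn … */
	n = 0;
	off = 0;
	while (off < sz) {
		n = write(fd, contents + off, sz - off);
		if (n == -1) {
			log_warn("%s: write(%s)", log_procname, _PATH_RESOLV_CONF);
			break;
		}
		if (n == 0)
			break;
		off += (size_t)n;
	}
	if (n != -1 && off < sz)
		log_warnx("%s: write(%s): %zu of %zu bytes", log_procname,
		    _PATH_RESOLV_CONF, off, sz);

	if (close(fd) == -1)
		log_warn("%s: close(%s)", log_procname, _PATH_RESOLV_CONF);
```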
