Rafael Neves <raf...@diskless.io> wrote:

> Hi tech@,
>
> Patch 1 below tightens the pledge(2) promises to stdio after the
> freopen(3) call,

I've committed this.

> and replaces an exit(3) call with return, so the
> stack protector could be used.

I'm still not a huge fan of those. I don't recall ever seeing an
overflow in such a circumstance.

> I verified that after pledge stdio, there are only calls to:
> getline(3), memcmp(3), regexec(3), printf(3), fwrite(3), fputs(3),
> ferror(3), free(3), and err(3). None of these functions need
> the rpath promise.
>
> Patch 2 includes Patch 1 and uses unveil(2) when the user supplies
> a file. A prior version of this patch used unveil("/dev/null", "r")
> after the first pledge call, to forbid any filesystem access except
> the file supplied. But it seemed like a hack.

Doing 1 unveil before 1 open is pointless.

Instead, drop all path pledges immediately afterwards. Which is what
"stdio" is about.
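The pattern being discussed, as an added example that is not the patch from this thread nor code from any OpenBSD utility: hold "rpath" only long enough to freopen(3) the optional input file onto stdin, then re-pledge down to "stdio" and do the rest of the work with the calls listed above (getline, memcmp, ferror, free, printf, err). No unveil(2) is needed, because once "rpath" is gone the process cannot open another path at all. pledge(2) exists only on OpenBSD, so on other systems the block substitutes a constructed shim that merely records the most recent promise string; the sample input, the function names and the prefix-counting logic are all assumptions made for the example.

```c
#define _GNU_SOURCE /* glibc needs this for getline(3); harmless on OpenBSD */
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Constructed shim, only for non-OpenBSD builds: pledge(2) is an OpenBSD
 * system call. Here it just records the last promise string so the
 * order of the two pledge calls can still be checked. */
static char last_promises[64] = "";
static int
pledge(const char *promises, const char *execpromises)
{
	(void)execpromises;
	snprintf(last_promises, sizeof last_promises, "%s", promises);
	return 0;
}
#endif

/* Open the optional input file onto stdin while "rpath" is still held,
 * then immediately drop to "stdio". The single open is the last
 * filesystem access the program makes, so no unveil(2) is required.
 * Returns the stream to read from, or NULL (errno set) on failure. */
static FILE *
open_input_then_drop_rpath(const char *path)
{
	if (pledge("stdio rpath", NULL) == -1)
		return NULL;
	if (path != NULL && freopen(path, "r", stdin) == NULL)
		return NULL;
	/* Everything from here on only needs "stdio". */
	if (pledge("stdio", NULL) == -1)
		return NULL;
	return stdin;
}

/* Count lines that start with prefix. Uses only getline(3), memcmp(3),
 * ferror(3) and free(3), all of which are covered by "stdio".
 * Returns the count, or -1 if a read error occurred. */
static long
count_prefixed_lines(FILE *fp, const char *prefix)
{
	char *line = NULL;
	size_t cap = 0, plen = strlen(prefix);
	ssize_t n;
	long count = 0;

	while ((n = getline(&line, &cap, fp)) != -1) {
		if ((size_t)n >= plen && memcmp(line, prefix, plen) == 0)
			count++;
	}
	free(line);
	if (ferror(fp))
		return -1;
	return count;
}

int
main(int argc, char *argv[])
{
	/* usage: prog [file] [prefix]; with no file, reads stdin */
	FILE *in = open_input_then_drop_rpath(argc > 1 ? argv[1] : NULL);
	long n;

	if (in == NULL)
		err(1, "%s", argc > 1 ? argv[1] : "pledge");
	n = count_prefixed_lines(in, argc > 2 ? argv[2] : "");
	if (n < 0)
		err(1, "read");
	printf("%ld\n", n);
	/* return rather than exit(3), so the stack protector epilogue runs */
	return 0;
}
```

On OpenBSD, any attempt to open a second file after the second pledge call kills the process with SIGABRT, which is exactly the property the "stdio"-only promise set is meant to give.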