Rafael Neves <raf...@diskless.io> wrote:

> Hi tech@,
> 
> The Patch 1 below tightens pledge(2) promises to stdio, after the
> freopen(3) call,

I've committed this.

> and replaces an exit(3) call with a return, so the
> stack protector could be used.

I'm still not a huge fan of those.  I don't recall ever seeing
an overflow in such a circumstance.

> I verified that after pledge stdio, there are only calls to:
> getline(3), memcmp(3), regexec(3), printf(3), fwrite(3), fputs(3),
> ferror(3), free(3), and err(3). All these functions do not need
> the rpath promise.
> 
> The Patch 2 includes Patch 1 and uses unveil(2) when the user supplies
> a file. A prior version of this patch used unveil("/dev/null", "r")
> after the first pledge call, to forbid any filesystem access, except
> the file supplied. But it seemed like a hack.

Doing 1 unveil before 1 open is pointless.  Instead, drop all path
pledges immediately afterwards.  Which is what "stdio" is about.
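The sequence the reply recommends (a broad "stdio rpath" pledge only for the single open, then "stdio" alone once the file is open, with an error return instead of exit(3)) as an added, stand-alone example; it is not code from this thread or from the patch under discussion. It assumes a hypothetical line-counting tool reading via freopen(3) on stdin; the pledge stub under `#ifndef __OpenBSD__` is an assumption that only lets the file compile elsewhere and enforces nothing, and the sample input is constructed.

```c
#ifndef __OpenBSD__
#define _POSIX_C_SOURCE 200809L	/* getline(3) visibility outside OpenBSD (assumption) */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#ifndef __OpenBSD__
/*
 * Stand-in (assumption) so the example also compiles outside OpenBSD.
 * It enforces nothing; it only keeps the pledge(2) call sequence visible.
 */
static int
pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;
}
#endif

/*
 * Count the lines of the optional input file (NULL means stdin as-is).
 * Returns the line count, or -1 on failure, so the caller returns
 * instead of calling exit(3).
 */
long
count_lines(const char *path)
{
	char *line = NULL;
	size_t cap = 0;
	long n = 0;

	/* "rpath" is needed only for the single open that follows. */
	if (pledge("stdio rpath", NULL) == -1)
		return -1;

	if (path != NULL && freopen(path, "r", stdin) == NULL)
		return -1;

	/* The file is open: drop every path promise immediately. */
	if (pledge("stdio", NULL) == -1)
		return -1;

	/* Only getline(3), free(3) and ferror(3) from here on: stdio suffices. */
	while (getline(&line, &cap, stdin) != -1)
		n++;
	free(line);
	return ferror(stdin) ? -1 : n;
}

/* Write a constructed three-line sample file; returns 0 on success. */
int
write_sample(const char *path)
{
	FILE *fp = fopen(path, "w");

	if (fp == NULL)
		return -1;
	fputs("alpha\nbeta\ngamma\n", fp);
	return fclose(fp) == 0 ? 0 : -1;
}

int
main(int argc, char *argv[])
{
	long n = count_lines(argc > 1 ? argv[1] : NULL);

	if (n == -1) {
		perror("count_lines");
		return 1;
	}
	printf("%ld\n", n);
	return 0;
}
```

On OpenBSD, any later attempt to open a path in this process is killed by the kernel under the "stdio" promise, which is the property the first pledge alone would not give; the unveil(2) call the patch discussed is deliberately absent, since with a single open the narrowed pledge already removes all path access.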
