On Sat, Apr 20, 2019 at 07:10:21PM -0600, Theo de Raadt wrote:
> Rafael Neves <[email protected]> wrote:
> 
> > Hi tech@,
> > 
> > The Patch 1 below tightens pledge(2) promises to stdio, after the
> > freopen(3) call,
> 
> I've committed this.
> 
> > and replaces an exit(3) call to return, so the
> > stack protector could be used. 
> 
> I'm still not a huge fan of those.  I don't recall ever seeing
> an overflow in such a circumstance.
> 

I am no security expert, so I can't comment on this. Actually,
I saw the exit() instead of return while analysing the code path
after the freopen() call. I remembered there were commits with that
kind of change, then I combined both. Anyway, it was not the
focus of the change.

> > I verified that after pledge stdio, there are only calls to:
> > getline(3), memcmp(3), regexec(3), printf(3), fwrite(3), fputs(3),
> > ferror(3), free(3), and err(3). All these functions do not need
> > the rpath promise.
> > 
> > The Patch 2 includes Patch 1 and uses unveil(2) when the user supplies
> > a file. A prior version of this patch used unveil("/dev/null", "r")
> > after the first pledge call, to forbid any filesystem access, except
> > the file supplied. But it seemed like a hack.
> 
> Doing 1 unveil before 1 open is pointless.  Instead, drop all path
> pledges immediately afterwards.  Which is what "stdio" is about.

Indeed, totally right! Thanks for drawing attention to that.

Regards,
Rafael Neves
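The pattern Theo describes (no unveil(2) before the single open; instead drop the path promise right after it) as an added example in C that is not part of this thread or of the OpenBSD program under discussion. The file content, the path and the needle are constructed for the demo, and the pledge() shim exists only so the code builds on systems without pledge(2).

```c
#define _GNU_SOURCE	/* exposes getline(3) on glibc */
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Shim so this compiles elsewhere: pledge(2) becomes a no-op, the real
 * restriction only exists on OpenBSD. */
static int pledge(const char *promises, const char *execpromises)
{
	(void)promises; (void)execpromises;
	return 0;
}
#endif

/* Write a constructed sample input (demo only); returns 0 on success. */
int write_sample(const char *path)
{
	FILE *fp = fopen(path, "w");
	if (fp == NULL)
		return -1;
	fputs("pledge stdio rpath\nfreopen the file\nthen pledge stdio\n", fp);
	return fclose(fp);
}

/* Open the user-supplied file (NULL keeps stdin), then drop rpath at once:
 * after the single freopen(3) only stdio calls remain, which is what the
 * "stdio" promise covers. Returns the number of lines containing needle. */
int count_matching_lines(const char *path, const char *needle)
{
	char *line = NULL;
	size_t cap = 0;
	int matches = 0;
	if (pledge("stdio rpath", NULL) == -1)	/* rpath only for freopen */
		err(1, "pledge");
	if (path != NULL && freopen(path, "r", stdin) == NULL)
		err(1, "%s", path);
	if (pledge("stdio", NULL) == -1)	/* no further path access */
		err(1, "pledge");
	while (getline(&line, &cap, stdin) != -1)
		if (strstr(line, needle) != NULL)
			matches++;
	if (ferror(stdin))
		err(1, "getline");
	free(line);
	return matches;
}
```

On OpenBSD, promises can only shrink, so the second pledge() call cannot be undone later in the process; anything that still needs a path has to happen before it.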
