The third's the charm? :) OK?
On 20:23 Fri 14 Jun , Ricardo Mestre wrote: > ping? > > On 12:33 Wed 22 May , Ricardo Mestre wrote: > > Hi, > > > > Like we did on other daemons that cannot be pledged due to forbidden ioctls > > the > > main process can be unveiled to restrict filesystem access. In this case we > > can > > restrict it to only read, although it must be the entire / since the daemon > > is > > able to include config files from anywhere. > > > > Additionally the ldpe process currently has cpath promise to unlink the > > socket, > > nevertheless the socket is actually unlinked from the main proc so this > > permission can be removed. As we discussed before leaving the socket behind > > doesn't do any harm that's why I didn't unveil it in the main proc. > > > > Comments? OK? > > > > Index: ldpd.c > > =================================================================== > > RCS file: /cvs/src/usr.sbin/ldpd/ldpd.c,v > > retrieving revision 1.64 > > diff -u -p -u -r1.64 ldpd.c > > --- ldpd.c 31 Mar 2019 03:36:18 -0000 1.64 > > +++ ldpd.c 22 May 2019 11:09:33 -0000 > > @@ -222,6 +222,11 @@ main(int argc, char *argv[]) > > pipe_parent2ldpe[1], debug, global.cmd_opts & LDPD_OPT_VERBOSE, > > sockname); > > > > + if (unveil("/", "r") == -1) > > + fatal("unveil"); > > + if (unveil(NULL, NULL) == -1) > > + fatal("unveil"); > > + > > event_init(); > > > > /* setup signal handler */ > > Index: ldpe.c > > =================================================================== > > RCS file: /cvs/src/usr.sbin/ldpd/ldpe.c,v > > retrieving revision 1.75 > > diff -u -p -u -r1.75 ldpe.c > > --- ldpe.c 23 Jan 2019 02:02:04 -0000 1.75 > > +++ ldpe.c 22 May 2019 11:09:33 -0000 > > @@ -107,7 +107,7 @@ ldpe(int debug, int verbose, char *sockn > > setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) > > fatal("can't drop privileges"); > > > > - if (pledge("stdio cpath inet mcast recvfd", NULL) == -1) > > + if (pledge("stdio inet mcast recvfd", NULL) == -1) > > fatal("pledge"); > > > > event_init();
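Review bot: the unveil("/", "r") pair in the ldpd.c hunk is placed after the ldpe and lde children have already been started (the lines just above it hand pipe_parent2ldpe and sockname to the child), so it restricts only the parent process; that is consistent with the cover text, but the hunk should carry a short comment saying why the view has to be the whole filesystem (config files can be included from any path) and why only "r" is granted, otherwise the next reader will try to narrow it. With a read-only view, the parent's later unlink of the control socket will fail; please confirm the shutdown path treats that error as non-fatal, since the cover text explicitly accepts leaving the socket behind.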
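Review bot: removing cpath from the pledge string in the ldpe.c hunk is only safe if no code reachable from the ldpe process still performs a cpath-class operation (unlink, mkdir, rename and the like); the hunk shows only the pledge line, so the claim that the socket unlink lives in the parent cannot be checked from the diff itself. Suggest recording in the commit message where the unlink actually happens, and exercising a full start, reload (SIGHUP) and stop cycle to verify ldpe is not killed by a pledge violation.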