The third's the charm? :)

OK?

On 20:23 Fri 14 Jun     , Ricardo Mestre wrote:
> ping?
> 
> On 12:33 Wed 22 May     , Ricardo Mestre wrote:
> > Hi,
> > 
> > Like we did on other daemons that cannot be pledged due to forbidden ioctls
> > the main process can be unveiled to restrict filesystem access. In this case
> > we can restrict it to only read, although it must be the entire / since the
> > daemon is able to include config files from anywhere.
> > 
> > Additionally the ldpe process currently has cpath promise to unlink the
> > socket, nevertheless the socket is actually unlinked from the main proc so
> > this permission can be removed. As we discussed before leaving the socket
> > behind doesn't do any harm that's why I didn't unveil it in the main proc.
> > 
> > Comments? OK?
> > 
> > Index: ldpd.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/ldpd/ldpd.c,v
> > retrieving revision 1.64
> > diff -u -p -u -r1.64 ldpd.c
> > --- ldpd.c  31 Mar 2019 03:36:18 -0000      1.64
> > +++ ldpd.c  22 May 2019 11:09:33 -0000
> > @@ -222,6 +222,11 @@ main(int argc, char *argv[])
> >         pipe_parent2ldpe[1], debug, global.cmd_opts & LDPD_OPT_VERBOSE,
> >         sockname);
> >  
> > +   if (unveil("/", "r") == -1)
> > +           fatal("unveil");
> > +   if (unveil(NULL, NULL) == -1)
> > +           fatal("unveil");
> > +
> >     event_init();
> >  
> >     /* setup signal handler */
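Review bot: Both added unveil() calls report the same fatal("unveil") string, so a logged failure does not say whether the "/" rule or the final unveil(NULL, NULL) lock was the one that failed; consider a distinct message for the first, for example fatal("unveil /"). Because "/" is granted only "r", the main process can no longer remove the control socket at exit, which the message above accepts on purpose. A short comment above the block saying why the whole tree is needed (config files can be included from anywhere) and that the socket is deliberately left behind would keep a later reader from treating the leftover socket as a bug.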
> > Index: ldpe.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/ldpd/ldpe.c,v
> > retrieving revision 1.75
> > diff -u -p -u -r1.75 ldpe.c
> > --- ldpe.c  23 Jan 2019 02:02:04 -0000      1.75
> > +++ ldpe.c  22 May 2019 11:09:33 -0000
> > @@ -107,7 +107,7 @@ ldpe(int debug, int verbose, char *sockn
> >         setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
> >             fatal("can't drop privileges");
> >  
> > -   if (pledge("stdio cpath inet mcast recvfd", NULL) == -1)
> > +   if (pledge("stdio inet mcast recvfd", NULL) == -1)
> >             fatal("pledge");
> >  
> >     event_init();
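Review bot: Dropping cpath from the pledge() promises is only safe if ldpe no longer calls unlink() on the socket, and this diff removes no such call. The hunk header shows ldpe() still takes sockname, so please confirm that its shutdown path has no leftover unlink(sockname): under the new promise set that call would be a pledge violation that kills the process rather than a harmless failure. If one remains, delete it in the same commit.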
