Of course, when I mention in the second option to "unveil" /, it's just to call pledge with rpath, not actually calling unveil(2).
On 10:20 Thu 11 Jul , Ricardo Mestre wrote: > Hi, > > switchd(8)'s main proc needs to open the following paths, and which can be > unveiled: > > / -> read, it will open config files from anywhere in the system, and also > needs to open /etc/services > > /dev -> read/write, in order to open /dev/tap* and /dev/switch* > > Just before the main loop the devices were already opened so we can drop wpath > from pledge(2). We still need to keep rpath since the daemon may receive a > SIGHUP and reload the config files again, along with /etc/services. > > Another option is to just remove the current pledge(2) placement and add the > one I have below, this way there's no need to unveil /dev, just / . > > Comments? OK? > > Index: switchd.c > =================================================================== > RCS file: /cvs/src/usr.sbin/switchd/switchd.c,v > retrieving revision 1.16 > diff -u -p -u -r1.16 switchd.c > --- switchd.c 10 Sep 2018 13:21:39 -0000 1.16 > +++ switchd.c 11 Jul 2019 09:08:07 -0000 > @@ -191,6 +191,10 @@ main(int argc, char *argv[]) > > log_procinit("parent"); > > + if (unveil("/", "r") == -1) > + fatal("unveil"); > + if (unveil("/dev", "rw") == -1) > + fatal("unveil"); > /* > * pledge in the parent process: > * stdio - for malloc and basic I/O including events. > @@ -221,6 +225,9 @@ main(int argc, char *argv[]) > > if (parent_configure(sc) == -1) > fatalx("configuration failed"); > + > + if (pledge("stdio rpath inet dns sendfd", NULL) == -1) > + fatal("pledge"); > > event_dispatch(); > >
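Review bot: in the first hunk (the unveil calls before the "pledge in the parent process" comment), unveil("/", "r") exposes the whole filesystem read-only, which leaves almost nothing for unveil(2) to restrict; if the config file path has already been parsed by this point, consider unveiling that path and /etc/services with "r" instead of "/", keeping only unveil("/dev", "rw") as is. The hunk also has no unveil(NULL, NULL) terminator, which is acceptable only if the pledge(2) call that follows that comment omits the "unveil" promise so the list is locked there; the promise string is outside the hunk, so please confirm it in the full file.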
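Review bot: in the second hunk, the new pledge("stdio rpath inet dns sendfd", NULL) after parent_configure() drops wpath, so any later open(2) of /dev/tap* or /dev/switch* with O_RDWR (for instance if a SIGHUP reload adds a device that was not in the original config) will kill the process with SIGABRT rather than fail gracefully; confirm that the reload path only re-reads the config files and /etc/services and never opens devices, or keep wpath here. Also check that every promise in this string is present in the earlier pledge(2) in main(), since pledge(2) can only drop promises and returns EPERM on any addition; that earlier string is not visible in the diff. Note that per pledge(2) the dns promise already permits opening /etc/services, so rpath is justified here by the config reload, not by /etc/services.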
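The second pledge(2) in the diff must be a strict reduction of the first one, since pledge(2) refuses to add promises back. The following is an added example, not switchd(8) code, of a small helper that checks the subset relation before tightening; the promise strings are constructed to mirror the diff, pledge_tighten() is a hypothetical name, and on hosts without pledge(2) only the check runs (an assumption for portability).

```c
/* Added example, not part of switchd(8): refuse to call pledge(2) with a
 * promise string that would add a promise relative to the one already in
 * force, since pledge(2) would fail with EPERM and the usual fatal("pledge")
 * would then abort the daemon during the very reconfiguration it was meant
 * to survive. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if the token tok[0..toklen) appears as a whole, space-separated
 * word in set, else 0. */
static int
has_promise(const char *set, const char *tok, size_t toklen)
{
	const char *p = set;

	while (*p != '\0') {
		size_t n;

		p += strspn(p, " ");
		n = strcspn(p, " ");
		if (n == toklen && strncmp(p, tok, n) == 0)
			return 1;
		p += n;
	}
	return 0;
}

/* Return 1 if every promise in later also appears in earlier, else 0. */
static int
promises_subset(const char *earlier, const char *later)
{
	const char *p = later;

	while (*p != '\0') {
		size_t n;

		p += strspn(p, " ");
		n = strcspn(p, " ");
		if (n > 0 && !has_promise(earlier, p, n))
			return 0;
		p += n;
	}
	return 1;
}

/* Tighten from earlier to later.  Returns 0 on success, -1 with errno set.
 * EINVAL means later would add a promise; on OpenBSD the real pledge(2)
 * is called after the check, elsewhere the check is all that runs
 * (assumption: no pledge(2) on non-OpenBSD hosts). */
static int
pledge_tighten(const char *earlier, const char *later)
{
	if (!promises_subset(earlier, later)) {
		errno = EINVAL;
		return -1;
	}
#ifdef __OpenBSD__
	return pledge(later, NULL);
#else
	return 0;
#endif
}

int
main(void)
{
	/* Constructed promise sets mirroring the diff: the final pledge
	 * drops wpath once the tap/switch devices have been opened. */
	const char *initial = "stdio rpath wpath inet dns sendfd";
	const char *final = "stdio rpath inet dns sendfd";

	printf("drop wpath: %s\n",
	    pledge_tighten(initial, final) == 0 ? "ok" : strerror(errno));
	printf("re-add wpath: %s\n",
	    pledge_tighten(final, initial) == 0 ? "ok" : strerror(errno));
	return 0;
}
```

The check is deliberately order-insensitive and whitespace-tolerant, because promise strings in daemons are often assembled from several pieces; the useful property is that a reviewer can diff two literal strings and a test can assert the relation, rather than discovering an EPERM only at runtime.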