Of course when I mention in the second option to "unveil" / it's just to
call pledge with rpath, not actually calling unveil(2).
On 10:20 Thu 11 Jul, Ricardo Mestre wrote:
> Hi,
>
> switchd(8)'s main proc needs to open the following paths, which can be
> unveiled:
>
> / -> read, it will open config files from anywhere in the system, and also
> needs to open /etc/services
>
> /dev -> read/write, in order to open /dev/tap* and /dev/switch*
>
> Just before the main loop the devices were already opened, so we can drop wpath
> from pledge(2). We still need to keep rpath since the daemon may receive a
> SIGHUP and reload the config files again, along with /etc/services.
>
> Another option is to just remove the current pledge(2) placement and add the
> one I have below; this way there's no need to unveil /dev, just /.
>
> Comments? OK?
>
> Index: switchd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/switchd/switchd.c,v
> retrieving revision 1.16
> diff -u -p -u -r1.16 switchd.c
> --- switchd.c 10 Sep 2018 13:21:39 -0000 1.16
> +++ switchd.c 11 Jul 2019 09:08:07 -0000
> @@ -191,6 +191,10 @@ main(int argc, char *argv[])
>
> log_procinit("parent");
>
> + if (unveil("/", "r") == -1)
> + fatal("unveil");
> + if (unveil("/dev", "rw") == -1)
> + fatal("unveil");
> /*
> * pledge in the parent process:
> * stdio - for malloc and basic I/O including events.
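Review bot: the unveil list added before the comment block is only locked if the pledge(2) call that follows omits the "unveil" promise (or if an explicit unveil(NULL, NULL) is added after the "/dev" entry); the promises of that first pledge are outside the visible context, so please confirm one of the two holds, otherwise the "/" and "/dev" entries can still be widened later. Also, both failure paths call fatal("unveil"), so a failure log line cannot tell which path was rejected; fatal("unveil /") and fatal("unveil /dev") would make that clear.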
> @@ -221,6 +225,9 @@ main(int argc, char *argv[])
>
> if (parent_configure(sc) == -1)
> fatalx("configuration failed");
> +
> + if (pledge("stdio rpath inet dns sendfd", NULL) == -1)
> + fatal("pledge");
>
> event_dispatch();
>
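Review bot: pledge(2) fails with EPERM when a call requests a promise not present in the current set, so this second call only succeeds if "stdio rpath inet dns sendfd" is a subset of the promises in the first pledge, which is not visible in the hunk; please check that in particular "dns" and "sendfd" are already granted there. The first call is documented promise by promise in the comment block above it, while this one has no comment; a short note that wpath is dropped because the /dev/tap* and /dev/switch* devices are already open, and that rpath stays for the SIGHUP config and /etc/services reload, would keep the two calls consistently documented.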
>