ping and traceroute are setuid programs, so increased access-reduction
features are worthwhile.
They can both lock their filesystem visibility to "readonly" very early on.
The attack model being defended against is very obscure. It imagines a
bug in something between start-of-program and call-to-pledge (which
entirely removes filesystem access), implying a getaddrinfo-related
bug. Meanwhile, there is privdrop as another protection.
These still feel like improvements.
Index: usr.sbin/traceroute/traceroute.c
===================================================================
RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v
retrieving revision 1.161
diff -u -p -u -r1.161 traceroute.c
--- usr.sbin/traceroute/traceroute.c 28 Jun 2019 13:32:51 -0000 1.161
+++ usr.sbin/traceroute/traceroute.c 27 Aug 2019 17:56:56 -0000
@@ -327,6 +327,12 @@ main(int argc, char *argv[])
uid_t ouid, uid;
gid_t gid;
+ /* Cannot pledge due to special setsockopt()s below */
+ if (unveil("/", "r") == -1)
+ err(1, "unveil");
+ if (unveil(NULL, NULL) == -1)
+ err(1, "unveil");
+
if ((conf = calloc(1, sizeof(*conf))) == NULL)
err(1,NULL);
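Review bot: the comment on the new block, "/* Cannot pledge due to special setsockopt()s below */", says why pledge is not used at this point but not what the block does or that it is an interim measure; the cover text says pledge is called later and then removes filesystem access entirely, so someone reading traceroute.c on its own may conclude the program never pledges. Suggest something like "Cannot pledge yet because of the special setsockopt()s below; until then, limit the filesystem to read-only with unveil". The placement is right: unveil("/", "r") followed immediately by unveil(NULL, NULL) sits before the first allocation, the earliest point in main() this hunk shows, so the view is locked before anything derived from user input is touched, and failing closed with err(1, "unveil") on both calls means an unveil failure never leaves the program running with an unrestricted filesystem.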
Index: sbin/ping/ping.c
===================================================================
RCS file: /cvs/src/sbin/ping/ping.c,v
retrieving revision 1.237
diff -u -p -u -r1.237 ping.c
--- sbin/ping/ping.c 20 Jul 2019 00:49:54 -0000 1.237
+++ sbin/ping/ping.c 27 Aug 2019 17:56:17 -0000
@@ -264,6 +264,12 @@ main(int argc, char *argv[])
u_int rtableid = 0;
extern char *__progname;
+ /* Cannot pledge due to special setsockopt()s below */
+ if (unveil("/", "r") == -1)
+ err(1, "unveil");
+ if (unveil(NULL, NULL) == -1)
+ err(1, "unveil");
+
if (strcmp("ping6", __progname) == 0) {
v6flag = 1;
maxpayload = MAXPAYLOAD6;
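Review bot: unveil("/", "r") keeps the whole filesystem readable and only removes write, create and execute access, so against the pre-pledge bug the cover text has in mind (something on the getaddrinfo path) this block stops file modification but not disclosure. If the files the resolver needs before the later pledge are a small fixed set, a narrower read-only unveil of those paths would close the read side as well; if "/" is deliberate (for example because that set is not fixed), a word in the comment saying so would help, since the block and its comment are copied verbatim from traceroute.c and will likely be copied again. Doing this before the ping6 name check is consistent with the traceroute hunk: both programs lock the view at the top of main(), before any argument handling.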