[email protected]([email protected]) on 2021.06.15 14:12:22 +0000:
> > Seems to be working as intended. You are letting someone run all binaries.
> And I am not letting someone write to the filesystem. Yet, they can
> bypass that easily. `unveil("/", "rx")` gives a false illusion of
> security, which can even trip up OpenBSD maintainers (more below).
>
> > Or is it your expectation that all binaries should crash when they
> > cannot start ld.so or load libc?
> "/" is mounted for reads, why would a program crash while loading
> libc? You don't need write access to execute a program.
>
> > I'd say the problem is whoever wrote this unrealistic 2-liner code
> > example, oh wait, that is you.
> (and)
> > The expected uses of unveil and pledge aren't some weird fiction
> > of "oh look I can use them wrong".
> https://github.com/openbsd/src/commit/15e2c6823410e554b348cd3fb137566da656e866
>
> Also to be clear - I'm not throwing blame to the author of the commit
> here, it's not their fault. This behaviour isn't documented, so unless
> you have seen the exec() source, you wouldn't know about it.
If anything, that example shows that relayd needs to be redesigned to make good use of pledge() and unveil(). Because of the capability to reload the configuration (making it possible to change the path to external check programs), with the current structure of relayd it is impossible to do this better. The way relayd runs external check scripts needs to be changed such that a tighter unveil() becomes possible. Maybe you can come up with a patch?
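Added example (editor's illustration, not relayd's code and not code from anyone in this thread) of the shape the reply above is asking for: instead of a process-wide `unveil("/", "rx")` at startup, the parent forks per check and the child unveils only the one script it is about to exec, then locks unveil before `execv`. Because the path is only known at check time, this works even when the configuration is reloaded and the script path changes. Assumptions: an OpenBSD layout where a dynamically linked check program needs `/usr/libexec/ld.so` and `/usr/lib` readable (a static binary or a `/bin/sh` script needs neither); the `unveil(2)` calls are compiled out on non-OpenBSD systems so the file still builds, in which case the child simply runs unconfined. What `execve` does to unveil state afterwards is exactly what the thread disputes, so check `unveil(2)` and `pledge(2)` for the release you target before relying on this.

```c
/*
 * Illustrative only: confine one external check script in the child,
 * after fork and before exec, instead of unveil("/", "rx") in the parent.
 * Not relayd's code. unveil(2) is OpenBSD-specific; elsewhere the
 * confinement step is compiled out (see apply_unveils).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <err.h>

/* Assumption: standard OpenBSD layout for dynamically linked programs. */
static const char *const RO_PATHS[] = { "/usr/libexec/ld.so", "/usr/lib" };
#define N_RO (sizeof(RO_PATHS) / sizeof(RO_PATHS[0]))

struct uv { const char *path; const char *perms; };

/* Unveil list for one script: the script executable, the dynamic loader
 * and library directory readable, nothing writable or creatable.
 * Returns the number of entries, or -1 if 'out' is too small. */
int plan_unveils(const char *script, struct uv *out, size_t max)
{
	size_t n = 0;
	if (max < 1 + N_RO)
		return -1;
	out[n++] = (struct uv){ script, "x" };
	for (size_t i = 0; i < N_RO; i++)
		out[n++] = (struct uv){ RO_PATHS[i], "r" };
	return (int)n;
}

/* 1 if no entry grants "w" (write) or "c" (create), else 0. */
int plan_is_readonly(const struct uv *plan, int n)
{
	for (int i = 0; i < n; i++)
		if (strpbrk(plan[i].perms, "wc") != NULL)
			return 0;
	return 1;
}

static void apply_unveils(const struct uv *plan, int n)
{
#ifdef __OpenBSD__
	for (int i = 0; i < n; i++)
		if (unveil(plan[i].path, plan[i].perms) == -1)
			err(1, "unveil %s", plan[i].path);
	if (unveil(NULL, NULL) == -1)	/* lock: no further unveil calls */
		err(1, "unveil lock");
#else
	(void)plan; (void)n;		/* no unveil(2) here; child runs unconfined */
#endif
}

/* Fork, confine the child to this one script, exec it, and return its exit
 * status; 127 if exec failed, 128+signal if it was killed, -1 on fork/wait
 * failure. */
int run_check_confined(const char *script, char *const argv[])
{
	struct uv plan[8];
	int n = plan_unveils(script, plan, sizeof(plan) / sizeof(plan[0]));
	if (n < 0)
		return -1;

	pid_t pid = fork();
	if (pid == -1)
		return -1;
	if (pid == 0) {
		apply_unveils(plan, n);	/* tightened per script, post-fork */
		execv(script, argv);
		_exit(127);		/* exec failed */
	}
	int status;
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	if (WIFEXITED(status))
		return WEXITSTATUS(status);
	if (WIFSIGNALED(status))
		return 128 + WTERMSIG(status);
	return -1;
}

int main(int argc, char *argv[])
{
	if (argc < 2) {
		fprintf(stderr, "usage: %s /path/to/check [args...]\n", argv[0]);
		return 2;
	}
	int rc = run_check_confined(argv[1], argv + 1);
	printf("check %s exited %d\n", argv[1], rc);
	return rc == 0 ? 0 : 1;
}
```

The point of the structure is where the tightening happens: the parent never needs a broad unveil, and each child's view of the filesystem is decided from the script path in the configuration that is current at that moment, so a reload changes the next child's plan rather than requiring a wider standing grant. If the check is a shell script, the interpreter it names would also need "x"; the plan above does not parse shebangs.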
