On 22-12-29 08:58PM, Stefan Sperling wrote:
> On Thu, Dec 29, 2022 at 07:27:00PM +0100, Stefan Sperling wrote:
> > Remove filesystem access via bind(2) from gotd's auth process.
> > See the added comment for rationale, and keep in mind that
> > AF_UNIX bind(2) requires unveil "w".
> > 
> > ok?
> 
> Omar pointed out on IRC that we need to add an unveil rule
> before locking unveil.

yes, makes sense. ok

> diff 365cf0f34d08316d433e730a8663283029f729b3 fdc9c76e0b23708faf82df8e055ddf5895344150
> commit - 365cf0f34d08316d433e730a8663283029f729b3
> commit + fdc9c76e0b23708faf82df8e055ddf5895344150
> blob - 05f659daea632d0e305556351e4d6a5e97519fa0
> blob + b79d7d9818993976319266976df74331b6ba4d71
> --- gotd/gotd.c
> +++ gotd/gotd.c
> @@ -2371,6 +2371,16 @@ apply_unveil(void)
>  }
>  
>  static void
> +apply_unveil_none(void)
> +{
> +	if (unveil("/", "") == -1)
> +		fatal("unveil");
> +
> +	if (unveil(NULL, NULL) == -1)
> +		fatal("unveil");
> +}
> +
> +static void
>  apply_unveil(void)
>  {
>  	struct gotd_repo *repo;
> @@ -2582,9 +2592,17 @@ main(int argc, char **argv)
>  		break;
>  	case PROC_AUTH:
>  #ifndef PROFILE
> -		if (pledge("stdio getpw recvfd unix", NULL) == -1)
> +		if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
>  			err(1, "pledge");
>  #endif
> +		/*
> +		 * We need the "unix" pledge promise for getpeername(2) only.
> +		 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
> +		 * filesystem access via unveil(2). Access to password database
> +		 * files will still work since "getpw" bypasses unveil(2).
> +		 */
> +		apply_unveil_none();
> +
>  		auth_main(title, &gotd.repos, repo_path);
>  		/* NOTREACHED */
>  		break;
> 

-- 
Mark Jamsek <fnc.bsdbox.org>
GPG: F2FF 13DE 6A06 C471 CA80  E6E2 2930 DC66 86EE CF68