gotd listen process needs apply_unveil_none()
It occurred to me that the gotd listen process is able to create new unix sockets via bind(2) because it does not use unveil(2) to block its view of the filesystem. I have verified that a socket can indeed be bound successfully after pledge("stdio unix"), and that bind(2) fails with ENOENT when the code in apply_unveil_none() is run between pledge("stdio unix") and bind(2). ok? diff 7843333165edf3bdaa739cd96c701e1b7d53aa81 d1827c669107e7273a53e5b4de4e91b624569d83 commit - 7843333165edf3bdaa739cd96c701e1b7d53aa81 commit + d1827c669107e7273a53e5b4de4e91b624569d83 blob - e50353765bff681f33ccb4684dc31c73acce7967 blob + ebce2cfaa618ecbd64466a003b70fe6044a4fafe --- gotd/gotd.c +++ gotd/gotd.c @@ -2544,9 +2544,15 @@ main(int argc, char **argv) break; case PROC_LISTEN: #ifndef PROFILE - if (pledge("stdio sendfd unix", NULL) == -1) + if (pledge("stdio sendfd unix unveil", NULL) == -1) err(1, "pledge"); #endif + /* + * Ensure that AF_UNIX bind(2) cannot be used with any other + * sockets by revoking all filesystem access via unveil(2). + */ + apply_unveil_none(); + listen_main(title, fd, gotd.connection_limits, gotd.nconnection_limits); /* NOTREACHED */
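Review bot: the "unveil" promise stays in the pledge set for the whole life of the listen process; once apply_unveil_none() has run, a second pledge("stdio sendfd unix", NULL) right before listen_main() would drop it so the process can never call unveil(2) again (this assumes listen_main() does not re-pledge itself; if it does, that later pledge should simply omit "unveil"). It is also worth confirming that apply_unveil_none() ends with unveil(NULL, NULL) to lock the (empty) view, since an unlocked unveil state could otherwise be widened later by a compromised process. The new comment is slightly misleading: the restriction is that bind(2) can no longer create a socket file anywhere in the filesystem (the ENOENT observed in the message), not that other sockets cannot be used; something like "cannot create any new socket files in the filesystem" would state that more precisely. Since the listening socket is handed to listen_main() as an already-bound fd, this ordering does not break the existing listener.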