From: Stefan Sperling
Subject: gotd auth unveil
To: gameoftrees@openbsd.org
Date: Thu, 29 Dec 2022 19:27:00 +0100
Remove filesystem access via bind(2) from gotd's auth process. See the added comment for rationale, and keep in mind that AF_UNIX bind(2) requires unveil "w". ok?
diff 365cf0f34d08316d433e730a8663283029f729b3 e5a2e986b1e0218e92b07c306c988228361d287a
commit - 365cf0f34d08316d433e730a8663283029f729b3
commit + e5a2e986b1e0218e92b07c306c988228361d287a
blob - 05f659daea632d0e305556351e4d6a5e97519fa0
blob + df8e6d3dd6fc2d0d820022d725c5ad99e5c3d54b
--- gotd/gotd.c
+++ gotd/gotd.c
@@ -2582,9 +2582,18 @@ main(int argc, char **argv)
 break;
 case PROC_AUTH:
 #ifndef PROFILE
- if (pledge("stdio getpw recvfd unix", NULL) == -1)
+ if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
 err(1, "pledge");
 #endif
+ /*
+ * We need the "unix" pledge promise for getpeername(2) only.
+ * Ensure that AF_UNIX bind(2) cannot be used by revoking all
+ * filesystem access via unveil(2). Access to password database
+ * files will still work since "getpw" bypasses unveil(2).
+ */
+ if (unveil(NULL, NULL) == -1)
+ fatal("unveil");
+
 auth_main(title, &gotd.repos, repo_path);
 /* NOTREACHED */
 break;
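Review bot: The new `unveil(NULL, NULL)` check reports failure with `fatal("unveil")` while the `pledge()` check two lines above in the same `case PROC_AUTH:` uses `err(1, "pledge")`, so the two sandboxing calls in this case fail through different paths (exit status, where the message is reported); unless `fatal` is deliberately preferred at this point of startup, make them agree, e.g. `err(1, "unveil");`. The unveil call also sits outside the `#ifndef PROFILE` guard that excludes the pledge; if that guard exists so profiling builds can write their output at exit, revoking all filesystem access unconditionally presumably defeats it, and guarding the unveil the same way would keep the two consistent. The enclosing `main()` starts and ends outside the hunk.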