From: Stefan Sperling
Subject: gotd listen process needs apply_unveil_none()
To: gameoftrees@openbsd.org
Date: Wed, 4 Jan 2023 21:57:26 +0100

It occurred to me that the gotd listen process is able to create new unix sockets via bind(2) because it does not use unveil(2) to block its view of the filesystem. I have verified that a socket can indeed be bound successfully after pledge("stdio unix"), and that bind(2) fails with ENOENT when the code in apply_unveil_none() is run between pledge("stdio unix") and bind(2).

ok?

diff 7843333165edf3bdaa739cd96c701e1b7d53aa81 d1827c669107e7273a53e5b4de4e91b624569d83 commit - 7843333165edf3bdaa739cd96c701e1b7d53aa81 commit + d1827c669107e7273a53e5b4de4e91b624569d83 blob - e50353765bff681f33ccb4684dc31c73acce7967 blob + ebce2cfaa618ecbd64466a003b70fe6044a4fafe --- gotd/gotd.c +++ gotd/gotd.c @@ -2544,9 +2544,15 @@ main(int argc, char **argv) break; case PROC_LISTEN: #ifndef PROFILE - if (pledge("stdio sendfd unix", NULL) == -1) + if (pledge("stdio sendfd unix unveil", NULL) == -1) err(1, "pledge"); #endif + /* + * Ensure that AF_UNIX bind(2) cannot be used with any other + * sockets by revoking all filesystem access via unveil(2). + */ + apply_unveil_none(); + listen_main(title, fd, gotd.connection_limits, gotd.nconnection_limits); /* NOTREACHED */
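Review bot: after apply_unveil_none() returns, the process keeps the "unveil" promise added to the pledge(2) call just above it for the whole of listen_main(). If apply_unveil_none() ends with the locking unveil(NULL, NULL) call (its body is not shown in this hunk), a second pledge("stdio sendfd unix", NULL) immediately after it would drop that promise again, keeping "unveil" only for the window in which unveil(2) is actually called. The new comment would also be clearer if it named what is being prevented: "cannot be used with any other sockets" reads oddly, whereas the mail's point is that bind(2) can no longer create a socket file at any filesystem path once all access has been revoked.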
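The experiment the mail describes, written out as an added example (this is not code from the mail or from gotd): a process pledged to "stdio unix" can still create an AF_UNIX socket file with bind(2), and once a locking unveil(NULL, NULL) has revoked every filesystem path, the same bind(2) fails with ENOENT. The example assumes it runs on OpenBSD and uses unveil(NULL, NULL) directly where gotd calls apply_unveil_none(), which is assumed to do the same thing; the socket paths under /tmp are constructed for the demonstration. On other systems pledge(2) and unveil(2) are stubbed as no-ops so the file still compiles, and the second bind then simply succeeds.

```c
/*
 * Added demonstration, not code from the mail or from gotd: reproduces the
 * experiment described above. pledge("stdio unix") by itself still lets
 * bind(2) create an AF_UNIX socket file; after all filesystem access has
 * been revoked by a locking unveil(NULL, NULL) (assumed here to be what
 * gotd's apply_unveil_none() does), bind(2) fails with ENOENT.
 *
 * Assumption: runs on OpenBSD. Elsewhere pledge(2)/unveil(2) are stubbed
 * as no-ops so the file compiles, and the second bind simply succeeds.
 */
#include <sys/socket.h>
#include <sys/un.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
#define EXPECT_AFTER_LOCKDOWN ENOENT   /* what the mail reports */
#else
#define EXPECT_AFTER_LOCKDOWN 0        /* stubs below impose no restriction */
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
static int unveil(const char *path, const char *permissions)
{ (void)path; (void)permissions; return 0; }
#endif

/* Constructed socket paths; removed before pledging so each run starts clean. */
#define SOCK_BEFORE "/tmp/unveil_demo_before.sock"
#define SOCK_AFTER  "/tmp/unveil_demo_after.sock"

/* bind(2) an AF_UNIX socket at path; returns 0 on success, else errno. */
static int
try_bind(const char *path)
{
	struct sockaddr_un sun;
	int fd, saved = 0;

	if (strlen(path) >= sizeof(sun.sun_path))
		return ENAMETOOLONG;
	fd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (fd == -1)
		return errno;
	memset(&sun, 0, sizeof(sun));
	sun.sun_family = AF_UNIX;
	strcpy(sun.sun_path, path);
	if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1)
		saved = errno;
	close(fd);
	return saved;
}

/*
 * Run the experiment in this process (pledge is irreversible, so call it
 * once): *before receives the bind result under pledge alone, *after the
 * result once unveil(NULL, NULL) has locked the process out of the
 * filesystem. Returns 0, or errno if pledge/unveil themselves fail.
 */
static int
run_experiment(int *before, int *after)
{
	/* Remove leftovers while we still have full filesystem access;
	 * unlink(2) needs the "cpath" promise, which we do not keep. */
	unlink(SOCK_BEFORE);
	unlink(SOCK_AFTER);

	/* "unveil" is needed only until the locking unveil(NULL, NULL) call. */
	if (pledge("stdio unix unveil", NULL) == -1)
		return errno;
	*before = try_bind(SOCK_BEFORE);

	/* Nothing unveiled, then lock: the process now sees no filesystem. */
	if (unveil(NULL, NULL) == -1)
		return errno;
	/* Drop "unveil" again now that it is no longer needed. */
	if (pledge("stdio unix", NULL) == -1)
		return errno;
	*after = try_bind(SOCK_AFTER);
	return 0;
}

/* 1 if the first bind succeeded and the second gave EXPECT_AFTER_LOCKDOWN. */
static int
experiment_as_expected(void)
{
	int before = -1, after = -1;

	if (run_experiment(&before, &after) != 0)
		return 0;
	return before == 0 && after == EXPECT_AFTER_LOCKDOWN;
}

int
main(void)
{
	int before = -1, after = -1, rc;

	rc = run_experiment(&before, &after);
	if (rc != 0) {
		fprintf(stderr, "pledge/unveil failed: %s\n", strerror(rc));
		return 1;
	}
	printf("bind under pledge only:       %s\n", before ? strerror(before) : "ok");
	printf("bind after unveil(NULL,NULL): %s\n", after ? strerror(after) : "ok");
	return 0;
}
```

The socket file created by the first bind(2) is deliberately left behind: after pledge("stdio unix") the process can no longer unlink(2) it, which is why both paths are cleaned up before the pledge call instead. The re-pledge without "unveil" after the locking call is the same narrowing a reviewer would ask for in the gotd hunk.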