From: Mikhail <mp39590@gmail.com>
Subject: Re: gotd: unveil in PROFILE builds
To: gameoftrees@openbsd.org
Date: Mon, 1 May 2023 21:43:19 +0300

On Mon, May 01, 2023 at 09:25:50PM +0300, Mikhail wrote:
> apply_unveil_none() hides whole file system and it makes getpwuid fail
> in PROFILE builds

Not my day. Better patch to disable all unveils:


diff /home/misha/work/got
commit - c000aa350eac5ac329beb278a513e5f978d2a463
path + /home/misha/work/got
blob - 23fb7de78a4d49528a35ce6f683badab359d83bc
file + gotd/gotd.c
--- gotd/gotd.c
+++ gotd/gotd.c
@@ -1644,6 +1644,7 @@ static void
 	return NULL;
 }
 
+#ifndef PROFILE
 static void
 apply_unveil_repo_readonly(const char *repo_path)
 {
@@ -1686,6 +1687,7 @@ apply_unveil_selfexec(void)
 	if (unveil(NULL, NULL) == -1)
 		fatal("unveil");
 }
+#endif
 
 int
 main(int argc, char **argv)
@@ -1841,12 +1843,12 @@ main(int argc, char **argv)
 #ifndef PROFILE
 		if (pledge("stdio sendfd unix unveil", NULL) == -1)
 			err(1, "pledge");
-#endif
 		/*
 		 * Ensure that AF_UNIX bind(2) cannot be used with any other
 		 * sockets by revoking all filesystem access via unveil(2).
 		 */
 		apply_unveil_none();
+#endif
 
 		listen_main(title, fd, gotd.connection_limits,
 		    gotd.nconnection_limits);
@@ -1856,7 +1858,6 @@ main(int argc, char **argv)
 #ifndef PROFILE
 		if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
 			err(1, "pledge");
-#endif
 		/*
 		 * We need the "unix" pledge promise for getpeername(2) only.
 		 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
@@ -1864,6 +1865,7 @@ main(int argc, char **argv)
 		 * files will still work since "getpw" bypasses unveil(2).
 		 */
 		apply_unveil_none();
+#endif
 
 		auth_main(title, &gotd.repos, repo_path);
 		/* NOTREACHED */
@@ -1877,8 +1879,8 @@ main(int argc, char **argv)
 		if (pledge("stdio rpath wpath cpath recvfd sendfd fattr flock "
 		    "unveil", NULL) == -1)
 			err(1, "pledge");
-#endif
 		apply_unveil_repo_readwrite(repo_path);
+#endif
 		session_main(title, repo_path, pack_fds, temp_fds,
 		    &gotd.request_timeout);
 		/* NOTREACHED */
@@ -1887,8 +1889,8 @@ main(int argc, char **argv)
 #ifndef PROFILE
 		if (pledge("stdio rpath recvfd unveil", NULL) == -1)
 			err(1, "pledge");
-#endif
 		apply_unveil_repo_readonly(repo_path);
+#endif
 		repo_read_main(title, repo_path, pack_fds, temp_fds);
 		/* NOTREACHED */
 		exit(0);
@@ -1896,8 +1898,8 @@ main(int argc, char **argv)
 #ifndef PROFILE
 		if (pledge("stdio rpath recvfd unveil", NULL) == -1)
 			err(1, "pledge");
-#endif
 		apply_unveil_repo_readonly(repo_path);
+#endif
 		repo = gotd_find_repo_by_path(repo_path, &gotd);
 		if (repo == NULL)
 			fatalx("no repository for path %s", repo_path);
@@ -1914,7 +1916,9 @@ main(int argc, char **argv)
 	if (proc_id != PROC_GOTD)
 		fatal("invalid process id %d", proc_id);
 
+#ifndef PROFILE
 	apply_unveil_selfexec();
+#endif
 
 	signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
 	signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);