From: Omar Polo
Subject: Re: gotd: unveil in PROFILE builds
To: Mikhail
Cc: gameoftrees@openbsd.org
Date: Tue, 02 May 2023 19:50:47 +0200

On 2023/05/01 21:43:19 +0300, Mikhail wrote:
> On Mon, May 01, 2023 at 09:25:50PM +0300, Mikhail wrote:
> > apply_unveil_none() hides whole file system and it makes getpwuid fail
> > in PROFILE builds
>
> Not my day. Better patch to disable all unveils:

I'm not sure it's a good idea to disable unveil in gotd PROFILE builds; we usually don't do that.

Since the getpw pledge is only used in the auth process, what about disabling unveil() only in that process and comment why we're doing that?

(admittedly only build tested)

diff /home/op/w/got commit - c000aa350eac5ac329beb278a513e5f978d2a463 path + /home/op/w/got blob - 23fb7de78a4d49528a35ce6f683badab359d83bc file + gotd/gotd.c --- gotd/gotd.c +++ gotd/gotd.c @@ -1856,14 +1856,18 @@ main(int argc, char **argv) #ifndef PROFILE if (pledge("stdio getpw recvfd unix unveil", NULL) == -1) err(1, "pledge"); -#endif + /* * We need the "unix" pledge promise for getpeername(2) only. * Ensure that AF_UNIX bind(2) cannot be used by revoking all * filesystem access via unveil(2). Access to password database * files will still work since "getpw" bypasses unveil(2). + * + * Can't unveil in PROFILE because getpwuid(3) will + * fail since we lack pledge in those builds. */ apply_unveil_none(); +#endif auth_main(title, &gotd.repos, repo_path); /* NOTREACHED */
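
Review bot: The two added comment lines ("Can't unveil in PROFILE because getpwuid(3) will fail since we lack pledge in those builds") give the effect but not the mechanism, even though the sentence just above them supplies it: password database access survives unveil(2) only because "getpw" bypasses it, and a PROFILE build never makes the pledge call, so apply_unveil_none() hides those files too. Suggest wording the comment that way. With the `#endif` moved below apply_unveil_none(), the auth process in a PROFILE build runs with neither restriction, so the AF_UNIX bind(2) guarantee described in the same comment does not hold there; the comment should say so. Now that the block under `#ifndef PROFILE` spans the whole comment, the closing line would be easier to match up as `#endif /* !PROFILE */`. The message notes this was only build tested; a PROFILE run that reaches getpwuid(3) in the auth process would confirm the change.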