From: Stefan Sperling Subject: Re: fix gotwebd unveil settings To: Omar Polo Cc: gameoftrees@openbsd.org Date: Tue, 14 Nov 2023 09:08:35 +0100 On Tue, Nov 14, 2023 at 08:50:46AM +0100, Omar Polo wrote: > On 2023/11/13 21:42:37 +0100, Stefan Sperling wrote: > > gotwebd has no reason to write or create new files anywhere in the > > web server's chroot dir. The only directory where it needs to create > > or write to files is /var/www/tmp. > ^^^^^^^^ > wrong, just /tmp/ Indeed. I forgot that we moved temp file creation outside the chroot when gotd came around. > > ok? > > OK op@ with the unveil(GOT_TMPDIR_STR) removed (and maybe even > unveil(GOTWEBD_CONF) since it's already parsed and we don't do > reloading) Thanks! It does run with /tmp removed. Even better. I will keep the config file for now. Hopefully we'll add reload functionality some day.
diff /home/stsp/src/got
commit - b1c090542f4ecaf993fc81468338839febcb8e37
path + /home/stsp/src/got
blob - 341d3774c799acfb106876120fa0e5ae0b9131c0
file + gotwebd/sockets.c
--- gotwebd/sockets.c
+++ gotwebd/sockets.c
@@ -53,6 +53,7 @@
 #include "got_opentemp.h"
 #include "got_reference.h"
 #include "got_repository.h"
+#include "got_privsep.h"
 #include "proc.h"
 #include "gotwebd.h"
 
@@ -112,8 +113,8 @@ sockets_run(struct privsep *ps, struct privsep_proc *p
 	signal_add(&ps->ps_evsigchld, NULL);
 
 #ifndef PROFILE
-	if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd",
-	    NULL) == -1)
+	if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd "
+	    "unveil", NULL) == -1)
 		fatal("pledge");
 #endif
 }
@@ -246,6 +247,8 @@ static void
 sockets_launch(void)
 {
 	struct socket *sock;
+	struct server *srv;
+	const struct got_error *error;
 
 	TAILQ_FOREACH(sock, &gotwebd_env->sockets, entry) {
 		log_debug("%s: configuring socket %d (%d)", __func__,
@@ -262,6 +265,18 @@ sockets_launch(void)
 		log_debug("%s: running socket listener %d", __func__,
 		    sock->conf.id);
 	}
+
+	TAILQ_FOREACH(srv, &gotwebd_env->servers, entry) {
+		if (unveil(srv->repos_path, "r") == -1)
+			fatal("unveil %s", srv->repos_path);
+	}
+
+	error = got_privsep_unveil_exec_helpers();
+	if (error)
+		fatal("%s", error->msg);
+
+	if (unveil(NULL, NULL) != 0)
+		fatal("unveil");
 }
 
 static void
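Review bot: After the final `unveil(NULL, NULL)` the sockets process still holds the "unveil" promise that the pledge in sockets_run (the @@ -112 hunk) adds, so the unveil(2) syscall remains callable even though the view is locked. The usual OpenBSD idiom is to re-pledge without that promise once the last unveil call has been made, e.g. `if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd", NULL) == -1)` / `fatal("pledge");` right after the lock, under the same `#ifndef PROFILE` guard that sockets_run uses, so the promise list only ever shrinks. The lock check also tests `!= 0` while every other unveil/pledge call in this diff tests `== -1`; using `== -1` throughout keeps the error checks consistent. Whether "wpath cpath" are still required after this change depends on where got_opentemp writes, which is outside this diff.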