On Thu, Apr 23, 2020 at 09:33:51AM +0200, Peter J. Philipp wrote:
> Hi,
> 
> From the unveil manpage:
> 
>      The first call to unveil() removes visibility of the entire filesystem
>      from all other filesystem-related system calls (such as open(2), chmod(2)
>      and rename(2)), except for the specified path and permissions.
> 
> Can the first call also be the last?  I have a test program called
> unveiltest.c, and it does the following:
> 
> ----paste---->
> #include <sys/types.h>
> #include <unistd.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <stdlib.h>
> 
> int
> main(void)
> {
>         int fd;
> 
> #ifdef UNVEIL_MOTD
>         /* optional rule: let /etc/motd be read before the rules are locked */
>         if (unveil("/etc/motd", "r") < 0)
>                 perror("unveil");
> #endif
>         /* lock the rule set; without UNVEIL_MOTD this is the only unveil() call */
>         if (unveil(NULL, NULL) < 0)
>                 perror("unveil");
>         
>         /* keep probing /etc/motd once a second so the effect can be watched */
>         for (;;) {
>                 if ((fd = open("/etc/motd", O_RDONLY, 0)) < 0)
>                         perror("open");
>                 else
>                         close(fd);
> 
>                 sleep(1);
>         }
> }
> <------
> 
> When I run it without UNVEIL_MOTD, meaning my first (and last) unveil was
> NULL, NULL.. it doesn't deny /etc/motd reads.
> 
> beta$ cc -g -o unveiltest unveiltest.c               
> beta$ ./unveiltest                     
> ^C
> 
> beta$ ps ax | grep unveiltest
> 21482 pg  S+       0:00.10 ./unveiltest
> 98206 ph  R+/3     0:00.00 grep unveiltest
> 
> And when I recompile with UNVEIL_MOTD same behaviour:
> 
> beta$ cc -g -DUNVEIL_MOTD -o unveiltest unveiltest.c 
> beta$ ./unveiltest                              
> ^C
> 
> except there is a difference in the ps listing:
> 
> beta$ ps ax | grep unveiltest 
> 40907 pg  S+U      0:00.01 ./unveiltest
> 40013 ph  R+/2     0:00.00 grep unveiltest
> 
> Am I interpreting the unveil manpage wrong, or is it written wrong?  I did have
> a first call to unveil in the first example, only it's NULL, NULL, me telling
> the system I don't want anything opened at all.  Is there any way to do that?
> 
> Or is that pledge()'s job?  
> 
> Another weird one I have is that I call unveil() on a path but chroot() later,
> then call unveil(NULL, NULL), and the ps flag doesn't indicate the U flag.  Is
> the unveil lost because of the chroot()?
> 
> Best regards,
> -peter
> 

Hi,

Below the quoted part, the man page says:

"    After establishing a collection of path and permissions rules, future
     calls to unveil() can be disabled by passing two NULL arguments.
     Alternatively, pledge(2) may be used to remove the "unveil" promise."

So you could use the code:

        if (unveil("/", "") == -1)
                err(1, "unveil");
        if (unveil(NULL, NULL) == -1)
                err(1, "unveil");

For example see netcat, vmstat.

By the way, maybe it's intentional, but perror does not exit the program. The
often-used pattern is:

        err(1, "unveil");

-- 
Kind regards,
Hiltjo

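An added example, not code from Peter's test program or from Hiltjo's reply: the deny-everything pattern the reply points at (unveil("/", "") followed by unveil(NULL, NULL)), with a probe of the same path before and after so the effect is visible, and err(3) instead of perror(3) so a failed sandbox setup stops the program. It assumes an OpenBSD host; unveil(2) does not exist elsewhere, so on other systems the lockdown step is compiled out and lock_down_fs() reports ENOSYS. /etc/motd is just a file that normally exists before lockdown; probe_open() and lock_down_fs() are names chosen for this example.

```c
/*
 * unveil_denyall.c -- added example, not code from the thread above.
 *
 * Hide the whole filesystem from a process:
 *   unveil("/", "")     one rule that covers every path and grants nothing
 *   unveil(NULL, NULL)  lock the rule set so later unveil() calls are refused
 * Peter's first build called only unveil(NULL, NULL), with no rule before it,
 * and his run showed /etc/motd stayed readable; the "/" rule is the missing
 * piece.
 *
 * unveil(2) exists only on OpenBSD.  Elsewhere the lockdown is compiled out
 * and lock_down_fs() fails with ENOSYS, so the file still builds (assumption
 * made here for portability, not part of the OpenBSD API).
 */
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Try to open `path` read-only.  Returns 0 if the open succeeded, otherwise
 * the errno value open(2) left behind, so the result before and after the
 * unveil rules are installed can be compared.
 */
int
probe_open(const char *path)
{
	int fd, saved;

	fd = open(path, O_RDONLY);
	if (fd == -1) {
		saved = errno;
		return saved;
	}
	close(fd);
	return 0;
}

/*
 * Install the deny-everything rule set and lock it.  Returns 0 on success,
 * -1 with errno set on failure.  The caller should treat failure as fatal:
 * continuing without the restriction is the bug a sandbox exists to prevent.
 */
int
lock_down_fs(void)
{
#ifdef __OpenBSD__
	/* "/" with an empty permission string: every path matches, nothing is allowed. */
	if (unveil("/", "") == -1)
		return -1;
	/* Two NULLs: freeze the rules; no later unveil() can widen them. */
	if (unveil(NULL, NULL) == -1)
		return -1;
	return 0;
#else
	errno = ENOSYS;	/* no unveil(2) on this platform */
	return -1;
#endif
}

int
main(void)
{
	const char *path = "/etc/motd";	/* any file that exists before lockdown */
	int before, after;

	before = probe_open(path);
	printf("before lockdown: open(%s) -> %s\n", path,
	    before == 0 ? "ok" : strerror(before));

	if (lock_down_fs() == -1)
		err(1, "unveil");	/* prints the reason and exits; perror() alone would not */

	after = probe_open(path);
	printf("after lockdown:  open(%s) -> %s\n", path,
	    after == 0 ? "ok" : strerror(after));

	/* Non-zero exit if the sandbox did not take effect. */
	return after == 0 ? 1 : 0;
}
```

On OpenBSD the second probe fails and the process shows the U flag in ps, like Peter's second build; the difference from his first build is only the "/" rule, which gives unveil(NULL, NULL) something to lock.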