This service seems like a common dependency for desktop environments
and runs as root speaking D-Bus without any active security mechanisms.

ioctl(2) for cd(4) and sysctl(2) hw.disknames usage currently prevents
using pledge(2).

Use unveil("/", "rwc") for starters to strip x bits as, by design, this
daemon is not executing anything (it spawns a thread, though).

Perhaps "c" could be dropped as well, but I haven't looked that far into
its Qt and D-Bus tentacles to check whether it does indeed never try
to create any files.

This works for me under Xfce.
Feedback? Objection? OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/sysutils/openbsdisks2/Makefile,v
diff -u -p -r1.8 Makefile
--- Makefile    27 Sep 2023 17:16:32 -0000      1.8
+++ Makefile    8 Nov 2023 10:27:38 -0000
@@ -2,6 +2,7 @@ COMMENT =       UDisks2 service implementation
 
 V =            0.3.1
 DISTNAME =     openbsdisks2-${V}
+REVISION =     0
 
 CATEGORIES =   sysutils
 
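Review bot: REVISION = 0 is the correct first bump here, since the surrounding context shows no existing REVISION line and the new src/main.cpp patch changes the built binary; placing it directly after DISTNAME matches the usual layout in the tree.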
@@ -15,6 +16,7 @@ PERMIT_PACKAGE =      Yes
 # C++
 COMPILER =     base-clang ports-gcc
 
+# uses unveil()
 WANTLIB += ${COMPILER_LIBCXX} Qt5Core Qt5DBus c m util
 
 SITES =        
https://github.com/sizeofvoid/openbsdisks2/releases/download/v${V}/
Index: patches/patch-src_main_cpp
===================================================================
RCS file: patches/patch-src_main_cpp
diff -N patches/patch-src_main_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_main_cpp  8 Nov 2023 10:56:01 -0000
@@ -0,0 +1,28 @@
+Uncovered sysctl(2) and ioctl(2) prevents pledge(2) usage.
+unveil(2) all files read-write-create to prevent execution.
+Index: src/main.cpp
+--- src/main.cpp.orig
++++ src/main.cpp
+@@ -34,8 +34,10 @@
+ #include "manageradaptor.h"
+ #include "objectmanager.h"
+ 
++#include <err.h>
+ #include <iostream>
+ #include <syslog.h>
++#include <unistd.h>
+ 
+ #include <QSet>
+ 
+@@ -84,6 +86,11 @@ static void msg_handler(QtMsgType type, const QMessage
+ 
+ int main(int argc, char** argv)
+ {
++    if (unveil("/", "rwc") == -1)
++        err(1, "unveil /");
++    if (unveil(NULL, NULL) == -1)
++        err(1, "unveil NULL");
++
+     qInstallMessageHandler(msg_handler);
+ 
+     qRegisterMetaType<Configuration>();
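Review bot: the two err(1, ...) exits in the `int main` hunk run before qInstallMessageHandler and before any Qt or syslog setup, so an unveil(2) failure is only written to stderr, which a root D-Bus service started by the desktop usually has nowhere visible; consider logging the failure through syslog(3) (the header is already included) before exiting so a broken unveil is diagnosable. Calling unveil before QCoreApplication is constructed is the right order, since any Qt plugin or D-Bus file lookups then happen under the restriction. Keep in mind what "rwc" on "/" does and does not buy: it only removes the "x" permission, i.e. execve(2)-style execution of files, and since pledge(2) cannot be applied (per the hunk's own header comment) the process keeps full syscall access; the patch header should say so rather than "to prevent execution" alone, so nobody reads it as a broader sandbox. The final unveil(NULL, NULL) is correct to lock the set, and both new includes (err.h, unistd.h) are needed.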
