On Tue, Jun 11, 2019 at 11:55:29AM -0600, Theo de Raadt wrote: > Bryan Steele <bry...@gmail.com> wrote: > > > In addition to what Stuart said, irssi is using libperl here for perl > > scripts, which means the irssi unveil will be applied to them. There > > are many uses for perl scripts, and many involve reading arbitrary files > > and there's no way to know that upfront. > > Keep in mind unveil is different from pledge. > > With pledge, you get killed. Unacceptably inconvenient to have that in > a sustained runtime, when you suddenly trigger a new feature. > > With unveil, a hidden file is EACCES or ENOENT therefore a deeply > complicated feature may *subtly misbehave* if it continues operation > in the absence of a control file or something. > > I think making this a getopt flag is a disaster. > > It was done with chrome *temporarily* during test phases, but sustained > use of flags tied to low-level features is seriously user hostile. >
The following patch makes the irssi unveiled version a new flavor, with unveil/pledge optin. I think this is best option. This is optin AND the package name is explicit, nobody should be surprised of irssi-unveil blocking some plugins. Index: Makefile =================================================================== RCS file: /data/cvs/ports/net/irssi/Makefile,v retrieving revision 1.79 diff -u -p -r1.79 Makefile --- Makefile 18 Feb 2019 18:35:57 -0000 1.79 +++ Makefile 12 Jun 2019 09:50:59 -0000 @@ -5,6 +5,7 @@ COMMENT = modular IRC client with many f V = 1.2.0 DISTNAME = irssi-$V PKGSPEC = irssi-=$V +REVISION = 0 CATEGORIES = net @@ -15,12 +16,13 @@ MAINTAINER = Klemens Nanni <kn@openbsd.o # GPLv2+ PERMIT_PACKAGE_CDROM = Yes +# use pledge() WANTLIB += c crypto curses gcrypt glib-2.0 gmodule-2.0 gpg-error \ iconv intl m otr pcre perl pthread ssl MASTER_SITES = https://github.com/irssi/irssi/releases/download/${V}/ -FLAVORS = socks +FLAVORS = socks unveil FLAVOR ?= LIB_DEPENDS = devel/glib2>=2.28.0 \ @@ -44,6 +46,13 @@ CONFIGURE_ARGS += --with-socks LIB_DEPENDS += security/dante WANTLIB += socks .endif + +.if ${FLAVOR:Munveil} +CFLAGS += -DHAVE_UNVEIL=y +.endif + +# required for 100% tests to pass +PORTHOME= ${WRKDIST} MAKE_FLAGS = scriptdir="${SYSCONFDIR}/irssi/scripts" \ themedir="${SYSCONFDIR}/irssi/themes" Index: patches/patch-src_core_net-nonblock_c =================================================================== RCS file: patches/patch-src_core_net-nonblock_c diff -N patches/patch-src_core_net-nonblock_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_core_net-nonblock_c 12 Jun 2019 09:59:56 -0000 
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+Index: src/core/net-nonblock.c
+--- src/core/net-nonblock.c.orig
++++ src/core/net-nonblock.c
+@@ -60,6 +60,13 @@ int net_gethostbyname_nonblock(const char *addr, GIOCh
+ "Using blocking resolving");
+ }
+
++#ifdef HAVE_UNVEIL
++ if(pledge_enabled()) {
++ if (pledge("dns inet stdio",NULL) == -1)
++ { printf("Error pledge non-block\n"); exit(1); }
++ }
++#endif
++
+ /* child */
+ srand(time(NULL));
+
Index: patches/patch-src_fe-common_core_fe-common-core_c
===================================================================
RCS file: patches/patch-src_fe-common_core_fe-common-core_c
diff -N patches/patch-src_fe-common_core_fe-common-core_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_fe-common_core_fe-common-core_c 12 Jun 2019 10:01:28 -0000
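Review bot: `pledge_enabled()` is called in the added block with no declaration visible in this patch, and the other patches define it in src/fe-common/core/fe-common-core.c, so core code now relies on an implicit declaration of a front-end symbol; a prototype in a shared header plus `#include <unistd.h>` for `pledge()` would make the dependency explicit. The failure path prints with `printf` and calls `exit(1)`; because the block sits just above the `/* child */` comment it presumably runs in the forked resolver, where `perror("pledge"); _exit(1);` would avoid flushing the parent's duplicated stdio buffers and running its exit handlers. The body of net_gethostbyname_nonblock continues outside the hunk, so the fork itself is not visible here.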
@@ -0,0 +1,106 @@
+$OpenBSD$
+
+Index: src/fe-common/core/fe-common-core.c
+--- src/fe-common/core/fe-common-core.c.orig
++++ src/fe-common/core/fe-common-core.c
+@@ -51,6 +51,10 @@
+
+ #include <signal.h>
+
++#ifdef HAVE_UNVEIL
++#include <pwd.h>
++#endif
++
+ static char *autocon_server;
+ static char *autocon_password;
+ static int autocon_port;
+@@ -58,6 +62,10 @@ static int no_autoconnect;
+ static char *cmdline_nick;
+ static char *cmdline_hostname;
+
++#ifdef HAVE_UNVEIL
++static int no_unveil;
++#endif
++
+ void fe_core_log_init(void);
+ void fe_core_log_deinit(void);
+
+@@ -99,6 +107,58 @@ void window_commands_deinit(void);
+
+ static void sig_setup_changed(void);
+
++#ifdef HAVE_UNVEIL
++int pledge_enabled()
++{
++ return no_unveil ? 0 : 1;
++}
++
++void pledge_init()
++{
++ if(pledge_enabled()) {
++ struct passwd *pw;
++ int user_id = getuid();
++ char path[200];
++
++ pw = getpwuid(user_id);
++ if (pw == NULL)
++ { printf("can't get pw of current user\n"); exit(1); }
++
++ if( unveil("/etc/ssl","r") == -1 )
++ { printf("error unveil /etc/ssl/\n"); exit(1); }
++
++ if( unveil("/etc/resolv.conf","r") == -1 )
++ { printf("error unveil /etc/resolv.conf\n"); exit(1); }
++
++ if( unveil("/dev/null","rw") == -1 )
++ { printf("error unveil dev/null\n"); exit(1); }
++
++ if( unveil("/usr/local/libdata/perl5/","r") == -1 )
++ { printf("error unveil /usr/local/libdata/perl5/\n"); exit(1); }
++
++ if( unveil("/usr/libdata/perl5/","r") == -1 )
++ { printf("error unveil /usr/libdata/perl5/\n"); exit(1); }
++
++ snprintf(path,sizeof(path), "%s/irclogs",pw->pw_dir);
++ if( unveil(path,"rwc") == -1 )
++ { printf("error unveil %s\n",path); exit(1); }
++
++ snprintf(path,sizeof(path), "%s/.irssi/",pw->pw_dir);
++ if( unveil(path,"rwc") == -1 )
++ { printf("error unveil %s\n",path); exit(1); }
++
++ snprintf(path,sizeof(path), "%s/.irssi/scripts",pw->pw_dir);
++ if( unveil(path,"r") == -1 )
++ { printf("error unveil %s\n",path); exit(1); }
++
++ if (pledge("dns inet tty
flock stdio cpath wpath rpath prot_exec proc unveil getpw",NULL) == -1)
++ { printf("error pledge\n"); exit(1); }
++
++ }
++
++}
++#endif
++
+ static void sig_connected(SERVER_REC *server)
+ {
+ MODULE_DATA_SET(server, g_new0(MODULE_SERVER_REC, 1));
+@@ -133,6 +193,9 @@ void fe_common_core_register_options(void)
+ { "noconnect", '!', 0, G_OPTION_ARG_NONE, &no_autoconnect, "Disable autoconnecting", NULL },
+ { "nick", 'n', 0, G_OPTION_ARG_STRING, &cmdline_nick, "Specify nick to use", NULL },
+ { "hostname", 'h', 0, G_OPTION_ARG_STRING, &cmdline_hostname, "Specify host name to use", NULL },
++#ifdef HAVE_UNVEIL
++ { "disable-unveil", 'u', 0, G_OPTION_ARG_NONE, &no_unveil, "Disable unveil and pledge security features", NULL },
++#endif
+ { NULL }
+ };
+
+@@ -140,6 +203,9 @@ void fe_common_core_register_options(void)
+ autocon_password = NULL;
+ autocon_port = 0;
+ no_autoconnect = FALSE;
++#ifdef HAVE_UNVEIL
++ no_unveil = FALSE;
++#endif
+ cmdline_nick = NULL;
+ cmdline_hostname = NULL;
+ args_register(options);
Index: patches/patch-src_fe-text_irssi_c
===================================================================
RCS file: patches/patch-src_fe-text_irssi_c
diff -N patches/patch-src_fe-text_irssi_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_fe-text_irssi_c 11 Jun 2019 06:37:46 -0000
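Review bot: The final `pledge()` in pledge_init keeps the `unveil` promise and nothing calls `unveil(NULL, NULL)`, so the unveil list is never locked and later code in the process can still add paths; either drop `unveil` from the promise string or lock the list right after the last `unveil()` call. The three `snprintf(path, sizeof(path), ...)` results are unchecked, so a home directory too long for the 200-byte buffer produces a truncated path that is then unveiled with `rwc`; check the return value first, e.g. `if (n < 0 || (size_t)n >= sizeof(path)) { ... exit(1); }`. The paths come from `getpwuid()` rather than from whatever directory irssi was configured to use, so a non-default irssi home would presumably end up hidden. Both new functions should also be declared with `(void)` and report failures on stderr instead of `printf`.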
@@ -0,0 +1,28 @@
+$OpenBSD$
+
+Index: src/fe-text/irssi.c
+--- src/fe-text/irssi.c.orig
++++ src/fe-text/irssi.c
+@@ -210,6 +210,10 @@ static void textui_finish_init(void)
+ printformat(NULL, NULL, MSGLEVEL_CRAP|MSGLEVEL_NO_ACT, TXT_WELCOME_FIRSTTIME);
+ }
+
++ if(pledge_enabled()) {
++ printformat(NULL, NULL, MSGLEVEL_CRAP|MSGLEVEL_NO_ACT, TXT_UNVEIL_ENABLED);
++ }
++
+ /* see irc-servers-setup.c:init_userinfo */
+ if (user_settings_changed)
+ printformat(NULL, NULL, MSGLEVEL_CLIENTNOTICE, TXT_WELCOME_INIT_SETTINGS);
+@@ -333,7 +337,11 @@ int main(int argc, char **argv)
+ }
+
+ g_log_set_always_fatal(loglev);
++
++ pledge_init();
++
+ textui_finish_init();
++
+ main_loop = g_main_new(TRUE);
+
+ /* Does the same as g_main_run(main_loop), except we
Index: patches/patch-src_fe-text_module-formats_c
===================================================================
RCS file: patches/patch-src_fe-text_module-formats_c
diff -N patches/patch-src_fe-text_module-formats_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_fe-text_module-formats_c 12 Jun 2019 10:00:55 -0000
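Review bot: The added `pledge_enabled()` test with `TXT_UNVEIL_ENABLED` in textui_finish_init and the `pledge_init()` call in main() are not wrapped in `#ifdef HAVE_UNVEIL`, while the other patches in this mail define all three only under that macro, so a build of the default flavor would presumably fail to compile here. Guard both additions, e.g. `#ifdef HAVE_UNVEIL` / `pledge_init();` / `#endif`, and declare `pledge_enabled()` and `pledge_init()` in a header this file includes instead of relying on implicit declarations. Both textui_finish_init and main continue outside the hunk, so whether scripts or configuration are loaded before `pledge_init()` runs cannot be judged from here.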
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Index: src/fe-text/module-formats.c
+--- src/fe-text/module-formats.c.orig
++++ src/fe-text/module-formats.c
+@@ -100,6 +100,12 @@ FORMAT_REC gui_text_formats[] =
+ "the available commands.%:"
+ "- - - - - - - - - - - - - - - - - - - - - - - - - - - -", 0 },
+ { "welcome_init_settings", "The following settings were initialized", 0 },
++#ifdef HAVE_UNVEIL
++ { "unveil_enabled",
++ "Unveil security features is enabled, your logs and scripts must be under ~/.irssi/%:"
++ "Irssi and its plugins are denied access to others paths, this may break some plugins.%:"
++ "This can be disabled with the flag -u at runtime.", 0 },
++#endif
+
+ { NULL, NULL, 0 }
+ };
Index: patches/patch-src_fe-text_module-formats_h
===================================================================
RCS file: patches/patch-src_fe-text_module-formats_h
diff -N patches/patch-src_fe-text_module-formats_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_fe-text_module-formats_h 12 Jun 2019 09:59:52 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+Index: src/fe-text/module-formats.h
+--- src/fe-text/module-formats.h.orig
++++ src/fe-text/module-formats.h
+@@ -59,6 +59,9 @@ enum {
+ TXT_IRSSI_BANNER,
+ TXT_WELCOME_FIRSTTIME,
+ TXT_WELCOME_INIT_SETTINGS,
++#ifdef HAVE_UNVEIL
++ TXT_UNVEIL_ENABLED,
++#endif
+
+ TXT_COUNT
+ };
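Review bot: The `unveil_enabled` text in module-formats.c tells users that logs and scripts must be under ~/.irssi/, but pledge_init in the fe-common-core patch also unveils ~/irclogs with `rwc` and grants only `r` on ~/.irssi/scripts, so the message does not describe the policy that is actually enforced. Suggested wording: `"Unveil security features are enabled; irssi can only access ~/.irssi/ and ~/irclogs/.%:"` followed by `"Irssi and its plugins are denied access to other paths, which may break some plugins.%:"`. The entry in gui_text_formats and the `TXT_UNVEIL_ENABLED` enumerator in module-formats.h have to stay in the same position under the same `#ifdef`, which deserves a short comment next to each.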