On Tue, Jun 11, 2019 at 11:55:29AM -0600, Theo de Raadt wrote:
> Bryan Steele <bry...@gmail.com> wrote:
> 
> > In addition to what Stuart said, irssi is using libperl here for perl
> > scripts, which means the irssi unveil will be applied to them. There
> > are many uses for perl scripts, and many involve reading arbitrary files
> > and there's no way to know that upfront.
> 
> Keep in mind unveil is different from pledge.
> 
> With pledge, you get killed.  Unacceptably inconvenient to have that in
> a sustained runtime, when you suddenly trigger a new feature.
> 
> With unveil, a hidden file is EACCES or ENOENT therefore a deeply
> complicated feature may *subtly misbehave* if it continues operation
> in the absence of a control file or something.
> 
> I think making this a getopt flag is a disaster.
> 
> It was done with chrome *temporarily* during test phases, but sustained
> use of flags tied to low-level features is seriously user hostile. 
> 

The following patch makes the unveiled version of irssi a new flavor, with
unveil/pledge opt-in. I think this is the best option. It is opt-in AND the
package name is explicit, so nobody should be surprised by irssi-unveil
blocking some plugins.


Index: Makefile
===================================================================
RCS file: /data/cvs/ports/net/irssi/Makefile,v
retrieving revision 1.79
diff -u -p -r1.79 Makefile
--- Makefile    18 Feb 2019 18:35:57 -0000      1.79
+++ Makefile    12 Jun 2019 09:50:59 -0000
@@ -5,6 +5,7 @@ COMMENT =       modular IRC client with many f
 V =            1.2.0
 DISTNAME =     irssi-$V
 PKGSPEC =      irssi-=$V
+REVISION =     0
 
 CATEGORIES =   net
 
@@ -15,12 +16,13 @@ MAINTAINER =        Klemens Nanni <kn@openbsd.o
 # GPLv2+
 PERMIT_PACKAGE_CDROM = Yes
 
+# use pledge()
 WANTLIB +=     c crypto curses gcrypt glib-2.0 gmodule-2.0 gpg-error \
                iconv intl m otr pcre perl pthread ssl
 
 MASTER_SITES = https://github.com/irssi/irssi/releases/download/${V}/
 
-FLAVORS =      socks
+FLAVORS =      socks unveil
 FLAVOR ?=
 
 LIB_DEPENDS =  devel/glib2>=2.28.0 \
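Review bot: The added `# use pledge()` marker sits above WANTLIB unconditionally, but the pledge and unveil code is compiled only when the `unveil` flavor defines HAVE_UNVEIL, so the comment is misleading for the default and socks flavors. Consider `# uses pledge() and unveil() in the unveil flavor only` instead.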
@@ -44,6 +46,13 @@ CONFIGURE_ARGS +=    --with-socks
 LIB_DEPENDS +=         security/dante
 WANTLIB +=             socks
 .endif
+
+.if ${FLAVOR:Munveil}
+CFLAGS +=              -DHAVE_UNVEIL=y
+.endif
+
+# required for 100% tests to pass
+PORTHOME=              ${WRKDIST}
 
 MAKE_FLAGS =   scriptdir="${SYSCONFDIR}/irssi/scripts" \
                themedir="${SYSCONFDIR}/irssi/themes"
Index: patches/patch-src_core_net-nonblock_c
===================================================================
RCS file: patches/patch-src_core_net-nonblock_c
diff -N patches/patch-src_core_net-nonblock_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_core_net-nonblock_c       12 Jun 2019 09:59:56 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+Index: src/core/net-nonblock.c
+--- src/core/net-nonblock.c.orig
++++ src/core/net-nonblock.c
+@@ -60,6 +60,13 @@ int net_gethostbyname_nonblock(const char *addr, GIOCh
+                         "Using blocking resolving");
+       }
+ 
++#ifdef HAVE_UNVEIL
++    if(pledge_enabled()) {
++        if (pledge("dns inet stdio",NULL) == -1)
++        { printf("Error pledge non-block\n"); exit(1); }
++    }
++#endif
++
+       /* child */
+       srand(time(NULL));
+ 
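Review bot: `pledge_enabled()` is called here without a declaration: it is defined in src/fe-common/core/fe-common-core.c and none of the patches in this set adds a prototype to a header, so this file relies on an implicit declaration and src/core now depends on a front-end symbol. A shared header with `int pledge_enabled(void);` and `void pledge_init(void);` would fix that. The child's promise set also looks wider than needed; if the code after the hunk only resolves the name and writes the result to the pipe, `pledge("stdio dns", NULL)` should be enough, which is worth confirming against the rest of net_gethostbyname_nonblock, whose body continues outside the hunk. The failure path would be better as a message on stderr followed by `_exit(1)`, since `exit()` in a forked child also flushes the stdio buffers inherited from the parent.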
Index: patches/patch-src_fe-common_core_fe-common-core_c
===================================================================
RCS file: patches/patch-src_fe-common_core_fe-common-core_c
diff -N patches/patch-src_fe-common_core_fe-common-core_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_fe-common_core_fe-common-core_c   12 Jun 2019 10:01:28 
-0000
@@ -0,0 +1,106 @@
+$OpenBSD$
+
+Index: src/fe-common/core/fe-common-core.c
+--- src/fe-common/core/fe-common-core.c.orig
++++ src/fe-common/core/fe-common-core.c
+@@ -51,6 +51,10 @@
+ 
+ #include <signal.h>
+ 
++#ifdef HAVE_UNVEIL
++#include <pwd.h>
++#endif
++
+ static char *autocon_server;
+ static char *autocon_password;
+ static int autocon_port;
+@@ -58,6 +62,10 @@ static int no_autoconnect;
+ static char *cmdline_nick;
+ static char *cmdline_hostname;
+ 
++#ifdef HAVE_UNVEIL
++static int no_unveil;
++#endif
++
+ void fe_core_log_init(void);
+ void fe_core_log_deinit(void);
+ 
+@@ -99,6 +107,58 @@ void window_commands_deinit(void);
+ 
+ static void sig_setup_changed(void);
+ 
++#ifdef HAVE_UNVEIL
++int pledge_enabled()
++{
++    return no_unveil ? 0 : 1;
++}
++
++void pledge_init()
++{
++    if(pledge_enabled()) {
++        struct passwd *pw;
++        int user_id = getuid();
++        char path[200];
++
++        pw = getpwuid(user_id);
++        if (pw == NULL)
++        { printf("can't get pw of current user\n"); exit(1); }
++        
++        if( unveil("/etc/ssl","r") == -1 )
++        { printf("error unveil /etc/ssl/\n"); exit(1); }
++
++        if( unveil("/etc/resolv.conf","r") == -1 )
++        { printf("error unveil /etc/resolv.conf\n"); exit(1); }
++
++        if( unveil("/dev/null","rw") == -1 )
++        { printf("error unveil dev/null\n"); exit(1); }
++
++        if( unveil("/usr/local/libdata/perl5/","r") == -1 )
++        { printf("error unveil /usr/local/libdata/perl5/\n"); exit(1); }
++
++        if( unveil("/usr/libdata/perl5/","r") == -1 )
++        { printf("error unveil /usr/libdata/perl5/\n"); exit(1); }
++
++        snprintf(path,sizeof(path), "%s/irclogs",pw->pw_dir);
++        if( unveil(path,"rwc") == -1 )
++        { printf("error unveil %s\n",path); exit(1); }
++
++        snprintf(path,sizeof(path), "%s/.irssi/",pw->pw_dir);
++        if( unveil(path,"rwc") == -1 )
++        { printf("error unveil %s\n",path); exit(1); }
++
++        snprintf(path,sizeof(path), "%s/.irssi/scripts",pw->pw_dir);
++        if( unveil(path,"r") == -1 )
++        { printf("error unveil %s\n",path); exit(1); }
++
++        if (pledge("dns inet tty flock stdio cpath wpath rpath prot_exec proc 
unveil getpw",NULL) == -1)
++        { printf("error pledge\n"); exit(1); }
++
++    }
++
++}
++#endif
++
+ static void sig_connected(SERVER_REC *server)
+ {
+       MODULE_DATA_SET(server, g_new0(MODULE_SERVER_REC, 1));
+@@ -133,6 +193,9 @@ void fe_common_core_register_options(void)
+               { "noconnect", '!', 0, G_OPTION_ARG_NONE, &no_autoconnect, 
"Disable autoconnecting", NULL },
+               { "nick", 'n', 0, G_OPTION_ARG_STRING, &cmdline_nick, "Specify 
nick to use", NULL },
+               { "hostname", 'h', 0, G_OPTION_ARG_STRING, &cmdline_hostname, 
"Specify host name to use", NULL },
++#ifdef HAVE_UNVEIL
++        { "disable-unveil", 'u', 0, G_OPTION_ARG_NONE, &no_unveil, "Disable 
unveil and pledge security features", NULL },
++#endif
+               { NULL }
+       };
+ 
+@@ -140,6 +203,9 @@ void fe_common_core_register_options(void)
+       autocon_password = NULL;
+       autocon_port = 0;
+       no_autoconnect = FALSE;
++#ifdef HAVE_UNVEIL
++    no_unveil = FALSE;
++#endif
+       cmdline_nick = NULL;
+       cmdline_hostname = NULL;
+       args_register(options);
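Review bot: The final `pledge()` in pledge_init() keeps the `unveil` promise and the view is never locked, which leaves it possible for code running later in the process to unveil further paths. Either call `unveil(NULL, NULL)` after the last unveil or drop `unveil` from the promise string, since no unveil call follows the pledge in the visible code. The three `snprintf()` calls into `char path[200]` also ignore the return value, so a long `pw_dir` would be truncated and a different path unveiled; check it with `if (n < 0 || (size_t)n >= sizeof(path))` and exit as the other failures do. `pledge_enabled()` and `pledge_init()` would read better declared with `(void)`, and the error messages belong on stderr, not stdout.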
Index: patches/patch-src_fe-text_irssi_c
===================================================================
RCS file: patches/patch-src_fe-text_irssi_c
diff -N patches/patch-src_fe-text_irssi_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_fe-text_irssi_c   11 Jun 2019 06:37:46 -0000
@@ -0,0 +1,28 @@
+$OpenBSD$
+
+Index: src/fe-text/irssi.c
+--- src/fe-text/irssi.c.orig
++++ src/fe-text/irssi.c
+@@ -210,6 +210,10 @@ static void textui_finish_init(void)
+               printformat(NULL, NULL, MSGLEVEL_CRAP|MSGLEVEL_NO_ACT, 
TXT_WELCOME_FIRSTTIME);
+       }
+ 
++    if(pledge_enabled()) {
++        printformat(NULL, NULL, MSGLEVEL_CRAP|MSGLEVEL_NO_ACT, 
TXT_UNVEIL_ENABLED);
++    }
++
+       /* see irc-servers-setup.c:init_userinfo */
+       if (user_settings_changed)
+               printformat(NULL, NULL, MSGLEVEL_CLIENTNOTICE, 
TXT_WELCOME_INIT_SETTINGS);
+@@ -333,7 +337,11 @@ int main(int argc, char **argv)
+       }
+ 
+       g_log_set_always_fatal(loglev);
++
++    pledge_init();
++
+       textui_finish_init();
++
+       main_loop = g_main_new(TRUE);
+ 
+       /* Does the same as g_main_run(main_loop), except we
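Review bot: The calls to `pledge_enabled()` in textui_finish_init() and `pledge_init()` in main() are not wrapped in `#ifdef HAVE_UNVEIL`, although both functions and `TXT_UNVEIL_ENABLED` exist only under that macro, so the default and socks flavors would fail to build. Wrap each call site in `#ifdef HAVE_UNVEIL` and `#endif` as the other patches do. No prototype for either function is visible in this file, so a shared header declaration is needed as well. Both enclosing functions start and end outside the hunks.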
Index: patches/patch-src_fe-text_module-formats_c
===================================================================
RCS file: patches/patch-src_fe-text_module-formats_c
diff -N patches/patch-src_fe-text_module-formats_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_fe-text_module-formats_c  12 Jun 2019 10:00:55 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Index: src/fe-text/module-formats.c
+--- src/fe-text/module-formats.c.orig
++++ src/fe-text/module-formats.c
+@@ -100,6 +100,12 @@ FORMAT_REC gui_text_formats[] =
+         "the available commands.%:"
+         "- - - - - - - - - - - - - - - - - - - - - - - - - - - -", 0 },
+       { "welcome_init_settings", "The following settings were initialized", 0 
},
++#ifdef HAVE_UNVEIL
++    { "unveil_enabled",
++      "Unveil security features is enabled, your logs and scripts must be 
under ~/.irssi/%:"
++      "Irssi and its plugins are denied access to others paths, this may 
break some plugins.%:"
++      "This can be disabled with the flag -u at runtime.", 0 },
++#endif
+ 
+       { NULL, NULL, 0 }
+ };
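Review bot: The `unveil_enabled` text does not match what pledge_init() in fe-common-core.c unveils, because logs are also allowed under `~/irclogs` and the message mentions only `~/.irssi/`. Suggested wording for the first two lines: `"Unveil security features are enabled; logs must be under ~/irclogs or ~/.irssi/ and scripts under ~/.irssi/scripts.%:"` and `"Irssi and its plugins are denied access to other paths, which may break some plugins.%:"`. The entry sits inside gui_text_formats[], which starts outside the hunk.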
Index: patches/patch-src_fe-text_module-formats_h
===================================================================
RCS file: patches/patch-src_fe-text_module-formats_h
diff -N patches/patch-src_fe-text_module-formats_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_fe-text_module-formats_h  12 Jun 2019 09:59:52 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+Index: src/fe-text/module-formats.h
+--- src/fe-text/module-formats.h.orig
++++ src/fe-text/module-formats.h
+@@ -59,6 +59,9 @@ enum {
+       TXT_IRSSI_BANNER,
+       TXT_WELCOME_FIRSTTIME,
+       TXT_WELCOME_INIT_SETTINGS,
++#ifdef HAVE_UNVEIL
++    TXT_UNVEIL_ENABLED,
++#endif
+ 
+       TXT_COUNT
+ };
