Re: apmd: use unveil(2)

2021-03-11 Thread Klemens Nanni
On Wed, Jul 24, 2019 at 09:46:09PM +0200, Klemens Nanni wrote:
> Pledge is not possible due to the ioctls, but as it hoists both the
> control socket and apm device early at startup and only ever possibly
> executes scripts under /etc/apm/, hiding the rest of the filesystem
> becomes easy.
> 
> Technically, only "x" is required to traverse the directory and run
> scripts, but we carefully access(2) each script, and that requires the
> read bit regardless of the permission bits being tested.

> Runs fine in daily usage on my X230 with suspend and resume scripts.
> 
> Feedback? OK?
Found this diff still in my tree.
Any takers?


Index: apmd.c
===
RCS file: /cvs/src/usr.sbin/apmd/apmd.c,v
retrieving revision 1.99
diff -u -p -r1.99 apmd.c
--- apmd.c  28 Sep 2020 21:35:14 -  1.99
+++ apmd.c  4 Oct 2020 14:31:10 -
@@ -490,6 +490,11 @@ main(int argc, char *argv[])
if (statonly)
exit(0);
 
+   if (unveil(_PATH_APM_ETC_DIR, "rx") == -1)
+   err(1, "unveil");
+   if (unveil(NULL, NULL) == -1)
+   err(1, "unveil");
+
set_driver_messages(ctl_fd, APM_PRINT_OFF);
 
kq = kqueue();
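Review bot: the `unveil(NULL, NULL)` call locks the view to _PATH_APM_ETC_DIR alone for this process and everything it forks, and the reply in this thread points out that the scripts are started with fork+execl; if the unveil set is retained across execve() (the thread says that semantics is still undecided), the child can see nothing outside /etc/apm/, not the interpreter named in the script's `#!` line and not any utility the script calls, so the scripts would fail to start. Before this goes in, either the interpreter and the scripts' dependencies need to be unveiled as well, or the patch needs to be tested with a suspend/resume script that executes a command outside /etc/apm/ under whichever execve() semantics is chosen.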



Re: apmd: use unveil(2)

2019-07-24 Thread Theo de Raadt
Klemens Nanni wrote:

> Pledge is not possible due to the ioctls, but as it hoists both the
> control socket and apm device early at startup and only ever possibly
> executes scripts under /etc/apm/, hiding the rest of the filesystem
> becomes easy.
> 
> Technically, only "x" is required to traverse the directory and run
> scripts, but we carefully access(2) each script, and that requires the
> read bit regardless of the permission bits being tested.
> 
> Feedback? OK?
> 
> Runs fine in daily usage on my X230 with suspend and resume scripts.
> 
> Feedback? OK?

But eventually the scripts are run with fork+execl.

We have not yet decided on the semantics -- whether unveil selections
stick around when execve() is called, or whether they are released
(like pledge).

If the tree starts changing to assume execve() reverts to open system,
you are closing the door for us to choose the stricter policy choice.





apmd: use unveil(2)

2019-07-24 Thread Klemens Nanni
Pledge is not possible due to the ioctls, but as it hoists both the
control socket and apm device early at startup and only ever possibly
executes scripts under /etc/apm/, hiding the rest of the filesystem
becomes easy.

Technically, only "x" is required to traverse the directory and run
scripts, but we carefully access(2) each script, and that requires the
read bit regardless of the permission bits being tested.

Feedback? OK?

Runs fine in daily usage on my X230 with suspend and resume scripts.

Feedback? OK?

Index: apmd.c
===
RCS file: /cvs/src/usr.sbin/apmd/apmd.c,v
retrieving revision 1.86
diff -u -p -r1.86 apmd.c
--- apmd.c  22 Jul 2019 08:06:52 -  1.86
+++ apmd.c  22 Jul 2019 08:07:17 -
@@ -483,6 +483,11 @@ main(int argc, char *argv[])
if (statonly)
exit(0);
 
+   if (unveil(_PATH_APM_ETC_DIR, "rx") == -1)
+   err(1, "unveil");
+   if (unveil(NULL, NULL) == -1)
+   err(1, "unveil");
+
set_driver_messages(ctl_fd, APM_PRINT_OFF);
 
kq = kqueue();
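Review bot: the `"rx"` permission string in the first `unveil()` call needs a comment in the code: the mail explains that "x" alone would be enough to traverse the directory and run the scripts, but the access(2) check done on each script requires "r", and a later reader tightening this to `"x"` would break that check without the rationale being visible in apmd.c. Something like `/* "r" is required because access(2) on each script needs read permission */` above the call would do. Both calls also fail with the identical message `err(1, "unveil")`; distinct messages (for example naming _PATH_APM_ETC_DIR in the first) would make a failure report from a user unambiguous.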