there are a lot of files in /dev ... can you make this tighter?
Alexandre Ratchov <[email protected]> wrote: > A trivial diff for the sndiod "device helper" process. All this > process does is to open the device and pass it to the main process. So > it can be restricted to /dev. > > The other sndiod process has neither of rpath, wpath, cpath, or exec, > so it doesn't need unveil, right? > > Index: sndiod.c > =================================================================== > RCS file: /cvs/src/usr.bin/sndiod/sndiod.c,v > retrieving revision 1.33 > diff -u -p -r1.33 sndiod.c > --- sndiod.c 26 Jun 2018 07:12:35 -0000 1.33 > +++ sndiod.c 30 Jul 2018 09:18:32 -0000 > @@ -378,6 +378,8 @@ start_helper(int background) > setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) > err(1, "cannot drop privileges"); > } > + if (unveil("/dev", "rw") < 0) > + err(1, "unveil"); > if (pledge("stdio sendfd rpath wpath", NULL) < 0) > err(1, "pledge"); > while (file_poll()) > >
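Review bot: the unveil("/dev", "rw") added in start_helper grants the helper read/write visibility of every node under /dev, which is much broader than the one device file the description says it opens and passes to the main process; unveil only the specific device path(s) the helper actually opens (or the narrowest directory containing them) with "rw", and keep the call placed before pledge() as it is here, since the pledge promises "stdio sendfd rpath wpath" omit "unveil" and therefore lock the unveil set once pledge succeeds. The err(1, "unveil") failure path matches the surrounding err(1, ...) style, so no change needed there.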
