unveil(2) is now enabled in -current.

For those who want to play along at home, here are some diffs which use
this in a variety of programs.  Not all these diffs are correct or
complete yet.  This is a learning experience.  Based upon what we learn,
we may still change unveil(2) semantics slightly (similar to how pledge
semantics were reached).

These diffs are in snapshots.

Index: bin/ps/ps.c
===================================================================
RCS file: /cvs/src/bin/ps/ps.c,v
retrieving revision 1.71
diff -u -p -u -r1.71 ps.c
--- bin/ps/ps.c 23 Sep 2016 06:28:08 -0000      1.71
+++ bin/ps/ps.c 12 Jul 2018 16:18:13 -0000
@@ -276,6 +276,19 @@ main(int argc, char *argv[])
        if (kd == NULL)
                errx(1, "%s", errbuf);
 
+       if (unveil(_PATH_DEVDB, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/dev", "r") == -1)
+               err(1, "unveil");
+       if (swapf)
+               if (unveil(swapf, "r") == -1)
+                       err(1, "unveil");
+       if (nlistf)
+               if (unveil(nlistf, "r") == -1)
+                       err(1, "unveil");
+       if (memf)
+               if (unveil(memf, "r") == -1)
+                       err(1, "unveil");
        if (pledge("stdio rpath getpw ps", NULL) == -1)
                err(1, "pledge");
 
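Review bot: The unveil() calls for swapf, nlistf and memf are placed after kvm_openfiles() has already succeeded (the `kd == NULL` check above), so they only matter if libkvm reopens those paths later; if it keeps its descriptors, these entries merely widen the visible set and could go — worth confirming against libkvm before keeping them. Either way the optional ones should name the path on failure, `err(1, "unveil %s", swapf)`, since a bare "unveil" does not say which of the five calls refused. main continues beyond the hunk.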
Index: libexec/comsat/comsat.c
===================================================================
RCS file: /cvs/src/libexec/comsat/comsat.c,v
retrieving revision 1.48
diff -u -p -u -r1.48 comsat.c
--- libexec/comsat/comsat.c     3 Apr 2017 17:23:39 -0000       1.48
+++ libexec/comsat/comsat.c     12 Jul 2018 16:18:13 -0000
@@ -91,6 +91,12 @@ main(int argc, char *argv[])
                exit(1);
        }
 
+       if (unveil(_PATH_MAILDIR, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_UTMP, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/tmp", "w") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath proc tty", NULL) == -1)
                err(1, "pledge");
 
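Review bot: Nothing in this hunk makes the users' terminals visible, yet the "tty" promise in the pledge below suggests comsat later opens a tty by path to deliver the notification; if it does, that open will fail under unveil and a `unveil("/dev", "w")` (or the specific device under _PATH_DEV) is needed alongside these entries. A one-line comment on why `/tmp` needs write access would also help, since nothing visible here explains it. main continues beyond the hunk.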
Index: libexec/fingerd/fingerd.c
===================================================================
RCS file: /cvs/src/libexec/fingerd/fingerd.c,v
retrieving revision 1.39
diff -u -p -u -r1.39 fingerd.c
--- libexec/fingerd/fingerd.c   13 Nov 2015 01:26:33 -0000      1.39
+++ libexec/fingerd/fingerd.c   26 Jul 2018 16:22:32 -0000
@@ -68,7 +68,7 @@ main(int argc, char *argv[])
        char **ap, *av[ENTRIES + 1], line[8192], *lp, *hname;
        char hostbuf[HOST_NAME_MAX+1];
 
-       if (pledge("stdio inet dns proc exec", NULL) == -1)
+       if (pledge("stdio unveil inet dns proc exec", NULL) == -1)
                err(1, "pledge");
 
        prog = _PATH_FINGER;
@@ -110,6 +110,9 @@ main(int argc, char *argv[])
                default:
                        usage();
                }
+
+       if (unveil(_PATH_FINGER, "x") == -1)
+               err(1, "unveil");
 
        if (logging) {
                struct sockaddr_storage ss;
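Review bot: The unveil hardcodes `_PATH_FINGER` even though `prog` is initialised from that same constant before the option loop and can apparently be reassigned by an option (fingerd's -P); if so, `unveil(prog, "x")` is the right call, otherwise a -P program would be hidden at exec time. Consider also following this with a pledge that omits "unveil" (or `unveil(NULL, NULL)`) once no further paths are needed; whether one exists later in main is outside this hunk.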
Index: libexec/getty/main.c
===================================================================
RCS file: /cvs/src/libexec/getty/main.c,v
retrieving revision 1.48
diff -u -p -u -r1.48 main.c
--- libexec/getty/main.c        29 May 2017 04:40:35 -0000      1.48
+++ libexec/getty/main.c        12 Jul 2018 16:18:13 -0000
@@ -169,6 +169,19 @@ main(int argc, char *argv[])
 
        ioctl(0, FIOASYNC, &off);       /* turn off async mode */
 
+       if (unveil("/usr/bin/login", "x") == -1) {
+               syslog(LOG_ERR, "%s: %m", tname);
+               exit(1);
+       }
+       if (unveil(_PATH_GETTYTAB, "r") == -1) {
+               syslog(LOG_ERR, "%s: %m", tname);
+               exit(1);
+       }
+       if (unveil("/dev", "rw") == -1) {
+               syslog(LOG_ERR, "%s: %m", tname);
+               exit(1);
+       }
+
        /*
         * The following is a work around for vhangup interactions
         * which cause great problems getting window systems started.
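Review bot: The three failure branches log `"%s: %m"` with `tname`, which identifies the terminal but not the failing call, so a refusal would read like a tty problem; `syslog(LOG_ERR, "unveil %s: %m", _PATH_GETTYTAB)` (and likewise for the other two paths) would be diagnosable. No pledge or `unveil(NULL, NULL)` is visible after these calls, so the view stays unlocked until one is added — whether that happens later in main is outside the hunk. The literal `/usr/bin/login` also bypasses any configurable login program getty may take from gettytab; confirm against the exec further down.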
Index: libexec/lockspool/lockspool.c
===================================================================
RCS file: /cvs/src/libexec/lockspool/lockspool.c,v
retrieving revision 1.18
diff -u -p -u -r1.18 lockspool.c
--- libexec/lockspool/lockspool.c       24 Nov 2015 00:19:29 -0000      1.18
+++ libexec/lockspool/lockspool.c       12 Jul 2018 16:18:13 -0000
@@ -32,6 +32,7 @@
 #include <unistd.h>
 #include <errno.h>
 #include <stdio.h>
+#include <paths.h>
 #include <stdlib.h>
 #include <poll.h>
 #include <err.h>
@@ -52,6 +53,8 @@ main(int argc, char *argv[])
        char *from, c;
        int holdfd;
 
+       if (unveil(_PATH_MAILDIR, "rwc") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath getpw cpath fattr", NULL) == -1)
                err(1, "pledge");
 
Index: libexec/spamd/grey.c
===================================================================
RCS file: /cvs/src/libexec/spamd/grey.c,v
retrieving revision 1.65
diff -u -p -u -r1.65 grey.c
--- libexec/spamd/grey.c        18 Oct 2017 17:31:01 -0000      1.65
+++ libexec/spamd/grey.c        12 Jul 2018 16:18:13 -0000
@@ -1078,11 +1078,21 @@ greywatcher(void)
 
        drop_privs();
 
+       if (unveil(PATH_SPAMD_DB, "rw") == -1) {
+               syslog_r(LOG_ERR, &sdata, "unveil failed for %s (%m)",
+                   PATH_SPAMD_DB);
+               exit(1);
+       }
+       if (unveil(PATH_PFCTL, "x") == -1) {
+               syslog_r(LOG_ERR, &sdata, "unveil failed for %s (%m)",
+                   PATH_PFCTL);
+               exit(1);
+       }
        if (pledge("stdio rpath wpath inet flock proc exec", NULL) == -1) {
                syslog_r(LOG_ERR, &sdata, "pledge failed (%m)");
                exit(1);
        }
-               
+
        startup = time(NULL);
        db_pid = fork();
        switch (db_pid) {
Index: libexec/spamlogd/spamlogd.c
===================================================================
RCS file: /cvs/src/libexec/spamlogd/spamlogd.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 spamlogd.c
--- libexec/spamlogd/spamlogd.c 16 Mar 2016 14:47:04 -0000      1.27
+++ libexec/spamlogd/spamlogd.c 28 Jul 2018 12:58:08 -0000
@@ -375,6 +375,9 @@ main(int argc, char **argv)
                openlog_r("spamlogd", LOG_PID | LOG_NDELAY, LOG_DAEMON, &sdata);
        }
 
+       if (unveil(PATH_SPAMD_DB, "rw") == -1)
+               err(1, "unveil");
+
        if (syncsend) {
                if (pledge("stdio rpath wpath inet flock", NULL) == -1)
                        err(1, "pledge");
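Review bot: The new unveil failure is reported with `err(1, "unveil")`, but the line above shows this runs after `openlog_r()`, i.e. the daemon may already have detached from its terminal, in which case the message is lost; the grey.c hunk in this same series uses `syslog_r(LOG_ERR, &sdata, "unveil failed for %s (%m)", PATH_SPAMD_DB)`, which would be the consistent form here. main continues beyond the hunk.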
Index: sbin/fsck/fsck.c
===================================================================
RCS file: /cvs/src/sbin/fsck/fsck.c,v
retrieving revision 1.38
diff -u -p -u -r1.38 fsck.c
--- sbin/fsck/fsck.c    23 Nov 2015 19:19:29 -0000      1.38
+++ sbin/fsck/fsck.c    25 Jul 2018 17:34:19 -0000
@@ -39,6 +39,7 @@
 #include <sys/mount.h>
 #include <sys/queue.h>
 #include <sys/resource.h>
+#include <sys/stat.h>
 #include <sys/wait.h>
 
 #include <err.h>
@@ -106,6 +107,14 @@ main(int argc, char *argv[])
        } else
                warn("Can't get resource limit for data size");
 
+       checkroot();
+
+       if (unveil("/dev", "rw") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_FSTAB, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/sbin", "x") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath disklabel proc exec", NULL) == -1)
                err(1, "pledge");
 
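Review bot: `checkroot()` is deliberately moved ahead of the unveil calls because stat("/") is no longer possible once only /dev, fstab and /sbin are visible, but nothing in the code says so; a comment such as `/* stat "/" before unveil() hides it from blockcheck() */` would keep the ordering from being undone later. Whether `/sbin` "x" is sufficient depends on how the child fsck_* is located — if it is found via execvp on a PATH with other directories, those would need unveiling too, which cannot be confirmed from this hunk. main continues beyond the hunk.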
Index: sbin/fsck/fsutil.c
===================================================================
RCS file: /cvs/src/sbin/fsck/fsutil.c,v
retrieving revision 1.22
diff -u -p -u -r1.22 fsutil.c
--- sbin/fsck/fsutil.c  27 Sep 2015 05:25:00 -0000      1.22
+++ sbin/fsck/fsutil.c  12 Jul 2018 16:18:13 -0000
@@ -53,6 +53,17 @@ extern char *__progname;
 
 static void vmsg(int, const char *, va_list);
 
+struct stat stslash;
+
+void
+checkroot(void)
+{
+       if (stat("/", &stslash) < 0) {
+               xperror("/");
+               printf("Can't stat root\n");
+       }
+}
+
 void
 setcdevname(const char *cd, const char *ocd, int pr)
 {
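Review bot: `stslash` is defined with external linkage but only blockcheck() in this file appears to use it; make it `static struct stat stslash;` so it does not leak into every program that links fsutil.c. checkroot() also prints when stat("/") fails but records nothing, so callers cannot tell the buffer was never filled (it is only zero because of file-scope initialisation); returning an `int` result, `return (stat("/", &stslash) == 0 ? 0 : -1);` style, would let blockcheck() act on it.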
@@ -182,17 +193,12 @@ rawname(char *name)
 char *
 blockcheck(char *origname)
 {
-       struct stat stslash, stblock, stchar;
+       struct stat stblock, stchar;
        char *newname, *raw;
        struct fstab *fsp;
        int retried = 0;
 
        hot = 0;
-       if (stat("/", &stslash) < 0) {
-               xperror("/");
-               printf("Can't stat root\n");
-               return (origname);
-       }
        newname = origname;
 retry:
        if (stat(newname, &stblock) < 0)
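Review bot: Removing the stat("/") block also removes its `return (origname)` path, so when checkroot() failed earlier blockcheck() now proceeds to compare `stblock` against a zero-filled `stslash` instead of bailing out; if the old early return was intentional, checkroot() should report its result and blockcheck() keep an equivalent `if (!rootok) return (origname);`. blockcheck continues beyond the hunk.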
Index: sbin/fsck/fsutil.h
===================================================================
RCS file: /cvs/src/sbin/fsck/fsutil.h,v
retrieving revision 1.7
diff -u -p -u -r1.7 fsutil.h
--- sbin/fsck/fsutil.h  8 Oct 2014 16:27:53 -0000       1.7
+++ sbin/fsck/fsutil.h  12 Jul 2018 16:18:13 -0000
@@ -41,6 +41,7 @@ void panic(const char *, ...)
     __attribute__((__noreturn__,__format__(__printf__,1,2)));
 char *rawname(char *);
 char *unrawname(char *);
+void checkroot(void);
 char *blockcheck(char *);
 const char *cdevname(void);
 void setcdevname(const char *, const char *, int);
Index: sbin/fsck_ext2fs/main.c
===================================================================
RCS file: /cvs/src/sbin/fsck_ext2fs/main.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 main.c
--- sbin/fsck_ext2fs/main.c     16 Mar 2016 15:41:10 -0000      1.27
+++ sbin/fsck_ext2fs/main.c     12 Jul 2018 16:18:13 -0000
@@ -65,6 +65,8 @@ main(int argc, char *argv[])
        int ch;
        int ret = 0;
 
+       checkroot();
+
        sync();
        skipclean = 1;
        while ((ch = getopt(argc, argv, "b:dfm:npy")) != -1) {
Index: sbin/fsck_ext2fs/setup.c
===================================================================
RCS file: /cvs/src/sbin/fsck_ext2fs/setup.c,v
retrieving revision 1.31
diff -u -p -u -r1.31 setup.c
--- sbin/fsck_ext2fs/setup.c    26 Aug 2017 06:32:06 -0000      1.31
+++ sbin/fsck_ext2fs/setup.c    12 Jul 2018 16:18:13 -0000
@@ -73,6 +73,9 @@ setup(char *dev)
        int doskipclean;
        u_int64_t maxfilesize;
 
+       if (unveil("/dev", "rw") == -1)
+               err(1, "unveil");
+
        havesb = 0;
        fswritefd = -1;
        doskipclean = skipclean;
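Review bot: `unveil("/dev", "rw")` is made inside setup(), so it is repeated for every filesystem checked, and it leaves any `dev` argument that is not under /dev (a filesystem image given by path) invisible to the opendev() that follows; if images are meant to keep working, also `unveil(dev, "rw")` when `dev` is an explicit path. No pledge or `unveil(NULL, NULL)` follows within this hunk to lock the view; setup continues beyond it.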
Index: sbin/fsck_ffs/main.c
===================================================================
RCS file: /cvs/src/sbin/fsck_ffs/main.c,v
retrieving revision 1.51
diff -u -p -u -r1.51 main.c
--- sbin/fsck_ffs/main.c        5 Jan 2018 09:33:47 -0000       1.51
+++ sbin/fsck_ffs/main.c        12 Jul 2018 16:18:13 -0000
@@ -67,6 +67,8 @@ main(int argc, char *argv[])
        int ch;
        int ret = 0;
 
+       checkroot();
+
        sync();
        skipclean = 1;
        while ((ch = getopt(argc, argv, "dfpnNyYb:c:m:")) != -1) {
Index: sbin/fsck_ffs/setup.c
===================================================================
RCS file: /cvs/src/sbin/fsck_ffs/setup.c,v
retrieving revision 1.64
diff -u -p -u -r1.64 setup.c
--- sbin/fsck_ffs/setup.c       5 Jan 2018 09:33:47 -0000       1.64
+++ sbin/fsck_ffs/setup.c       12 Jul 2018 16:18:13 -0000
@@ -90,6 +90,9 @@ setup(char *dev, int isfsdb)
        u_int64_t maxfilesize;
        char *realdev;
 
+       if (unveil("/dev", "rw") == -1)
+               err(1, "unveil");
+
        havesb = 0;
        fswritefd = fsreadfd = -1;
        doskipclean = skipclean;
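Review bot: As in fsck_ext2fs, the `unveil("/dev", "rw")` sits inside setup() rather than main(), so it runs again for every call and is never followed by a pledge or `unveil(NULL, NULL)` within this hunk; a one-shot call in main() next to the new checkroot() would be easier to reason about. setup() also takes an `isfsdb` flag, so this restriction presumably applies to fsdb as well — worth confirming fsdb needs nothing outside /dev. setup continues beyond the hunk.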
Index: sbin/fsck_msdos/check.c
===================================================================
RCS file: /cvs/src/sbin/fsck_msdos/check.c,v
retrieving revision 1.18
diff -u -p -u -r1.18 check.c
--- sbin/fsck_msdos/check.c     14 Oct 2015 16:58:55 -0000      1.18
+++ sbin/fsck_msdos/check.c     12 Jul 2018 16:18:13 -0000
@@ -54,6 +54,9 @@ checkfilesys(const char *fname)
        int i;
        int mod = 0;
 
+       if (unveil("/dev", "rw") == -1)
+               err(1, "unveil");
+
        rdonly = alwaysno;
 
        dosfs = opendev(fname, rdonly ? O_RDONLY : O_RDWR, 0, &realdev);
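Review bot: checkfilesys() is called once per filesystem argument, so `unveil("/dev", "rw")` is re-applied on each call and there is no point at which the view is locked; moving it to main() next to the new checkroot() call (and following it with `unveil(NULL, NULL)` or a pledge) makes the restriction one-shot. As written, the `opendev()` on the next line can only resolve names under /dev, so a filesystem image passed by absolute path would be hidden. checkfilesys continues beyond the hunk.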
Index: sbin/fsck_msdos/main.c
===================================================================
RCS file: /cvs/src/sbin/fsck_msdos/main.c,v
retrieving revision 1.23
diff -u -p -u -r1.23 main.c
--- sbin/fsck_msdos/main.c      28 May 2016 18:00:42 -0000      1.23
+++ sbin/fsck_msdos/main.c      12 Jul 2018 16:18:13 -0000
@@ -57,6 +57,8 @@ main(int argc, char *argv[])
 {
        int ch;
 
+       checkroot();
+
        while ((ch = getopt(argc, argv, "pynf")) != -1) {
                switch (ch) {
                case 'f':
Index: sbin/quotacheck/quotacheck.c
===================================================================
RCS file: /cvs/src/sbin/quotacheck/quotacheck.c,v
retrieving revision 1.39
diff -u -p -u -r1.39 quotacheck.c
--- sbin/quotacheck/quotacheck.c        10 Dec 2015 17:27:00 -0000      1.39
+++ sbin/quotacheck/quotacheck.c        12 Jul 2018 16:18:13 -0000
@@ -139,6 +139,8 @@ main(int argc, char *argv[])
        const char *errstr;
        char *name;
 
+       checkroot();
+
        errs = maxrun = 0;
        while ((ch = getopt(argc, argv, "adguvl:")) != -1) {
                switch(ch) {
Index: sbin/savecore/savecore.c
===================================================================
RCS file: /cvs/src/sbin/savecore/savecore.c,v
retrieving revision 1.57
diff -u -p -u -r1.57 savecore.c
--- sbin/savecore/savecore.c    1 Sep 2016 14:12:07 -0000       1.57
+++ sbin/savecore/savecore.c    12 Jul 2018 16:18:13 -0000
@@ -171,6 +171,10 @@ main(int argc, char *argv[])
        (void)time(&now);
        kmem_setup();
 
+       if (unveil(dirn, "rwc") == -1) {
+               syslog(LOG_ERR, "unveil: %m");
+               exit(1);
+       }
        if (pledge("stdio rpath wpath cpath", NULL) == -1) {
                syslog(LOG_ERR, "pledge: %m");
                exit(1);
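Review bot: Only the save directory `dirn` is unveiled before the pledge, and kmem_setup() on the line above is the only earlier point that could have opened the dump device and kernel image; if the save routine later opens either of them by path rather than reusing descriptors from kmem_setup(), those opens will fail once unveil is in force and the paths need their own `unveil(..., "r")` entries here. The failure report `syslog(LOG_ERR, "unveil: %m")` matches the pledge handling below. main continues beyond the hunk.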
Index: sbin/shutdown/shutdown.c
===================================================================
RCS file: /cvs/src/sbin/shutdown/shutdown.c,v
retrieving revision 1.51
diff -u -p -u -r1.51 shutdown.c
--- sbin/shutdown/shutdown.c    7 Apr 2018 19:08:13 -0000       1.51
+++ sbin/shutdown/shutdown.c    26 Jul 2018 16:03:51 -0000
@@ -113,7 +113,17 @@ main(int argc, char *argv[])
        int arglen, ch, len, readstdin = 0;
        pid_t forkpid;
 
-       if (pledge("stdio rpath wpath cpath getpw tty id proc exec", NULL) == 
-1)
+       if (unveil(_PATH_CONSOLE, "rw") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_RC, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_WALL, "x") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_FASTBOOT, "wc") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_NOLOGIN, "wc") == -1)
+               err(1, "unveil");
+       if (pledge("stdio unveil rpath wpath cpath getpw tty id proc exec", 
NULL) == -1)
                err(1, "pledge");
 
 #ifndef DEBUG
@@ -167,6 +177,20 @@ main(int argc, char *argv[])
                warnx("incompatible switches -p and -r.");
                usage();
        }
+
+       if (dohalt || dopower) {
+               if (unveil(_PATH_HALT, "x") == -1)
+                       err(1, "unveil");
+       } else if (doreboot) {
+               if (unveil(_PATH_REBOOT, "x") == -1)
+                       err(1, "unveil");
+       } else {
+               if (unveil(_PATH_BSHELL, "x") == -1)
+                       err(1, "unveil");
+       }
+       if (pledge("stdio rpath wpath cpath getpw tty id proc exec", NULL) == 
-1)
+               err(1, "pledge");
+
        getoffset(*argv++);
 
        if (*argv) {
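Review bot: The per-mode unveil adds exactly one executable, which is sound, but the `else` branch silently covers every remaining mode, so a reader cannot tell whether `_PATH_BSHELL` is needed for the dump and -k cases or only one of them; a one-line comment on that branch naming the exec that relies on it, e.g. `/* remaining modes run the shell at the end */`, would help. The second pledge correctly drops "unveil" so the view is locked before getoffset(); main continues beyond the hunk.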
Index: usr.bin/calendar/calendar.c
===================================================================
RCS file: /cvs/src/usr.bin/calendar/calendar.c,v
retrieving revision 1.35
diff -u -p -u -r1.35 calendar.c
--- usr.bin/calendar/calendar.c 7 Dec 2015 18:46:35 -0000       1.35
+++ usr.bin/calendar/calendar.c 30 Jul 2018 12:52:39 -0000
@@ -40,6 +40,7 @@
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <syslog.h>
 #include <string.h>
 #include <limits.h>
 #include <time.h>
@@ -66,12 +67,14 @@ struct specialev spev[NUMEV];
 
 void childsig(int);
 
+void dothemall(void);
+
 int
 main(int argc, char *argv[])
 {
        int ch;
        const char *errstr;
-       char *caldir;
+       char *caldir = getenv("CALENDAR_DIR");
 
        (void)setlocale(LC_ALL, "");
 
@@ -123,11 +126,23 @@ main(int argc, char *argv[])
        if (argc)
                usage();
 
+       if (unveil(_PATH_CPP, "x") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_SENDMAIL, "x") == -1)
+               err(1, "unveil");
+
+       if (unveil(calendarFile, "r") == -1)
+               err(1, "unveil");
+
        if (doall) {
                if (pledge("stdio rpath tmppath fattr getpw id proc exec", NULL)
                    == -1)
                        err(1, "pledge");
        } else {
+               if (caldir) {
+                       if (unveil(caldir, "x") == -1)
+                               err(1, "unveil");
+               }
                if (pledge("stdio rpath proc exec", NULL) == -1)
                        err(1, "pledge");
        }
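Review bot: `unveil(caldir, "x")` grants only execute permission, but the path that uses `caldir` does `chdir(caldir)` and then reads the calendar file beneath it (visible later in this patch), so the directory needs `"r"` — as written that read should fail under unveil. Separately, `unveil(calendarFile, "r")` is issued before any chdir(); calendarFile is used as a relative name after `chdir(pw->pw_dir)` in the -a path, and a relative unveil binds to the directory current at the time of the call, so the per-user files are not covered by this entry. main continues beyond the hunk.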
@@ -145,116 +160,8 @@ main(int argc, char *argv[])
        settime(&f_time);
 
        if (doall) {
-               pid_t kid, deadkid;
-               int kidstat, kidreaped, runningkids;
-               int acstat;
-               struct stat sbuf;
-               time_t t;
-               unsigned int sleeptime;
-
-               signal(SIGCHLD, childsig);
-               runningkids = 0;
-               t = time(NULL);
-               while ((pw = getpwent()) != NULL) {
-                       acstat = 0;
-                       /* Avoid unnecessary forks.  The calendar file is only
-                        * opened as the user later; if it can't be opened,
-                        * it's no big deal.  Also, get to correct directory.
-                        * Note that in an NFS environment root may get EACCES
-                        * on a chdir(), in which case we have to fork.  As 
long as
-                        * we can chdir() we can stat(), unless the user is
-                        * modifying permissions while this is running.
-                        */
-                       if (chdir(pw->pw_dir)) {
-                               if (errno == EACCES)
-                                       acstat = 1;
-                               else
-                                       continue;
-                       }
-                       if (stat(calendarFile, &sbuf) != 0) {
-                               if (chdir(calendarHome)) {
-                                       if (errno == EACCES)
-                                               acstat = 1;
-                                       else
-                                               continue;
-                               }
-                               if (stat(calendarNoMail, &sbuf) == 0 ||
-                                   stat(calendarFile, &sbuf) != 0)
-                                       continue;
-                       }
-                       sleeptime = USERTIMEOUT;
-                       switch ((kid = fork())) {
-                       case -1:        /* error */
-                               warn("fork");
-                               continue;
-                       case 0: /* child */
-                               (void)setpgid(getpid(), getpid());
-                               (void)setlocale(LC_ALL, "");
-                               if (setusercontext(NULL, pw, pw->pw_uid,
-                                   LOGIN_SETALL ^ LOGIN_SETLOGIN))
-                                       err(1, "unable to set user context (uid 
%u)",
-                                           pw->pw_uid);
-                               if (acstat) {
-                                       if (chdir(pw->pw_dir) ||
-                                           stat(calendarFile, &sbuf) != 0 ||
-                                           chdir(calendarHome) ||
-                                           stat(calendarNoMail, &sbuf) == 0 ||
-                                           stat(calendarFile, &sbuf) != 0)
-                                               exit(0);
-                               }
-                               cal();
-                               exit(0);
-                       }
-                       /* parent: wait a reasonable time, then kill child if
-                        * necessary.
-                        */
-                       runningkids++;
-                       kidreaped = 0;
-                       do {
-                               sleeptime = sleep(sleeptime);
-                               /* Note that there is the possibility, if the 
sleep
-                                * stops early due to some other signal, of the 
child
-                                * terminating and not getting detected during 
the next
-                                * sleep.  In that unlikely worst case, we just 
sleep
-                                * too long for that user.
-                                */
-                               for (;;) {
-                                       deadkid = waitpid(-1, &kidstat, 
WNOHANG);
-                                       if (deadkid <= 0)
-                                               break;
-                                       runningkids--;
-                                       if (deadkid == kid) {
-                                               kidreaped = 1;
-                                               sleeptime = 0;
-                                       }
-                               }
-                       } while (sleeptime);
-
-                       if (!kidreaped) {
-                               /* It doesn't _really_ matter if the kill 
fails, e.g.
-                                * if there's only a zombie now.
-                                */
-                               if (getpgid(kid) != getpgrp())
-                                       (void)killpg(getpgid(kid), SIGTERM);
-                               else
-                                       (void)kill(kid, SIGTERM);
-                               warnx("uid %u did not finish in time", 
pw->pw_uid);
-                       }
-                       if (time(NULL) - t >= SECSPERDAY)
-                               errx(2, "'calendar -a' took more than a day; "
-                                   "stopped at uid %u",
-                                   pw->pw_uid);
-               }
-               for (;;) {
-                       deadkid = waitpid(-1, &kidstat, WNOHANG);
-                       if (deadkid <= 0)
-                               break;
-                       runningkids--;
-               }
-               if (runningkids)
-                       warnx("%d child processes still running when "
-                           "'calendar -a' finished", runningkids);
-       } else if ((caldir = getenv("CALENDAR_DIR")) != NULL) {
+               dothemall();
+       } else if (caldir != NULL) {
                if(!chdir(caldir))
                        cal();
        } else
@@ -278,3 +185,75 @@ void
 childsig(int signo)
 {
 }
+
+void
+dothemall(void)
+{
+       pid_t kid, kid2;
+       struct stat sbuf;
+       int acstat;
+
+       signal(SIGCHLD, SIG_IGN);
+
+       while (1) {
+               switch ((kid = fork())) {
+               case -1:        /* error */
+                       warn("fork");
+                       continue;
+               case 0: /* child */
+                       while ((pw = getpwent()) != NULL) {
+                               acstat = 0;
+
+                               if (chdir(pw->pw_dir)) {
+                                       if (errno == EACCES)
+                                               acstat = 1;
+                                       else
+                                               continue;
+                               }
+                               if (stat(calendarFile, &sbuf) != 0) {
+                                       if (chdir(calendarHome)) {
+                                               if (errno == EACCES)
+                                                       acstat = 1;
+                                               else
+                                                       continue;
+                                       }
+                                       if (stat(calendarNoMail, &sbuf) == 0 ||
+                                           stat(calendarFile, &sbuf) != 0)
+                                               continue;
+                               }
+
+                               switch ((kid2 = fork())) {
+                               case -1:        /* error */
+                                       warn("fork");
+                                       continue;
+                               case 0: /* child */
+                                       syslog(LOG_CRIT, "trying %s", 
pw->pw_name);
+                                       (void)setpgid(getpid(), getpid());
+                                       (void)setlocale(LC_ALL, "");
+                                       if (setusercontext(NULL, pw, pw->pw_uid,
+                                           LOGIN_SETALL ^ LOGIN_SETLOGIN))
+                                               err(1, "cannot set user context 
(uid %u)",
+                                                   pw->pw_uid);
+                                       if (acstat) {
+                                               if (chdir(pw->pw_dir) ||
+                                                   stat(calendarFile, &sbuf) 
!= 0 ||
+                                                   chdir(calendarHome) ||
+                                                   stat(calendarNoMail, &sbuf) 
== 0 ||
+                                                   stat(calendarFile, &sbuf) 
!= 0)
+                                                       exit(0);
+                                       }
+                                       cal();
+                                       exit(0);
+                               default:
+                                       wait(NULL);
+                                       break;
+                               }
+                       }
+                       syslog(LOG_CRIT, "done users");
+                       exit(0);
+               default:
+                       wait(NULL);
+                       return;
+               }
+       }
+}
\ No newline at end of file
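Review bot: dothemall() leaves two `syslog(LOG_CRIT, ...)` debugging messages ("trying %s", "done users") in the new code, which will fill the log at critical priority on every -a run; remove them or drop them to LOG_DEBUG. The rewrite also replaces the per-user timeout and kill of the removed code with an unconditional `wait(NULL)` after each fork, so one user's hung calendar now blocks the whole run — if intentional it deserves a comment, otherwise the USERTIMEOUT logic should be restored. Note that `signal(SIGCHLD, SIG_IGN)` makes the kernel auto-reap children, so `wait(NULL)` returns only once all children are gone, which happens to serialise the runs but is easy to misread; the file also now ends without a trailing newline.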
Index: usr.bin/ctfdump/ctfdump.c
===================================================================
RCS file: /cvs/src/usr.bin/ctfdump/ctfdump.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 ctfdump.c
--- usr.bin/ctfdump/ctfdump.c   6 Nov 2017 14:59:27 -0000       1.19
+++ usr.bin/ctfdump/ctfdump.c   28 Jul 2018 12:58:08 -0000
@@ -83,7 +83,7 @@ main(int argc, char *argv[])
 
        setlocale(LC_ALL, "");
 
-       if (pledge("stdio rpath", NULL) == -1)
+       if (pledge("stdio rpath unveil", NULL) == -1)
                err(1, "pledge");
 
        while ((ch = getopt(argc, argv, "dfhlst")) != -1) {
@@ -121,8 +121,12 @@ main(int argc, char *argv[])
        if (flags == 0)
                flags = 0xff;
 
-       while ((filename = *argv++) != NULL)
+       while ((filename = *argv++) != NULL) {
+               if (unveil(filename, "r") == -1)
+                       err(1, "unveil");
+
                error |= dump(filename, flags);
+       }
 
        return error;
 }
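Review bot: Each filename is unveiled immediately before it is dumped and the "unveil" promise added in the first hunk is never dropped, so the view is still open while dump() parses untrusted input; unveil all arguments first, then re-pledge without "unveil" before any file is processed. This also makes an unveil failure on a later argument surface before earlier files are dumped. main ends inside this hunk.
```c
	char **ap;

	for (ap = argv; *ap != NULL; ap++)
		if (unveil(*ap, "r") == -1)
			err(1, "unveil %s", *ap);
	if (pledge("stdio rpath", NULL) == -1)
		err(1, "pledge");

	while ((filename = *argv++) != NULL)
		error |= dump(filename, flags);
```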
Index: usr.bin/doas/doas.c
===================================================================
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.72
diff -u -p -u -r1.72 doas.c
--- usr.bin/doas/doas.c 27 May 2017 09:51:07 -0000      1.72
+++ usr.bin/doas/doas.c 30 Jul 2018 13:29:40 -0000
@@ -240,6 +240,37 @@ good:
 }
 
 int
+unveilcommands(const char *ipath, const char *cmd)
+{
+       char *path, *p;
+       int unveils = 0;
+
+       if (strchr(cmd, '/') != NULL) {
+               if (unveil(cmd, "x") == -1)
+                       return (0);
+               return (1);
+       }
+
+       path = strdup(ipath);
+       if (!path)
+               err(1, "copying path");
+       for (p = path; p && *p;) {
+               char buf[PATH_MAX];
+               char *cp = strsep(&p, ":");
+
+               if (cp) {
+                       int r = snprintf(buf, sizeof buf, "%s/%s", cp, cmd);
+                       if (r == -1 || r >= sizeof buf)
+                               errx(1, "snprintf");
+                       if (unveil(buf, "x") != -1)
+                               unveils++;
+               }
+       }
+       free(path);
+       return (unveils);
+}
+
+int
 main(int argc, char **argv)
 {
        const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:"
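Review bot: unveilcommands() is built from `safepath`, but the exec at the end uses whatever PATH is in `envp`, and the `setenv("PATH", safepath, ...)` in the last hunk appears to be conditional; if a rule can keep or set PATH, execvpe() will search directories this function never unveiled and the command will be reported as not found. Either pass the same PATH that execvpe() will use, or document that commands are only resolvable through safepath. The `unveils` count also counts search directories that were visible rather than commands found (this series elsewhere relies on unveil(2) accepting a missing final component, e.g. the "wc" entries in shutdown), so a name like `visible` would be more honest; the `r >= sizeof buf` comparison is fine because the `r == -1` check short-circuits first.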
@@ -364,6 +395,11 @@ main(int argc, char **argv)
                authuser(myname, login_style, rule->options & PERSIST);
        }
 
+       if (unveil(_PATH_LOGIN_CONF, "r") == -1)
+               err(1, "unveil");
+       if (unveilcommands(safepath, cmd) == 0)
+               goto fail;
+
        if (pledge("stdio rpath getpw exec id", NULL) == -1)
                err(1, "pledge");
 
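Review bot: `goto fail` after a zero return from unveilcommands() relies on whatever errno the last unveil() left behind; for a bare command name that is the errno of the last safepath entry tried, which may be ENOENT because a search directory is absent rather than because the command is, so the "command not found" diagnosis at the label is coincidental — set `errno = ENOENT;` immediately before the `goto fail` so the message is deliberate. main continues beyond the hunk.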
@@ -397,6 +433,7 @@ main(int argc, char **argv)
                        err(1, "failed to set PATH '%s'", safepath);
        }
        execvpe(cmd, argv, envp);
+fail:
        if (errno == ENOENT)
                errx(1, "%s: command not found", cmd);
        err(1, "%s", cmd);
Index: usr.bin/encrypt/encrypt.c
===================================================================
RCS file: /cvs/src/usr.bin/encrypt/encrypt.c,v
retrieving revision 1.47
diff -u -p -u -r1.47 encrypt.c
--- usr.bin/encrypt/encrypt.c   24 May 2017 09:19:55 -0000      1.47
+++ usr.bin/encrypt/encrypt.c   12 Jul 2018 16:18:13 -0000
@@ -95,7 +95,9 @@ main(int argc, char **argv)
        char *extra = NULL;     /* Store login class or number of rounds */
        const char *errstr;
 
-       if (pledge("stdio rpath wpath tty", NULL) == -1)
+       if (unveil(_PATH_LOGIN_CONF, "r") == -1)
+               err(1, "unveil");
+       if (pledge("stdio rpath tty", NULL) == -1)
                err(1, "pledge");
 
        while ((opt = getopt(argc, argv, "pb:c:")) != -1) {
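Review bot: Besides the unveil, this hunk silently narrows the pledge from "stdio rpath wpath tty" to "stdio rpath tty"; dropping "wpath" is a separate behavioural change and should be called out (or split) so a later regression on a write path is not blamed on unveil. As with the other login.conf consumers in this series, `_PATH_LOGIN_CONF` alone may not suffice if a cap_mkdb'd `login.conf.db` is present and consulted first by the cgetent lookup — worth testing, and adding `unveil(_PATH_LOGIN_CONF ".db", "r")` if so. main continues beyond the hunk.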
Index: usr.bin/from/from.c
===================================================================
RCS file: /cvs/src/usr.bin/from/from.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 from.c
--- usr.bin/from/from.c 31 May 2017 19:41:30 -0000      1.25
+++ usr.bin/from/from.c 12 Jul 2018 16:18:13 -0000
@@ -74,10 +74,16 @@ main(int argc, char *argv[])
        }
        argv += optind;
 
-       if (pledge("stdio rpath getpw", NULL) == -1)
+       if (pledge("stdio unveil rpath getpw", NULL) == -1)
                err(1, "pledge");
 
        file = mail_spool(file, *argv);
+
+       if (unveil(file, "r") == -1)
+               err(1, "unveil");
+       if (pledge("stdio rpath getpw", NULL) == -1)
+               err(1, "pledge");
+
        if ((fp = fopen(file, "r")) == NULL) {
                if (!fflag && errno == ENOENT)
                        exit(EXIT_SUCCESS);
Index: usr.bin/last/last.c
===================================================================
RCS file: /cvs/src/usr.bin/last/last.c,v
retrieving revision 1.50
diff -u -p -u -r1.50 last.c
--- usr.bin/last/last.c 29 Oct 2015 03:00:31 -0000      1.50
+++ usr.bin/last/last.c 28 Jul 2018 12:58:08 -0000
@@ -98,9 +98,6 @@ main(int argc, char *argv[])
        const char *errstr;
        int ch, lastch = '\0', newarg = 1, prevoptind = 1;
 
-       if (pledge("stdio rpath", NULL) == -1)
-               err(1, "pledge");
-
        while ((ch = getopt(argc, argv, "0123456789cf:h:n:st:d:T")) != -1) {
                switch (ch) {
                case '0': case '1': case '2': case '3': case '4':
@@ -154,6 +151,12 @@ main(int argc, char *argv[])
        }
        if (maxrec == 0)
                exit(0);
+
+       if (unveil(file, "r") == -1)
+               err(1, "unveil");
+
+       if (pledge("stdio rpath", NULL) == -1)
+               err(1, "pledge");
 
        if (argc) {
                setvbuf(stdout, NULL, _IOLBF, 0);
Index: usr.bin/mesg/mesg.c
===================================================================
RCS file: /cvs/src/usr.bin/mesg/mesg.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 mesg.c
--- usr.bin/mesg/mesg.c 7 Jul 2016 09:26:26 -0000       1.12
+++ usr.bin/mesg/mesg.c 28 Jul 2018 12:58:08 -0000
@@ -52,9 +52,6 @@ main(int argc, char *argv[])
        char *tty;
        int ch;
 
-       if (pledge("stdio rpath fattr", NULL) == -1)
-               err(2, "pledge");
-
        while ((ch = getopt(argc, argv, "")) != -1)
                switch (ch) {
                case '?':
@@ -66,6 +63,13 @@ main(int argc, char *argv[])
 
        if ((tty = ttyname(STDERR_FILENO)) == NULL)
                err(2, "ttyname");
+
+       if (unveil(tty, "r") == -1)
+               err(1, "unveil");
+
+       if (pledge("stdio rpath fattr", NULL) == -1)
+               err(1, "unveil");
+
        if (stat(tty, &sb) < 0)
                err(2, "%s", tty);
 
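Review bot: The pledge failure after the new `if (pledge("stdio rpath fattr", NULL) == -1)` reports `err(1, "unveil")`, so a pledge error is misattributed, and both new checks exit with status 1 where the rest of this file (the removed pledge check, the `ttyname` and `stat` failures) uses 2; make them `err(2, "pledge");` and `err(2, "unveil");`. Separately, the tty is unveiled with `"r"` only, yet mesg goes on to change its mode (the `fattr` promise is kept); if chmod(2) is gated by the `w` unveil permission, this needs `unveil(tty, "rw")` — confirm against unveil(2). main() continues outside the hunk.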
Index: usr.bin/mixerctl/mixerctl.c
===================================================================
RCS file: /cvs/src/usr.bin/mixerctl/mixerctl.c,v
retrieving revision 1.30
diff -u -p -u -r1.30 mixerctl.c
--- usr.bin/mixerctl/mixerctl.c 8 Feb 2015 23:40:34 -0000       1.30
+++ usr.bin/mixerctl/mixerctl.c 28 Jul 2018 12:58:08 -0000
@@ -283,10 +283,17 @@ main(int argc, char **argv)
 
        if (argc == 0 && tflag == 0)
                aflag = 1;
-               
-       if ((fd = open(file, O_RDWR)) == -1)
+
+       if (unveil(file, "rw") == -1)
+               err(1, "unveil");
+
+       if ((fd = open(file, O_RDWR)) == -1) {
+               if (unveil(file, "r") == -1)
+                       err(1, "unveil");
+
                if ((fd = open(file, O_RDONLY)) == -1)
                        err(1, "%s", file);
+       }
 
        for (ndev = 0; ; ndev++) {
                dinfo.index = ndev;
Index: usr.bin/nc/netcat.c
===================================================================
RCS file: /cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.191
diff -u -p -u -r1.191 netcat.c
--- usr.bin/nc/netcat.c 27 Apr 2018 15:17:53 -0000      1.191
+++ usr.bin/nc/netcat.c 26 Jul 2018 14:59:43 -0000
@@ -364,6 +364,30 @@ main(int argc, char *argv[])
        } else
                usage(1);
 
+       if (usetls) {
+               if (Cflag) {
+                       if (unveil(Cflag, "r") == -1)
+                               err(1, "unveil");
+               } else {
+                       if (unveil("/etc/ssl/cert.pem", "r") == -1)
+                               err(1, "unveil");
+               }
+               if (Rflag && unveil(Rflag, "r") == -1)
+                       err(1, "unveil");
+               if (Kflag && unveil(Kflag, "r") == -1)
+                       err(1, "unveil");
+               if (oflag && unveil(oflag, "r") == -1)
+                       err(1, "unveil");
+       } else {
+               if (family == AF_UNIX) {
+                       if (unveil(host, "rwc") == -1)
+                               err(1, "unveil");
+               } else {
+                       if (unveil("/", "") == -1)
+                               err(1, "unveil");
+               }
+       }
+
        if (family == AF_UNIX) {
                if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
                        err(1, "pledge");
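Review bot: `if (oflag && unveil(oflag, "r") == -1)` unveils the -o argument read-only, but in netcat that option names the file where the peer certificate is saved, i.e. it is created and written; as far as I can tell it needs `"wc"` (and `cpath`/`wpath` in the later pledge) — verify against the save routine. The literal `"/etc/ssl/cert.pem"` could come from `tls_default_ca_cert_file()` so the default tracks libtls instead of being repeated here. main() continues outside the hunk.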
Index: usr.bin/nm/nm.c
===================================================================
RCS file: /cvs/src/usr.bin/nm/nm.c,v
retrieving revision 1.53
diff -u -p -u -r1.53 nm.c
--- usr.bin/nm/nm.c     27 Oct 2017 16:47:08 -0000      1.53
+++ usr.bin/nm/nm.c     30 Jul 2018 14:58:24 -0000
@@ -135,13 +135,13 @@ main(int argc, char *argv[])
        const struct option *lopts;
        int ch, eval;
 
-       if (pledge("stdio rpath proc exec", NULL) == -1)
+       if (pledge("stdio rpath proc exec unveil", NULL) == -1)
                err(1, "pledge");
 
        optstr = OPTSTRING_NM;
        lopts = longopts_nm;
        if (!strcmp(__progname, "size")) {
-               if (pledge("stdio rpath", NULL) == -1)
+               if (pledge("stdio rpath unveil", NULL) == -1)
                        err(1, "pledge");
 
                issize = 1;
@@ -215,8 +215,12 @@ main(int argc, char *argv[])
        if (posix_output)
                (void)snprintf(posix_fmtstr, sizeof posix_fmtstr, "%%%c %%%c",
                    posix_radix, posix_radix);
-       if (demangle)
+       if (demangle) {
+               if (unveil("/usr/bin/c++filt", "x") == -1)
+                       err(1, "unveil");
+
                pipe2cppfilt();
+       }
 
        if (pledge("stdio rpath", NULL) == -1)
                err(1, "pledge");
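Review bot: When `demangle` is set, the only path unveiled before the locking `pledge("stdio rpath", NULL)` is `/usr/bin/c++filt`, so every other path becomes invisible — including the object files named on the command line, which, as far as visible, are opened after this point (main() continues outside the hunk). Either unveil each remaining argv entry with `"r"` before that pledge, or move the c++filt unveil so it does not end up hiding the inputs. A quick check of `nm -C` on a file in the current directory would confirm either way.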
Index: usr.bin/su/su.c
===================================================================
RCS file: /cvs/src/usr.bin/su/su.c,v
retrieving revision 1.70
diff -u -p -u -r1.70 su.c
--- usr.bin/su/su.c     30 Oct 2015 19:45:03 -0000      1.70
+++ usr.bin/su/su.c     12 Jul 2018 16:18:13 -0000
@@ -73,7 +73,7 @@ main(int argc, char **argv)
        uid_t ruid;
        u_int flags;
 
-       if (pledge("stdio rpath getpw proc exec id", NULL) == -1)
+       if (pledge("stdio unveil rpath getpw proc exec id", NULL) == -1)
                err(1, "pledge");
 
        while ((ch = getopt(argc, argv, "a:c:fKLlms:-")) != -1)
@@ -160,6 +160,11 @@ main(int argc, char **argv)
                }
        }
 
+       if (unveil(_PATH_LOGIN_CONF, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_AUTHPROGDIR, "x") == -1)
+               err(1, "unveil");
+
        for (;;) {
                /* get target user, default to root unless in -L mode */
                if (*argv) {
@@ -215,7 +220,7 @@ main(int argc, char **argv)
                fprintf(stderr, "Login incorrect\n");
        }
 
-       if (pledge("stdio rpath getpw exec id", NULL) == -1)
+       if (pledge("stdio unveil rpath getpw exec id", NULL) == -1)
                err(1, "pledge");
 
        if (!altshell) {
@@ -233,6 +238,11 @@ main(int argc, char **argv)
                }
        }
 
+       if (unveil(shell, "x") == -1)
+               err(1, "unveil");
+       if (unveil(pwd->pw_dir, "r") == -1)
+               err(1, "unveil");
+
        if ((p = strrchr(shell, '/')))
                avshell = p+1;
        else
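Review bot: `if (unveil(pwd->pw_dir, "r") == -1) err(1, "unveil");` makes an unresolvable home path fatal, whereas the later code (next hunk) deliberately tolerates a missing home directory and falls back to `/`; an empty or otherwise bad `pw_dir` therefore turns a warning into an abort. Consider skipping the unveil when `*pwd->pw_dir == '\0'` or treating `ENOENT` from unveil the way the chdir failure is treated — confirm which errors unveil(2) returns for a nonexistent final component. main() continues outside the hunk.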
@@ -260,6 +270,8 @@ main(int argc, char **argv)
                                if (login_getcapbool(lc, "requirehome", 0)) {
                                        auth_err(as, 1, "%s", pwd->pw_dir);
                                } else {
+                                       if (unveil("/", "r") == -1)
+                                               err(1, "unveil");
                                        printf("No home directory %s!\n", 
pwd->pw_dir);
                                        printf("Logging in with home = 
\"/\".\n");
                                        if (chdir("/") < 0)
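Review bot: `unveil("/", "r")` in the no-home fallback re-exposes the entire filesystem for reading, undoing the narrower unveils made earlier in main(), and it is only there so the following `chdir("/")` succeeds. If a narrower way to allow that chdir exists it should be used; otherwise a comment such as `/* fallback to "/" as home: this intentionally widens the read veil */` should record that the widening is deliberate. The enclosing block starts and ends outside the hunk.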
@@ -285,6 +297,8 @@ main(int argc, char **argv)
                if (setenv("SHELL", shell, 1) == -1)
                        auth_err(as, 1, "unable to set environment");
        }
+       if (pledge("stdio rpath getpw exec id", NULL) == -1)
+               err(1, "pledge");
 
        np = *argv ? argv : argv - 1;
        if (iscsh == YES) {
Index: usr.bin/tty/tty.c
===================================================================
RCS file: /cvs/src/usr.bin/tty/tty.c,v
retrieving revision 1.10
diff -u -p -u -r1.10 tty.c
--- usr.bin/tty/tty.c   12 Oct 2015 19:56:47 -0000      1.10
+++ usr.bin/tty/tty.c   28 Jul 2018 12:58:08 -0000
@@ -43,9 +43,6 @@ main(int argc, char *argv[])
        int ch, sflag;
        char *t;
 
-       if (pledge("stdio rpath", NULL) == -1)
-               err(1, "pledge");
-
        sflag = 0;
        while ((ch = getopt(argc, argv, "s")) != -1) {
                switch(ch) {
@@ -58,6 +55,12 @@ main(int argc, char *argv[])
                        /* NOTREACHED */
                }
        }
+
+       if (unveil("/var/run/dev.db", "r") == -1)
+               err(1, "unveil");
+
+       if (pledge("stdio rpath", NULL) == -1)
+               err(1, "pledge");
 
        t = ttyname(STDIN_FILENO);
        if (!sflag)
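Review bot: `if (unveil("/var/run/dev.db", "r") == -1)` spells the device database out as a literal, while pstat.c in this same series uses `_PATH_DEVDB` from <paths.h> for the same file; use `unveil(_PATH_DEVDB, "r")` so the path has one definition. A one-line comment such as `/* ttyname(3) presumably consults the device database */` would also say why a program that only calls ttyname() needs this file — confirm that is the reason. main() continues outside the hunk.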
Index: usr.bin/users/users.c
===================================================================
RCS file: /cvs/src/usr.bin/users/users.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 users.c
--- usr.bin/users/users.c       9 Oct 2015 01:37:09 -0000       1.13
+++ usr.bin/users/users.c       28 Jul 2018 12:58:08 -0000
@@ -53,6 +53,9 @@ main(int argc, char *argv[])
        struct utmp utmp;
        int ch;
 
+       if (unveil(_PATH_UTMP, "r") == -1)
+               err(1, "unveil");
+
        if (pledge("stdio rpath", NULL) == -1)
                err(1, "pledge");
 
Index: usr.bin/wall/wall.c
===================================================================
RCS file: /cvs/src/usr.bin/wall/wall.c,v
retrieving revision 1.32
diff -u -p -u -r1.32 wall.c
--- usr.bin/wall/wall.c 1 Aug 2016 20:30:25 -0000       1.32
+++ usr.bin/wall/wall.c 12 Jul 2018 16:18:13 -0000
@@ -115,6 +115,10 @@ main(int argc, char **argv)
 
        makemsg(*argv);
 
+       if (unveil(_PATH_UTMP, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/dev", "w") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath getpw proc", NULL) == -1)
                err(1, "pledge");
 
Index: usr.bin/who/who.c
===================================================================
RCS file: /cvs/src/usr.bin/who/who.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 who.c
--- usr.bin/who/who.c   21 Oct 2015 16:06:57 -0000      1.27
+++ usr.bin/who/who.c   12 Jul 2018 16:18:13 -0000
@@ -74,7 +74,7 @@ main(int argc, char *argv[])
 
        setlocale(LC_ALL, "");
 
-       if (pledge("stdio rpath getpw", NULL) == -1)
+       if (pledge("stdio unveil rpath getpw", NULL) == -1)
                err(1, "pledge");
 
        if ((mytty = ttyname(0))) {
@@ -122,8 +122,12 @@ main(int argc, char *argv[])
        if (show_labels)
                output_labels();
 
+       if (unveil(_PATH_UTMP, "r") == -1)
+               err(1, "unveil");
        switch (argc) {
        case 0:                                 /* who */
+               if (pledge("stdio rpath getpw", NULL) == -1)
+                       err(1, "pledge");
                ufp = file(_PATH_UTMP);
 
                if (only_current_term) {
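Review bot: The `_PATH_UTMP` unveil sits before `switch (argc)`, so in the `case 1` branch (next hunk), where only the user-supplied file is read, the system utmp stays visible although it is not used; moving `if (unveil(_PATH_UTMP, "r") == -1)` into `case 0` and `case 2` keeps each branch to exactly the file it opens. The repeated locking pledge per case is fine given the opens happen inside the cases, but a short comment noting that the pledge without `unveil` is what locks the veil would help readers. main() continues outside the hunk.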
@@ -150,6 +154,10 @@ main(int argc, char *argv[])
                }
                break;
        case 1:                                 /* who utmp_file */
+               if (unveil(*argv, "r") == -1)
+                       err(1, "unveil");
+               if (pledge("stdio rpath getpw", NULL) == -1)
+                       err(1, "pledge");
                ufp = file(*argv);
 
                if (only_current_term) {
@@ -175,6 +183,8 @@ main(int argc, char *argv[])
                }
                break;
        case 2:                                 /* who am i */
+               if (pledge("stdio rpath getpw", NULL) == -1)
+                       err(1, "pledge");
                ufp = file(_PATH_UTMP);
                who_am_i(ufp);
                break;
Index: usr.sbin/acme-client/http.c
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/http.c,v
retrieving revision 1.21
diff -u -p -u -r1.21 http.c
--- usr.sbin/acme-client/http.c 6 Feb 2018 04:19:56 -0000       1.21
+++ usr.sbin/acme-client/http.c 12 Jul 2018 16:18:13 -0000
@@ -35,8 +35,6 @@
 #include "http.h"
 #include "extern.h"
 
-#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
-
 /*
  * A buffer for transferring HTTP/S data.
  */
Index: usr.sbin/acme-client/http.h
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/http.h,v
retrieving revision 1.5
diff -u -p -u -r1.5 http.h
--- usr.sbin/acme-client/http.h 25 Jan 2017 13:52:53 -0000      1.5
+++ usr.sbin/acme-client/http.h 12 Jul 2018 16:18:13 -0000
@@ -61,6 +61,7 @@ struct        httpget {
        size_t           bodypartsz; /* size of bodypart */
 };
 
+#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
 int             http_init(void);
 
 /* Convenience functions. */
Index: usr.sbin/acme-client/netproc.c
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/netproc.c,v
retrieving revision 1.16
diff -u -p -u -r1.16 netproc.c
--- usr.sbin/acme-client/netproc.c      14 Mar 2018 12:28:25 -0000      1.16
+++ usr.sbin/acme-client/netproc.c      12 Jul 2018 16:18:13 -0000
@@ -612,6 +612,11 @@ netproc(int kfd, int afd, int Cfd, int c
        memset(&paths, 0, sizeof(struct capaths));
        memset(&c, 0, sizeof(struct conn));
 
+       if (unveil(DEFAULT_CA_FILE, "r") == -1) {
+               warn("unveil");
+               goto out;
+       }
+
        if (pledge("stdio inet rpath", NULL) == -1) {
                warn("pledge");
                goto out;
Index: usr.sbin/acpidump/acpidump.c
===================================================================
RCS file: /cvs/src/usr.sbin/acpidump/acpidump.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 acpidump.c
--- usr.sbin/acpidump/acpidump.c        30 Jun 2018 19:45:41 -0000      1.19
+++ usr.sbin/acpidump/acpidump.c        12 Jul 2018 16:18:13 -0000
@@ -40,6 +40,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <limits.h>
+#include <paths.h>
 
 
 #define vm_page_size sysconf(_SC_PAGESIZE)
@@ -601,6 +602,18 @@ asl_dump_from_devmem(void)
 
        acpi_user_init();
 
+       if (unveil(aml_dumpfile, "wc") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_MEM, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_KMEM, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_KVMDB, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_KSYMS, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/bsd", "r") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath cpath", NULL) == -1)
                err(1, "pledge");
 
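Review bot: `if (unveil("/bsd", "r") == -1)` hard-codes the kernel path even though the previous hunk adds <paths.h> and the other unveils use its names; `_PATH_UNIX` is the <paths.h> spelling, so `unveil(_PATH_UNIX, "r")` keeps the list consistent. `aml_dumpfile` is unveiled unconditionally with `"wc"`; if it can be NULL when no dump is requested, unveil(2) would fail and abort — confirm its default. asl_dump_from_devmem() continues outside the hunk.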
Index: usr.sbin/dev_mkdb/dev_mkdb.c
===================================================================
RCS file: /cvs/src/usr.sbin/dev_mkdb/dev_mkdb.c,v
retrieving revision 1.15
diff -u -p -u -r1.15 dev_mkdb.c
--- usr.sbin/dev_mkdb/dev_mkdb.c        16 Oct 2015 13:37:44 -0000      1.15
+++ usr.sbin/dev_mkdb/dev_mkdb.c        12 Jul 2018 16:18:13 -0000
@@ -61,6 +61,15 @@ main(int argc, char *argv[])
        u_char buf[MAXNAMLEN + 1];
        char dbtmp[PATH_MAX], dbname[PATH_MAX];
 
+       (void)snprintf(dbtmp, sizeof(dbtmp), "%sdev.tmp", _PATH_VARRUN);
+       (void)snprintf(dbname, sizeof(dbtmp), "%sdev.db", _PATH_VARRUN);
+
+       if (unveil("/dev", "r") == -1)
+               err(1, "unveil");
+       if (unveil(dbtmp, "rwc") == -1)
+               err(1, "unveil");
+       if (unveil(dbname, "wc") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath cpath flock", NULL) == -1)
                err(1, "pledge");
 
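Review bot: The moved `(void)snprintf(dbname, sizeof(dbtmp), "%sdev.db", _PATH_VARRUN);` bounds `dbname` by `sizeof(dbtmp)`; both are `PATH_MAX` so it is harmless today, but since the line is being relocated, `sizeof(dbname)` is the correct bound. A comment above the two snprintf calls, e.g. `/* build the db paths first: they must be unveiled before pledge */`, would explain why they moved up from their original place. main() continues outside the hunk.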
@@ -81,8 +90,6 @@ main(int argc, char *argv[])
 
        dirp = opendir(".");
 
-       (void)snprintf(dbtmp, sizeof(dbtmp), "%sdev.tmp", _PATH_VARRUN);
-       (void)snprintf(dbname, sizeof(dbtmp), "%sdev.db", _PATH_VARRUN);
        bzero(&info, sizeof(info));
        info.bsize = 8192;
        db = dbopen(dbtmp, O_CREAT|O_EXLOCK|O_RDWR|O_TRUNC,
@@ -101,6 +108,9 @@ main(int argc, char *argv[])
        key.size = sizeof(bkey);
        data.data = buf;
        while ((dp = readdir(dirp))) {
+               if (strcmp(dp->d_name, "..") == 0)
+                       continue;
+
                if (lstat(dp->d_name, &sb)) {
                        warn("%s", dp->d_name);
                        continue;
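Review bot: The new `if (strcmp(dp->d_name, "..") == 0) continue;` carries no comment, and its reason is presumably that after `unveil("/dev", "r")` the parent directory is no longer visible, so `lstat("..")` would start warning where it used to succeed. Add `/* ".." lies outside the unveiled /dev; skip it instead of warning */`; if only device nodes are stored in the db this does not change its contents — confirm. The loop continues outside the hunk.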
Index: usr.sbin/dhcpd/dhcpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/dhcpd/dhcpd.c,v
retrieving revision 1.56
diff -u -p -u -r1.56 dhcpd.c
--- usr.sbin/dhcpd/dhcpd.c      16 Feb 2017 00:24:43 -0000      1.56
+++ usr.sbin/dhcpd/dhcpd.c      28 Jul 2018 12:58:08 -0000
@@ -245,6 +245,18 @@ main(int argc, char *argv[])
 
        icmp_startup(1, lease_pinged);
 
+       if (unveil(path_dhcpd_db, "rwc") == -1)
+               err(1, "unveil");
+
+       if (unveil("/dev/bpf", "rw") == -1)
+               err(1, "unveil");
+
+       if (unveil(_PATH_DEV_PF, "rw") == -1)
+               err(1, "unveil");
+
+       if (unveil(_PATH_VAREMPTY, "r") == -1)
+               err(1, "unveil");
+
        if (chroot(_PATH_VAREMPTY) == -1)
                fatal("chroot %s", _PATH_VAREMPTY);
        if (chdir("/") == -1)
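Review bot: The unveils are issued with absolute paths immediately before `chroot(_PATH_VAREMPTY)`, after which the same strings no longer name the same files; whether the entries still apply depends on unveil(2) resolving them at call time rather than by pathname, which is worth confirming and recording, e.g. `/* unveil before chroot: paths are resolved now, in the outer namespace */`. No locking pledge or `unveil(NULL, NULL)` is visible in the hunk; if none follows, later code can still widen the veil. `"/dev/bpf"` is a literal while the pf device uses `_PATH_DEV_PF`; a named constant would be consistent. main() continues outside the hunk.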
Index: usr.sbin/makefs/makefs.c
===================================================================
RCS file: /cvs/src/usr.sbin/makefs/makefs.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 makefs.c
--- usr.sbin/makefs/makefs.c    17 Dec 2016 16:12:15 -0000      1.19
+++ usr.sbin/makefs/makefs.c    12 Jul 2018 16:18:13 -0000
@@ -198,6 +198,10 @@ main(int argc, char *argv[])
        if (argc != 2)
                usage();
 
+       if (unveil(argv[0], "rwc") == -1)
+               err(1, "unveil");
+       if (unveil(argv[1], "rw") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath wpath cpath", NULL) == -1)
                err(1, "pledge");
 
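Review bot: `argv[1]` is the source directory makefs walks to build the image named by `argv[0]`, so `unveil(argv[1], "rw")` grants more than the walk needs; unless makefs modifies the source tree, `"r"` suffices — verify and narrow. A comment naming which argument is the image and which the source tree would make the two different permission sets self-explanatory. main() continues outside the hunk.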
Index: usr.sbin/ntpd/ntpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
retrieving revision 1.113
diff -u -p -u -r1.113 ntpd.c
--- usr.sbin/ntpd/ntpd.c        9 Jan 2017 14:49:22 -0000       1.113
+++ usr.sbin/ntpd/ntpd.c        29 Jul 2018 19:32:41 -0000
@@ -244,6 +244,10 @@ main(int argc, char *argv[])
         * Constraint processes are forked with certificates in memory,
         * then privdrop into chroot before speaking to the outside world.
         */
+       if (unveil("/etc/ssl/cert.pem", "r") == -1)
+               err(1, "unveil");
+       if (unveil("/usr/sbin/ntpd", "x") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath inet settime proc exec id", NULL) == -1)
                err(1, "pledge");
 
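Review bot: `unveil("/usr/sbin/ntpd", "x")` pins the re-exec to the installed location; if the constraint processes are re-executed via the path ntpd was started from, a binary run from any other directory would fail the exec under unveil, so the unveil should use the same value the exec uses, or the restriction to the installed path should be documented. rebound.c in this series has the same fixed `"/usr/sbin/rebound"` literal. The CA path literal also appears in netcat.c; libtls exposes `tls_default_ca_cert_file()` for it. main() continues outside the hunk.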
Index: usr.sbin/portmap/portmap.c
===================================================================
RCS file: /cvs/src/usr.sbin/portmap/portmap.c,v
retrieving revision 1.48
diff -u -p -u -r1.48 portmap.c
--- usr.sbin/portmap/portmap.c  14 Oct 2015 13:32:44 -0000      1.48
+++ usr.sbin/portmap/portmap.c  30 Jul 2018 12:42:00 -0000
@@ -247,7 +247,7 @@ main(int argc, char *argv[])
        }
        endpwent();
 
-       if (pledge("stdio rpath inet proc", NULL) == -1)
+       if (pledge("stdio inet proc", NULL) == -1)
                err(1, "pledge");
 
        if (svc_register(xprt, PMAPPROG, PMAPVERS, reg_service, FALSE) == 0) {
@@ -609,6 +609,8 @@ callit(struct svc_req *rqstp, SVCXPRT *x
                return;
        }
 
+       if (unveil("/etc/rpc", "r") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath inet", NULL) == -1)
                err(1, "pledge");
 
Index: usr.sbin/pstat/pstat.c
===================================================================
RCS file: /cvs/src/usr.sbin/pstat/pstat.c,v
retrieving revision 1.117
diff -u -p -u -r1.117 pstat.c
--- usr.sbin/pstat/pstat.c      18 Jun 2018 09:15:05 -0000      1.117
+++ usr.sbin/pstat/pstat.c      12 Jul 2018 16:18:13 -0000
@@ -229,6 +229,8 @@ main(int argc, char *argv[])
                        ttymodeprep();
        }
 
+       if (unveil(_PATH_DEVDB, "r") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath vminfo", NULL) == -1)
                err(1, "pledge");
 
Index: usr.sbin/rarpd/rarpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/rarpd/rarpd.c,v
retrieving revision 1.74
diff -u -p -u -r1.74 rarpd.c
--- usr.sbin/rarpd/rarpd.c      1 Jun 2018 07:36:13 -0000       1.74
+++ usr.sbin/rarpd/rarpd.c      12 Jul 2018 16:18:13 -0000
@@ -95,6 +95,10 @@ int  fflag = 0;              /* don't fork */
 int    lflag = 0;              /* log all replies */
 int    tflag = 0;              /* tftpboot check */
 
+#ifndef TFTP_DIR
+#define TFTP_DIR "/tftpboot"
+#endif
+
 int
 main(int argc, char *argv[])
 {
@@ -334,6 +338,8 @@ rarp_loop(void)
 
        arptab_init();
 
+       if (unveil(TFTP_DIR, "r") == -1)
+               error("unveil");
        if (pledge("stdio rpath dns", NULL) == -1)
                error("pledge");
 
@@ -387,10 +393,6 @@ rarp_loop(void)
        }
        free(pfd);
 }
-
-#ifndef TFTP_DIR
-#define TFTP_DIR "/tftpboot"
-#endif
 
 /*
  * True if this server can boot the host whose IP address is 'addr'.
Index: usr.sbin/rebound/rebound.c
===================================================================
RCS file: /cvs/src/usr.sbin/rebound/rebound.c,v
retrieving revision 1.98
diff -u -p -u -r1.98 rebound.c
--- usr.sbin/rebound/rebound.c  1 May 2018 15:14:43 -0000       1.98
+++ usr.sbin/rebound/rebound.c  28 Jul 2018 12:58:08 -0000
@@ -1018,6 +1018,12 @@ monitorloop(int ud, int ld, int ud6, int
        int conffd = -1;
        struct timespec ts, *timeout = NULL;
 
+       if (unveil(confname, "r") == -1)
+               err(1, "unveil");
+
+       if (unveil("/usr/sbin/rebound", "x") == -1)
+               err(1, "unveil");
+
        if (pledge("stdio rpath proc exec", NULL) == -1)
                err(1, "pledge");
 
Index: usr.sbin/sensorsd/sensorsd.c
===================================================================
RCS file: /cvs/src/usr.sbin/sensorsd/sensorsd.c,v
retrieving revision 1.61
diff -u -p -u -r1.61 sensorsd.c
--- usr.sbin/sensorsd/sensorsd.c        20 Mar 2017 15:31:23 -0000      1.61
+++ usr.sbin/sensorsd/sensorsd.c        28 Jul 2018 14:32:26 -0000
@@ -114,6 +114,11 @@ main(int argc, char *argv[])
        int              ch, check_period = CHECK_PERIOD;
        const char      *errstr;
 
+       if (unveil("/etc/sensorsd.conf", "r") == -1)
+               err(1, "unveil");
+       if (unveil("/", "x") == -1)
+               err(1, "unveil");
+
        if (pledge("stdio rpath proc exec", NULL) == -1)
                err(1, "pledge");
 
Index: usr.sbin/spamdb/spamdb.c
===================================================================
RCS file: /cvs/src/usr.sbin/spamdb/spamdb.c,v
retrieving revision 1.36
diff -u -p -u -r1.36 spamdb.c
--- usr.sbin/spamdb/spamdb.c    26 Jul 2018 19:33:20 -0000      1.36
+++ usr.sbin/spamdb/spamdb.c    29 Jul 2018 19:41:57 -0000
@@ -360,6 +360,9 @@ main(int argc, char **argv)
        if (action == 0 && type != WHITE)
                usage();
 
+       if (unveil(PATH_SPAMD_DB, "rw") == -1)
+               err(1, "unveil");
+
        memset(&hashinfo, 0, sizeof(hashinfo));
        db = dbopen(PATH_SPAMD_DB, O_EXLOCK | (action ? O_RDWR : O_RDONLY),
            0600, DB_HASH, &hashinfo);
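Review bot: `unveil(PATH_SPAMD_DB, "rw")` grants write access even when `action == 0`, although the `dbopen` call right below opens read-only in that case (`action ? O_RDWR : O_RDONLY`); mirror it with `if (unveil(PATH_SPAMD_DB, action ? "rw" : "r") == -1)`. No pledge or `unveil(NULL, NULL)` appears in the hunk to lock the veil — confirm one follows. main() continues outside the hunk.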
Index: usr.sbin/syslogd/privsep.c
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/privsep.c,v
retrieving revision 1.68
diff -u -p -u -r1.68 privsep.c
--- usr.sbin/syslogd/privsep.c  26 Apr 2018 13:40:09 -0000      1.68
+++ usr.sbin/syslogd/privsep.c  12 Jul 2018 16:18:13 -0000
@@ -184,7 +184,17 @@ priv_exec(char *conf, int numeric, int c
        if (pw == NULL)
                errx(1, "unknown user _syslogd");
 
-       if (pledge("stdio rpath wpath cpath dns sendfd id proc exec",
+       if (unveil(conf, "r") == -1)
+               err(1, "unveil");
+       if (unveil(_PATH_UTMP, "r") == -1)
+               err(1, "unveil");
+       if (unveil("/dev", "rw") == -1)
+               err(1, "unveil");
+       if (unveil("/bin/sh", "x") == -1)
+               err(1, "unveil");
+//     if (unveil("/var", "rw") == -1)
+//             err(1, "unveil");
+       if (pledge("stdio unveil rpath wpath cpath dns sendfd id proc exec",
            NULL) == -1)
                err(1, "pledge priv");
 
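Review bot: Two commented-out lines (`//     if (unveil("/var", "rw") == -1)`) are left in the new code; either drop them or replace them with a comment explaining that log files are unveiled individually later (see check_log_name) rather than the whole of `/var`. `"/bin/sh"` is a literal whereas vipw.c in this series uses `_PATH_BSHELL`; use the <paths.h> name here too. priv_exec() continues outside the hunk.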
@@ -312,6 +322,9 @@ priv_exec(char *conf, int numeric, int c
                        break;
 
                case PRIV_DONE_CONFIG_PARSE:
+                       if (pledge("stdio rpath wpath cpath dns sendfd id proc 
exec",
+                           NULL) == -1)
+                               err(1, "pledge done config");
                        log_debug("[priv]: msg PRIV_DONE_CONFIG_PARSE "
                            "received");
                        increase_state(STATE_RUNNING);
@@ -554,6 +567,8 @@ check_log_name(char *lognam, size_t logs
                        err(1, "check_log_name() malloc");
                strlcpy(lg->path, lognam, PATH_MAX);
                TAILQ_INSERT_TAIL(&lognames, lg, next);
+               if (unveil(lognam, "w") == -1)
+                       errx(1, "unveil");
                break;
        case STATE_RUNNING:
                TAILQ_FOREACH(lg, &lognames, next)
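Review bot: `errx(1, "unveil");` after the new `unveil(lognam, "w")` discards the errno that says why the log path could not be unveiled; the other unveil checks in this diff use err(3), and `err(1, "unveil %s", lognam)` would also name the offending path. `"w"` without `"c"` assumes the log file already exists, which matches syslogd not creating log files if that holds — confirm. check_log_name() continues outside the hunk.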
Index: usr.sbin/vipw/vipw.c
===================================================================
RCS file: /cvs/src/usr.sbin/vipw/vipw.c,v
retrieving revision 1.21
diff -u -p -u -r1.21 vipw.c
--- usr.sbin/vipw/vipw.c        12 Jul 2017 23:10:28 -0000      1.21
+++ usr.sbin/vipw/vipw.c        28 Jul 2018 12:58:08 -0000
@@ -34,6 +34,7 @@
 
 #include <err.h>
 #include <fcntl.h>
+#include <paths.h>
 #include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -49,6 +50,7 @@ main(int argc, char *argv[])
        int pfd, tfd;
        struct stat begin, end;
        int ch;
+       char* editor;
 
        while ((ch = getopt(argc, argv, "")) != -1) {
                switch (ch) {
@@ -61,6 +63,24 @@ main(int argc, char *argv[])
 
        if (argc != 0)
                usage();
+
+       if ((editor = getenv("EDITOR")) == NULL)
+               editor = _PATH_VI;
+
+       if (unveil(_PATH_MASTERPASSWD_LOCK, "wc") == -1)
+               err(1, "unveil");
+
+       if (unveil(_PATH_MASTERPASSWD, "r") == -1)
+               err(1, "unveil");
+
+       if (unveil(editor, "x") == -1)
+               err(1, "unveil");
+
+       if (unveil(_PATH_BSHELL, "x") == -1)
+               err(1, "unveil");
+
+       if (unveil(_PATH_PWD_MKDB, "x") == -1)
+               err(1, "unveil");
 
        if (pledge("stdio rpath wpath cpath fattr proc exec", NULL) == -1)
                err(1, "pledge");
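Review bot: `char* editor;` should be `char *editor;` to match the file's pointer-declaration style. `getenv("EDITOR")` may hold a command with arguments or a bare program name found via PATH, and unveiling that string as-is with `"x"` would then fail or unveil the wrong path; the value should be resolved the same way the editor is later executed — confirm against the pw_edit(3) path. main() continues outside the hunk.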
Index: usr.sbin/vmctl/main.c
===================================================================
RCS file: /cvs/src/usr.sbin/vmctl/main.c,v
retrieving revision 1.39
diff -u -p -u -r1.39 main.c
--- usr.sbin/vmctl/main.c       12 Jul 2018 14:53:37 -0000      1.39
+++ usr.sbin/vmctl/main.c       29 Jul 2018 19:42:05 -0000
@@ -45,7 +45,15 @@ static int            tty_autoconnect = 0;
 __dead void     usage(void);
 __dead void     ctl_usage(struct ctl_command *);
 
+int             vmmaction(struct parse_result *);
 int             vmm_action(struct parse_result *);
+int             parse_ifs(struct parse_result *, char *, int);
+int             parse_network(struct parse_result *, char *);
+int             parse_size(struct parse_result *, char *, long long);
+int             parse_disk(struct parse_result *, char *);
+int             parse_vmid(struct parse_result *, char *, int);
+void            parse_free(struct parse_result *);
+int             parse(int, char *[]);
 
 int             ctl_console(struct parse_result *, int, char *[]);
 int             ctl_create(struct parse_result *, int, char *[]);
@@ -158,9 +166,14 @@ parse(int argc, char *argv[])
        res.action = ctl->action;
        res.ctl = ctl;
 
+       if (unveil(SOCKET_NAME, "r") == -1)
+               err(1, "unveil");
+
        if (!ctl->has_pledge) {
                /* pledge(2) default if command doesn't have its own pledge */
-               if (pledge("stdio rpath exec unix getpw", NULL) == -1)
+               if (unveil(VMCTL_CU, "x") == -1)
+                       err(1, "unveil");
+               if (pledge("stdio rpath exec unix getpw unveil", NULL) == -1)
                        err(1, "pledge");
        }
        if (ctl->main(&res, argc, argv) != 0)
@@ -477,6 +490,10 @@ ctl_create(struct parse_result *res, int
 
        paths[0] = argv[1];
        paths[1] = NULL;
+
+       if (unveil(paths[0], "rwc") == -1)
+               err(1, "unveil");
+
        if (pledge("stdio rpath wpath cpath", NULL) == -1)
                err(1, "pledge");
        argc--;
