Re: disable fs access on ripd

Tue, 30 Oct 2018 09:50:24 -0700 

On Tue, Oct 30, 2018 at 03:20:35PM +0000, Ricardo Mestre wrote:
> Hi,
> 
> After all files are opened ripd(8) can have the fs access disabled just before
> each process main loop. Its 2 childs already run under chroot, but since they
> are still not pledged at least they have no way to read/write/create files 
> within
> the chroot. No loads or reloads of the config file happen through any signal,
> nor can we do it via ripctl(8).
> 
> I was able to run a simple daemon with the example file. Comments? OK?

control_cleanup() unlinks the control socket on exit. I think you should
either unveil(conf->csock, "c") or remove control_cleanup().

> 
> Index: rde.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ripd/rde.c,v
> retrieving revision 1.21
> diff -u -p -u -r1.21 rde.c
> --- rde.c     3 Sep 2016 10:28:08 -0000       1.21
> +++ rde.c     30 Oct 2018 15:09:44 -0000
> @@ -151,6 +151,11 @@ rde(struct ripd_conf *xconf, int pipe_pa
>               free(r);
>       }
>  
> +     if (unveil("/", "") == -1)
> +             fatal("unveil");
> +     if (unveil(NULL, NULL) == -1)
> +             fatal("unveil");
> +
>       event_dispatch();
>  
>       rde_shutdown();
> Index: ripd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ripd/ripd.c,v
> retrieving revision 1.30
> diff -u -p -u -r1.30 ripd.c
> --- ripd.c    3 Sep 2016 10:28:08 -0000       1.30
> +++ ripd.c    30 Oct 2018 15:09:44 -0000
> @@ -251,6 +251,11 @@ main(int argc, char *argv[])
>           conf->rdomain) == -1)
>               fatalx("kr_init failed");
>  
> +     if (unveil("/", "") == -1)
> +             fatal("unveil");
> +     if (unveil(NULL, NULL) == -1)
> +             fatal("unveil");
> +
>       event_dispatch();
>  
>       ripd_shutdown();
> Index: ripe.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ripd/ripe.c,v
> retrieving revision 1.22
> diff -u -p -u -r1.22 ripe.c
> --- ripe.c    3 Sep 2016 10:28:08 -0000       1.22
> +++ ripe.c    30 Oct 2018 15:09:44 -0000
> @@ -201,6 +201,11 @@ ripe(struct ripd_conf *xconf, int pipe_p
>  
>       ripe_imsg_compose_rde(IMSG_FULL_REQUEST, 0, 0, NULL, 0);
>  
> +     if (unveil("/", "") == -1)
> +             fatal("unveil");
> +     if (unveil(NULL, NULL) == -1)
> +             fatal("unveil");
> +
>       event_dispatch();
>  
>       ripe_shutdown();
>

Reply via email to