this is actually good, I made it as minimal as possible so that it
wouldn't break for me, if it breaks for you we can start from there.
On 13:41 Sat 03 Nov , Matthieu Herrb wrote:
> On Fri, Nov 02, 2018 at 07:03:11PM +0000, Ricardo Mestre wrote:
> > Hi,
> >
> > Looking at pledging xenodm a little bit more I was able to run it with
> > the diff below across X restarts, with stock configuration.
> >
> > Please test it, if you have special configs better since most likely
> > this will break it but we need to know where and why and with that maybe
> > trim xenodm's bloat.
>
> Hi,
>
> xenodm crashes if one logs out from the first session that was
> created. the pldege() call in StartDisplay is too strict.
>
> I've not had time to fully figure out if this can be fixed. Iirc I
> tried when I did the initial work on adding pledge to xenodm and it's
> not possible because of the code that creates the auth cookie and
> chown()s it to _x11.
>
> I didn't have time yet to do a more serious testing of the session
> pledge.
>
> >
> > DisplayManager:
> > rpath: open(2) /etc/X11/xenodm/xenodm-config
> > cpath: unlink(2) d->authFile
> > proc: kill(2)
> >
> > Session:
> > rpath: open(2) /etc/fbtab
> > wpath/cpath: open(2) d->authFile
> > fattr: chmod(2) d->authFile
> > dns: sysctl(2) for name resolution
> > proc: kill(2)
> > exec: execve(2) /etc/X11/xenodm/TakeConsole
> > id: setuid(2)
> >
> > Index: dm.c
> > ===================================================================
> > RCS file: /cvs/xenocara/app/xenodm/xenodm/dm.c,v
> > retrieving revision 1.6
> > diff -u -p -u -r1.6 dm.c
> > --- dm.c 11 Jul 2018 16:57:04 -0000 1.6
> > +++ dm.c 31 Oct 2018 15:15:49 -0000
> > @@ -604,6 +604,10 @@ StartDisplay (struct display *d)
> > Debug ("pid: %d\n", pid);
> > d->pid = pid;
> > d->status = running;
> > +
> > + if (pledge("stdio rpath cpath proc", NULL) == -1)
> > + exit(OPENFAILED_DISPLAY);
> > +
> > break;
> > }
> > }
> > Index: session.c
> > ===================================================================
> > RCS file: /cvs/xenocara/app/xenodm/xenodm/session.c,v
> > retrieving revision 1.12
> > diff -u -p -u -r1.12 session.c
> > --- session.c 11 Jul 2018 20:28:41 -0000 1.12
> > +++ session.c 31 Oct 2018 15:15:49 -0000
> > @@ -378,6 +378,10 @@ StartClient (
> > default:
> > Debug ("StartSession, fork succeeded %d\n", pid);
> > *pidp = pid;
> > +
> > + if (pledge("stdio rpath wpath cpath fattr dns proc exec id", NULL) ==
> > -1)
> > + exit(25);
> > +
> > return 1;
> > }
> > }
> >
> > ----- End forwarded message -----
>
> --
> Matthieu Herrb
>
