It is not possible to unveil(2) all arguments passed to file(1), as this
would require walking *argv. Instead, we can unveil("/", "r") to permit
readonly access to the entire filesystem, while restricting all execute,
write, and create operations.

This only provides some additional early protection for the parent, as
the privsep magic(5) parser already pledged tightly.

It might be possible to use pledge instead, but since this process
doesn't do much more than opening files and passing descriptors, unveil
alone should be enough.

Needs the recent unveil(2) commit in -current by Bob Beck.

ok?

Index: file.c
===================================================================
RCS file: /cvs/src/usr.bin/file/file.c,v
retrieving revision 1.66
diff -u -p -u -r1.66 file.c
--- usr.bin/file/file.c 15 Jan 2018 19:45:51 -0000      1.66
+++ usr.bin/file/file.c 3 Jan 2019 23:07:41 -0000
@@ -168,6 +168,11 @@ main(int argc, char **argv)
        } else if (argc == 0)
                usage();
 
+       if (unveil("/", "r") == -1)
+               err(1, "unveil");
+       if (unveil(NULL, NULL) == -1)
+               err(1, "unveil");
+
        magicfp = NULL;
        if (geteuid() != 0 && !issetugid()) {
                home = getenv("HOME");
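Review bot: the unveil(NULL, NULL) call locks the unveil set immediately after unveil("/", "r"), before magicfp is set up and before the $HOME lookup in the following context lines, so any later unveil call in main() would fail; that matches the stated intent (read-only view of the whole tree, nothing else), but it is worth confirming that nothing after this point in main() needs its own unveil entry. Placing the hunk after the `argc == 0` / `usage()` check is right, since usage() exits before any restriction is needed. Minor: both failures report the identical `err(1, "unveil")`, so a failed lock is indistinguishable from a failed `/` unveil in the error output; if that matters for debugging, distinguish the second as e.g. `err(1, "unveil lock")`. Note also that "r" on "/" still permits path lookups and metadata reads everywhere, so the protection gained is exactly the blocking of write, create and execute that the message describes, nothing more.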
