Ted Unangst wrote:
> Bryan Steele wrote:
> > It is not possible to unveil(2) all arguments passed to file(1), as this
> > would require walking *argv. Instead, we can unveil("/", "r") to permit
> > readonly access to the entire filesystem, while restricting all execute,
> > write, and create operations.
> 
> Why not? Because of the limit? We can still try unveil up to a certain
> limit.
> 
> > This only provides some additional early protection for the parent, as
> > the privsep magic(5) parser already pledged tightly.
> > 
> > It might be possible to use pledge instead, but since this process
> > doesn't do much more than opening files and passing descriptors, unveil
> > alone should be enough.
> 
> I think if we want to enforce read only access, pledge is still the way to go.
> 
> This seems to work.

oops, forgot the error checking for some unveil calls. this is better.


Index: file.c
===================================================================
RCS file: /cvs/src/usr.bin/file/file.c,v
retrieving revision 1.66
diff -u -p -r1.66 file.c
--- file.c      15 Jan 2018 19:45:51 -0000      1.66
+++ file.c      4 Jan 2019 01:24:47 -0000
@@ -168,6 +168,19 @@ main(int argc, char **argv)
        } else if (argc == 0)
                usage();
 
+       if (argc < 64) {
+               if (unveil("/etc/magic", "r") == -1)
+                       err(1, "unveil");
+               for (idx = 0; idx < argc; idx++)
+                       if (unveil(argv[idx], "r") == -1)
+                               err(1, "unveil");
+               if (unveil(NULL, NULL) == -1)
+                       err(1, "unveil");
+       }
+
+       if (pledge("stdio rpath getpw recvfd sendfd id proc", NULL) == -1)
+               err(1, "pledge");
+
        magicfp = NULL;
        if (geteuid() != 0 && !issetugid()) {
                home = getenv("HOME");
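Review bot: the `if (argc < 64)` guard makes the unveil restriction silently disappear for invocations with 64 or more arguments: nothing is unveiled, no unveil(NULL, NULL) lock is applied, and the process keeps its full filesystem view without any diagnostic, so only the pledge below limits it in that case. A comment stating why 64 was chosen (and that the fallback is deliberate) would help, and a warning when the branch is skipped would make the downgrade visible. Separately, the unchanged context right after the hunk shows `home = getenv("HOME")` being consulted only after unveil(NULL, NULL) has locked the view; if a per-user file is opened from that path, it must be unveiled before the lock, otherwise the open fails once the unveil branch runs.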
