Hi,

I had a patch with pledge(2) quite a while ago, but my setup is too simple
and cannot test it enough, so at least we can have restricted read access to the
fs in relayd(8)'s main process through unveil(2).

Comments? OK?

Index: relayd.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v
retrieving revision 1.174
diff -u -p -u -r1.174 relayd.c
--- relayd.c    9 Sep 2018 21:06:51 -0000       1.174
+++ relayd.c    22 Apr 2019 23:36:43 -0000
@@ -222,6 +222,11 @@ main(int argc, char *argv[])
        if (ps->ps_noaction == 0)
                log_info("startup");
 
+       if (unveil("/", "r") == -1)
+               err(1, "unveil");
+       if (unveil(NULL, NULL) == -1)
+               err(1, "unveil");
+
        event_init();
 
        signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);
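
Review bot: the two added error paths in main() both report err(1, "unveil"), so a failure of unveil("/", "r") cannot be told apart from a failure of the locking unveil(NULL, NULL) call; distinct messages would make a startup failure easier to diagnose. The block sits right after log_info("startup"), which suggests the daemon reports through its log_* routines, so it is worth checking whether err() output to stderr is still visible at this point or whether the log layer's fatal path should be used instead. A short comment above the block would also help: "r" on "/" leaves the whole tree readable and only removes write, create and execute access for the parent process, and the reason the full tree is needed rather than specific paths is not stated in the code.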
