On Wed, Aug 28, 2019 at 12:03:07PM -0600, Theo de Raadt wrote:
> ping and traceroute are setuid programs, so increased access-reduction
> features are worthwhile.
>
> they can both lock their filesystem visibility to "readonly" very early on.
>
> the attack model being prevented against is very obscure. it imagines a
> bug in something between start-of-program and call-to-pledge (which
> entirely removes filesystem access). implying a getaddrinfo related
> bug. meanwhile, there is privdrop as another protection.
>
> these still feel like improvements.
I think so too. Restricting filesystem access early here only helps. OK brynet@ > Index: usr.sbin/traceroute/traceroute.c > =================================================================== > RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v > retrieving revision 1.161 > diff -u -p -u -r1.161 traceroute.c > --- usr.sbin/traceroute/traceroute.c 28 Jun 2019 13:32:51 -0000 1.161 > +++ usr.sbin/traceroute/traceroute.c 27 Aug 2019 17:56:56 -0000 > @@ -327,6 +327,12 @@ main(int argc, char *argv[]) > uid_t ouid, uid; > gid_t gid; > > + /* Cannot pledge due to special setsockopt()s below */ > + if (unveil("/", "r") == -1) > + err(1, "unveil"); > + if (unveil(NULL, NULL) == -1) > + err(1, "unveil"); > + > if ((conf = calloc(1, sizeof(*conf))) == NULL) > err(1,NULL); > > Index: sbin/ping/ping.c > =================================================================== > RCS file: /cvs/src/sbin/ping/ping.c,v > retrieving revision 1.237 > diff -u -p -u -r1.237 ping.c > --- sbin/ping/ping.c 20 Jul 2019 00:49:54 -0000 1.237 > +++ sbin/ping/ping.c 27 Aug 2019 17:56:17 -0000 > @@ -264,6 +264,12 @@ main(int argc, char *argv[]) > u_int rtableid = 0; > extern char *__progname; > > + /* Cannot pledge due to special setsockopt()s below */ > + if (unveil("/", "r") == -1) > + err(1, "unveil"); > + if (unveil(NULL, NULL) == -1) > + err(1, "unveil"); > + > if (strcmp("ping6", __progname) == 0) { > v6flag = 1; > maxpayload = MAXPAYLOAD6; > >
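Review bot: In the traceroute.c hunk, the comment "Cannot pledge due to special setsockopt()s below" reads as if traceroute never pledges at all, whereas the quoted message above describes a later call-to-pledge that removes filesystem access entirely; "Cannot pledge yet: the setsockopt()s below need more than pledge allows, so lock the filesystem read-only with unveil for now" would tell a reader that unveil("/", "r") is only the stopgap for the window before pledge. The placement is right: both unveil() calls come before the calloc() and before any argument handling, so the whole pre-pledge path, including the getaddrinfo() path the attack model above is concerned with, already runs with a read-only view of the filesystem. Because unveil(NULL, NULL) locks the unveil set, any later unveil() call in the program would fail and any write to a path between here and the pledge would be denied; the hunk shows no such code, so this only needs to hold for the code it does not show.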
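Review bot: In the ping.c hunk, the same wording point applies to the comment "Cannot pledge due to special setsockopt()s below": say "cannot pledge yet", since the message above says the program pledges later and this unveil only covers the start-of-program window. Placing the calls before the strcmp("ping6", __progname) check is the right choice, as it gives the ping6 personality the same read-only filesystem view rather than leaving it to a later branch. The two identical err(1, "unveil") messages make it impossible to tell from the error output which of the two calls failed; distinguishing them (for example err(1, "unveil /") for the first) would cost nothing and help when debugging.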