OK with me. I'll say it again: the unveils in here are misguided. Almost as misguided as the mmaps (which prevent large file transfer, and there are other problems...)
Claudio Jeker <cje...@diehard.n-r-g.com> wrote: > There is no need for cpath or the unveil of . in the rsync process. > That process just does fork+exec for rsync. > Removing the unveil pledge is the same as unveil(NULL, NULL) so skip that > too. > > OK? > -- > :wq Claudio > > Index: main.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v > retrieving revision 1.104 > diff -u -p -r1.104 main.c > --- main.c 22 Feb 2021 09:46:05 -0000 1.104 > +++ main.c 23 Feb 2021 10:42:24 -0000 > @@ -941,8 +941,7 @@ main(int argc, char *argv[]) > if (fchdir(cachefd) == -1) > err(1, "fchdir"); > > - if (pledge("stdio rpath cpath proc exec unveil", NULL) > - == -1) > + if (pledge("stdio rpath proc exec unveil", NULL) == -1) > err(1, "pledge"); > > proc_rsync(rsync_prog, bind_addr, fd[0]); > Index: rsync.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v > retrieving revision 1.18 > diff -u -p -r1.18 rsync.c > --- rsync.c 19 Feb 2021 08:14:49 -0000 1.18 > +++ rsync.c 23 Feb 2021 10:41:50 -0000 > @@ -160,13 +160,6 @@ proc_rsync(char *prog, char *bind_addr, > } else if (unveil(prog, "x") == -1) > err(1, "%s: unveil", prog); > > - /* Unveil the repository directory and terminate unveiling. */ > - > - if (unveil(".", "c") == -1) > - err(1, "unveil"); > - if (unveil(NULL, NULL) == -1) > - err(1, "unveil"); > - > if (pledge("stdio proc exec", NULL) == -1) > err(1, "pledge"); > >
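Review bot: In the main.c hunk, the new promise string still carries rpath, while proc_rsync() narrows to pledge("stdio proc exec", NULL) right after its unveil(prog, "x") call. If rpath is only needed for what proc_rsync() does before that second pledge, say so in a comment above this pledge; if nothing on that path reads the filesystem, drop rpath here together with cpath so the promise set matches the "just does fork+exec" description in the message.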
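Review bot: In the rsync.c hunk, with unveil(NULL, NULL) removed, nothing at the call site says that unveiling is terminated; it now depends on the following pledge("stdio proc exec", NULL) leaving out the unveil promise. Add a one-line comment above that pledge stating that it also ends unveiling, so a later edit that re-adds unveil to the promise string or moves the pledge does not silently leave the unveil list open.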