| author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2019-08-28 20:03:52 +0000 |
|---|---|---|
| committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2019-08-28 20:03:52 +0000 |
| commit | 2d01f53977fab7508200d47b547f1d34b50460d2 (patch) | |
| tree | 96d05f57614eb703afaadefe2e1b7619f195e8fc | |
| parent | d892054cb51088a2c066f1fc9f1e4beb0df51096 (diff) | |
At startup, unveil entire filesystem to read-only. If after privdrop, some
implausible bug existed in the socket setup (mostly dns-related and
setsockopt) it would be largely neutered. of course, a very restrictive
pledge is installed soon after that...
ok mestre brynet florian
| -rw-r--r-- | sbin/ping/ping.c | 8 |
|---|---|---|
| -rw-r--r-- | usr.sbin/traceroute/traceroute.c | 8 |

2 files changed, 14 insertions, 2 deletions
diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c index 21fbee06493..b1b6947b461 100644 --- a/sbin/ping/ping.c +++ b/sbin/ping/ping.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ping.c,v 1.237 2019/07/20 00:49:54 cheloha Exp $ */ +/* $OpenBSD: ping.c,v 1.238 2019/08/28 20:03:51 deraadt Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -264,6 +264,12 @@ main(int argc, char *argv[]) u_int rtableid = 0; extern char *__progname; + /* Cannot pledge due to special setsockopt()s below */ + if (unveil("/", "r") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + if (strcmp("ping6", __progname) == 0) { v6flag = 1; maxpayload = MAXPAYLOAD6; diff --git a/usr.sbin/traceroute/traceroute.c b/usr.sbin/traceroute/traceroute.c index b120620528f..d079e91b4f5 100644 --- a/usr.sbin/traceroute/traceroute.c +++ b/usr.sbin/traceroute/traceroute.c @@ -1,4 +1,4 @@ -/* $OpenBSD: traceroute.c,v 1.161 2019/06/28 13:32:51 deraadt Exp $ */ +/* $OpenBSD: traceroute.c,v 1.162 2019/08/28 20:03:51 deraadt Exp $ */ /* $NetBSD: traceroute.c,v 1.10 1995/05/21 15:50:45 mycroft Exp $ */ /* @@ -327,6 +327,12 @@ main(int argc, char *argv[]) uid_t ouid, uid; gid_t gid; + /* Cannot pledge due to special setsockopt()s below */ + if (unveil("/", "r") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + if ((conf = calloc(1, sizeof(*conf))) == NULL) err(1,NULL); |
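Review bot: in the ping.c hunk at `main()`, the comment `/* Cannot pledge due to special setsockopt()s below */` reads as if no pledge is ever applied, whereas the commit message says a very restrictive pledge is installed soon after the socket setup; suggest wording it as `/* Cannot pledge yet (special setsockopt()s below); unveil read-only until then */`. It would also help a future reader to note in that comment that `unveil("/", "r")` followed by `unveil(NULL, NULL)` removes write, create and exec access to every path for the remaining lifetime of the process, including after the later privilege drop, so that nobody later adds a file-writing feature to ping without revisiting this block. The error handling itself matches the existing style: both calls check for `-1` and bail through `err(1, "unveil")`.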
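Review bot: in the traceroute.c hunk, the ordering is the right one for the stated goal: the two `unveil()` calls run before the `ouid`/`uid`/`gid` privilege drop that follows, and since unveil state is per-process and is not lifted by a later setuid/setgid, the read-only view survives the privdrop exactly as the commit message intends; a one-line comment saying so would save the next reader from wondering whether the block should move after the drop. Two small points: the five lines are duplicated verbatim from ping.c, which is acceptable for two separate programs but worth keeping in sync if the comment wording changes, and the untouched context line `err(1,NULL);` lacks the space after the comma that the added `err(1, "unveil")` calls use, so the hunk now leaves two spacing styles side by side.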