summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRicardo Mestre <mestre@cvs.openbsd.org>2020-08-19 14:23:27 +0000
committerRicardo Mestre <mestre@cvs.openbsd.org>2020-08-19 14:23:27 +0000
commit8b61ea286be88c7e1ec1f6dc5ad18e3213c99228 (patch)
treef7ae32c1d7639bba4b802357847f3f88cb060e5b
parent3b4fd29a6e44d9175fd9721e96752dfdbe617d65 (diff)
add unveil(2) again
this allows reading from anywhere in the filesystem (in order to read the config file and those ones included from it), but also executing, which I missed from my last attempt, because it's required for "check script(s)". even though it's a broad permission, and the main proc cannot be pledged due to forbidden ioctls, then this at least prevents it from creating/writing/deleting files which is not required here. OK benno@ a long time ago
-rw-r--r--usr.sbin/relayd/relayd.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/relayd/relayd.c b/usr.sbin/relayd/relayd.c
index fc10929359f..d431e70e42b 100644
--- a/usr.sbin/relayd/relayd.c
+++ b/usr.sbin/relayd/relayd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.c,v 1.182 2019/09/15 19:23:29 rob Exp $ */
+/* $OpenBSD: relayd.c,v 1.183 2020/08/19 14:23:26 mestre Exp $ */
/*
* Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -223,6 +223,11 @@ main(int argc, char *argv[])
if (ps->ps_noaction == 0)
log_info("startup");
+ if (unveil("/", "rx") == -1)
+ err(1, "unveil");
+ if (unveil(NULL, NULL) == -1)
+ err(1, "unveil");
+
event_init();
signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);