diff options
author | Ricardo Mestre <mestre@cvs.openbsd.org> | 2020-08-19 14:23:27 +0000 |
---|---|---|
committer | Ricardo Mestre <mestre@cvs.openbsd.org> | 2020-08-19 14:23:27 +0000 |
commit | 8b61ea286be88c7e1ec1f6dc5ad18e3213c99228 (patch) | |
tree | f7ae32c1d7639bba4b802357847f3f88cb060e5b | |
parent | 3b4fd29a6e44d9175fd9721e96752dfdbe617d65 (diff) |
add unveil(2) again
this allows reading from anywhere in the filesystem (in order to read the
config file and those ones included from it), but also executing, which I
missed from my last attempt, because it's required for "check script(s)".
even though it's a broad permission, and the main proc cannot be pledged due to
forbidden ioctls, then this at least prevents it from creating/writing/deleting
files which is not required here.
OK benno@ a long time ago
-rw-r--r-- | usr.sbin/relayd/relayd.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/relayd/relayd.c b/usr.sbin/relayd/relayd.c index fc10929359f..d431e70e42b 100644 --- a/usr.sbin/relayd/relayd.c +++ b/usr.sbin/relayd/relayd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relayd.c,v 1.182 2019/09/15 19:23:29 rob Exp $ */ +/* $OpenBSD: relayd.c,v 1.183 2020/08/19 14:23:26 mestre Exp $ */ /* * Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org> @@ -223,6 +223,11 @@ main(int argc, char *argv[]) if (ps->ps_noaction == 0) log_info("startup"); + if (unveil("/", "rx") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + event_init(); signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps); |