tighten the pledge for spamd, from Ricardo Mestre <serial@helheim.mooo.com>

this loads the tls certificate files pre-pledge then does the bulk of the tls
setup goo pledged.

1 files changed, 36 insertions, 27 deletions

diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c
index bdc22b9ec8d..aafe0cd440b 100644
--- a/libexec/spamd/spamd.c
+++ b/libexec/spamd/spamd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: spamd.c,v 1.135 2015/12/08 03:21:09 beck Exp $	*/
+/*	$OpenBSD: spamd.c,v 1.136 2015/12/10 16:06:29 beck Exp $	*/
 
 /*
  * Copyright (c) 2015 Henning Brauer <henning@openbsd.org>
@@ -111,7 +111,7 @@ char    *loglists(struct con *);
 void     getcaddr(struct con *);
 void     gethelo(char *, size_t, char *);
 int      read_configline(FILE *);
-void	 spamd_tls_init(char *, char *);
+void	 spamd_tls_init(void);
 void	 check_spamd_db(void);
 
 char hostname[HOST_NAME_MAX+1];
@@ -132,6 +132,12 @@ u_short cfg_port;
 u_short sync_port;
 struct tls_config *tlscfg;
 struct tls *tlsctx;
+uint8_t	*pubcert;
+size_t	 pubcertlen;
+uint8_t	*privkey;
+size_t	 privkeylen;
+char 	*tlskeyfile = NULL;
+char 	*tlscertfile = NULL;
 
 extern struct sdlist *blacklists;
 extern int pfdev;
@@ -433,11 +439,11 @@ read_configline(FILE *config)
 }
 
 void
-spamd_tls_init(char *keyfile, char *certfile)
+spamd_tls_init()
 {
-	if (keyfile == NULL && certfile == NULL)
+	if (tlskeyfile == NULL && tlscertfile == NULL)
 		return;
-	if (keyfile == NULL || certfile == NULL)
+	if (tlskeyfile == NULL || tlscertfile == NULL)
 		errx(1, "need key and certificate for TLS");
 
 	if (tls_init() != 0)
@@ -453,10 +459,10 @@ spamd_tls_init(char *keyfile, char *certfile)
 	if (tls_config_set_ciphers(tlscfg, "compat") != 0)
 		errx(1, "failed to set tls ciphers");
 
-	if (tls_config_set_cert_file(tlscfg, certfile) != 0)
-		err(1, "could not load certificate %s", certfile);
-	if (tls_config_set_key_file(tlscfg, keyfile) != 0)
-		err(1, "could not load key %s", keyfile);
+	if (tls_config_set_cert_mem(tlscfg, pubcert, pubcertlen) == -1)
+		errx(1, "unable to set TLS certificate file %s", tlscertfile);
+	if (tls_config_set_key_mem(tlscfg, privkey, privkeylen) == -1)
+		errx(1, "unable to set TLS key file %s", tlskeyfile);
 	if (tls_configure(tlsctx, tlscfg) != 0)
 		errx(1, "failed to configure TLS - %s", tls_error(tlsctx));
 
@@ -1227,8 +1233,6 @@ main(int argc, char *argv[])
 	const char *errstr;
 	char *sync_iface = NULL;
 	char *sync_baddr = NULL;
-	char *tlskeyfile = NULL;
-	char *tlscertfile = NULL;
 
 	tzset();
 	openlog_r("spamd", LOG_PID | LOG_NDELAY, LOG_DAEMON, &sdata);
@@ -1371,6 +1375,13 @@ main(int argc, char *argv[])
 	} else if (maxblack > maxcon)
 		usage();
 
+	if (tlscertfile &&
+		(pubcert=tls_load_file(tlscertfile, &pubcertlen, NULL)) == NULL)
+		errx(1, "unable to load TLS certificate file %s", tlscertfile);
+	if (tlskeyfile &&
+		(privkey=tls_load_file(tlskeyfile, &privkeylen, NULL)) == NULL)
+		errx(1, "unable to load TLS key file %s", tlskeyfile);
+
 	rlp.rlim_cur = rlp.rlim_max = maxcon + 15;
 	if (setrlimit(RLIMIT_NOFILE, &rlp) == -1)
 		err(1, "setrlimit");
@@ -1448,9 +1459,6 @@ main(int argc, char *argv[])
 
 		check_spamd_db();
 
-		if (pledge("stdio rpath wpath flock inet proc exec id", NULL) == -1)
-			err(1, "pledge");
-
 		maxblack = (maxblack >= maxcon) ? maxcon - 100 : maxblack;
 		if (maxblack < 0)
 			maxblack = 0;
@@ -1486,6 +1494,18 @@ main(int argc, char *argv[])
 				_exit(1);
 			}
 			close(trappipe[1]);
+
+			if (chroot("/var/empty") == -1 || chdir("/") == -1) {
+				syslog(LOG_ERR, "cannot chdir to /var/empty.");
+				exit(1);
+			}
+
+			if (pw)
+				if (setgroups(1, &pw->pw_gid) ||
+					setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
+					setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
+					err(1, "failed to drop privs");
+
 			goto jail;
 		}
 		/* parent - run greylister */
@@ -1506,22 +1526,11 @@ main(int argc, char *argv[])
 	}
 
 jail:
-	spamd_tls_init(tlskeyfile, tlscertfile);
-
-	if (chroot("/var/empty") == -1 || chdir("/") == -1) {
-		syslog(LOG_ERR, "cannot chdir to /var/empty.");
-		exit(1);
-	}
-
-	if (pw)
-		if (setgroups(1, &pw->pw_gid) ||
-		    setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
-		    setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
-			err(1, "failed to drop privs");
-
 	if (pledge("stdio inet", NULL) == -1)
 		err(1, "pledge");
 
+	spamd_tls_init();
+
 	if (listen(smtplisten, 10) == -1)
 		err(1, "listen");