Use unveil(2). These programs fit together in various strange ways,

so if a problem is encountered with this the whole set needs backout
and study.

8 files changed, 44 insertions, 15 deletions

diff --git a/sbin/fsck/fsck.c b/sbin/fsck/fsck.c
index ec7224e085b..7b6132032f4 100644
--- a/sbin/fsck/fsck.c
+++ b/sbin/fsck/fsck.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: fsck.c,v 1.38 2015/11/23 19:19:29 deraadt Exp $	*/
+/*	$OpenBSD: fsck.c,v 1.39 2018/09/24 21:26:00 deraadt Exp $	*/
 /*	$NetBSD: fsck.c,v 1.7 1996/10/03 20:06:30 christos Exp $	*/
 
 /*
@@ -39,6 +39,7 @@
 #include <sys/mount.h>
 #include <sys/queue.h>
 #include <sys/resource.h>
+#include <sys/stat.h>
 #include <sys/wait.h>
 
 #include <err.h>
@@ -106,6 +107,14 @@ main(int argc, char *argv[])
 	} else
 		warn("Can't get resource limit for data size");
 
+	checkroot();
+
+	if (unveil("/dev", "rw") == -1)
+		err(1, "unveil");
+	if (unveil(_PATH_FSTAB, "r") == -1)
+		err(1, "unveil");
+	if (unveil("/sbin", "x") == -1)
+		err(1, "unveil");
 	if (pledge("stdio rpath wpath disklabel proc exec", NULL) == -1)
 		err(1, "pledge");
 
diff --git a/sbin/fsck/fsutil.c b/sbin/fsck/fsutil.c
index 4246a6e8240..f0b88684058 100644
--- a/sbin/fsck/fsutil.c
+++ b/sbin/fsck/fsutil.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: fsutil.c,v 1.22 2015/09/27 05:25:00 guenther Exp $	*/
+/*	$OpenBSD: fsutil.c,v 1.23 2018/09/24 21:26:00 deraadt Exp $	*/
 /*	$NetBSD: fsutil.c,v 1.2 1996/10/03 20:06:31 christos Exp $	*/
 
 /*
@@ -53,6 +53,17 @@ extern char *__progname;
 
 static void vmsg(int, const char *, va_list);
 
+struct stat stslash;
+
+void
+checkroot(void)
+{
+	if (stat("/", &stslash) < 0) {
+		xperror("/");
+		printf("Can't stat root\n");
+	}
+}
+
 void
 setcdevname(const char *cd, const char *ocd, int pr)
 {
@@ -182,17 +193,12 @@ rawname(char *name)
 char *
 blockcheck(char *origname)
 {
-	struct stat stslash, stblock, stchar;
+	struct stat stblock, stchar;
 	char *newname, *raw;
 	struct fstab *fsp;
 	int retried = 0;
 
 	hot = 0;
-	if (stat("/", &stslash) < 0) {
-		xperror("/");
-		printf("Can't stat root\n");
-		return (origname);
-	}
 	newname = origname;
 retry:
 	if (stat(newname, &stblock) < 0)
diff --git a/sbin/fsck/fsutil.h b/sbin/fsck/fsutil.h
index a5b6b0b469b..01fd315dfba 100644
--- a/sbin/fsck/fsutil.h
+++ b/sbin/fsck/fsutil.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: fsutil.h,v 1.7 2014/10/08 16:27:53 deraadt Exp $	*/
+/*	$OpenBSD: fsutil.h,v 1.8 2018/09/24 21:26:00 deraadt Exp $	*/
 /*	$NetBSD: fsutil.h,v 1.3 1996/10/03 20:06:31 christos Exp $	*/
 
 /*
@@ -41,6 +41,7 @@ void panic(const char *, ...)
     __attribute__((__noreturn__,__format__(__printf__,1,2)));
 char *rawname(char *);
 char *unrawname(char *);
+void checkroot(void);
 char *blockcheck(char *);
 const char *cdevname(void);
 void setcdevname(const char *, const char *, int);
diff --git a/sbin/fsck_ext2fs/main.c b/sbin/fsck_ext2fs/main.c
index d40d5a351e5..b8610a60e08 100644
--- a/sbin/fsck_ext2fs/main.c
+++ b/sbin/fsck_ext2fs/main.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.27 2016/03/16 15:41:10 krw Exp $	*/
+/*	$OpenBSD: main.c,v 1.28 2018/09/24 21:26:02 deraadt Exp $	*/
 /*	$NetBSD: main.c,v 1.1 1997/06/11 11:21:50 bouyer Exp $	*/
 
 /*
@@ -65,6 +65,8 @@ main(int argc, char *argv[])
 	int ch;
 	int ret = 0;
 
+	checkroot();
+
 	sync();
 	skipclean = 1;
 	while ((ch = getopt(argc, argv, "b:dfm:npy")) != -1) {
diff --git a/sbin/fsck_ffs/main.c b/sbin/fsck_ffs/main.c
index 417ea542c3b..0f6b6f7ae28 100644
--- a/sbin/fsck_ffs/main.c
+++ b/sbin/fsck_ffs/main.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.51 2018/01/05 09:33:47 otto Exp $	*/
+/*	$OpenBSD: main.c,v 1.52 2018/09/24 21:26:02 deraadt Exp $	*/
 /*	$NetBSD: main.c,v 1.22 1996/10/11 20:15:48 thorpej Exp $	*/
 
 /*
@@ -67,6 +67,8 @@ main(int argc, char *argv[])
 	int ch;
 	int ret = 0;
 
+	checkroot();
+
 	sync();
 	skipclean = 1;
 	while ((ch = getopt(argc, argv, "dfpnNyYb:c:m:")) != -1) {
diff --git a/sbin/fsck_ffs/setup.c b/sbin/fsck_ffs/setup.c
index aa77994f094..0d2a9dcf574 100644
--- a/sbin/fsck_ffs/setup.c
+++ b/sbin/fsck_ffs/setup.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: setup.c,v 1.64 2018/01/05 09:33:47 otto Exp $	*/
+/*	$OpenBSD: setup.c,v 1.65 2018/09/24 21:26:02 deraadt Exp $	*/
 /*	$NetBSD: setup.c,v 1.27 1996/09/27 22:45:19 christos Exp $	*/
 
 /*
@@ -102,11 +102,15 @@ setup(char *dev, int isfsdb)
 		strlcpy(rdevname, realdev, sizeof(rdevname));
 		setcdevname(rdevname, dev, preen);
 
-		if (isfsdb || !hotroot())
+		if (isfsdb || !hotroot()) {
+			if (unveil("/dev", "rw") == -1)
+				err(1, "unveil");
 			if (pledge("stdio rpath wpath getpw tty disklabel",
 			    NULL) == -1)
 				err(1, "pledge");
+		}
 	}
+
 	if (fstat(fsreadfd, &statb) < 0) {
 		printf("Can't stat %s: %s\n", realdev, strerror(errno));
 		close(fsreadfd);
diff --git a/sbin/fsck_msdos/check.c b/sbin/fsck_msdos/check.c
index bfe9450f2b1..a5d972d49f0 100644
--- a/sbin/fsck_msdos/check.c
+++ b/sbin/fsck_msdos/check.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: check.c,v 1.18 2015/10/14 16:58:55 deraadt Exp $	*/
+/*	$OpenBSD: check.c,v 1.19 2018/09/24 21:26:02 deraadt Exp $	*/
 /*	$NetBSD: check.c,v 1.8 1997/10/17 11:19:29 ws Exp $	*/
 
 /*
@@ -54,6 +54,9 @@ checkfilesys(const char *fname)
 	int i;
 	int mod = 0;
 
+	if (unveil("/dev", "rw") == -1)
+		err(1, "unveil");
+
 	rdonly = alwaysno;
 
 	dosfs = opendev(fname, rdonly ? O_RDONLY : O_RDWR, 0, &realdev);
diff --git a/sbin/fsck_msdos/main.c b/sbin/fsck_msdos/main.c
index 0f4d62123ab..0b6ed81b1a2 100644
--- a/sbin/fsck_msdos/main.c
+++ b/sbin/fsck_msdos/main.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.23 2016/05/28 18:00:42 tb Exp $	*/
+/*	$OpenBSD: main.c,v 1.24 2018/09/24 21:26:02 deraadt Exp $	*/
 /*	$NetBSD: main.c,v 1.8 1996/10/17 20:29:53 cgd Exp $	*/
 
 /*
@@ -57,6 +57,8 @@ main(int argc, char *argv[])
 {
 	int ch;
 
+	checkroot();
+
 	while ((ch = getopt(argc, argv, "pynf")) != -1) {
 		switch (ch) {
 		case 'f':