authorBryan Steele <brynet@cvs.openbsd.org>2018-08-26 18:26:52 +0000
committerBryan Steele <brynet@cvs.openbsd.org>2018-08-26 18:26:52 +0000
commitfe0b228694cde1e4c439d8f8271c03448388a1a2 (patch)
tree2ed3fe6aeba982643da67bfadec903a75e16d854 /sbin
parente842561a05cc84cb3ec4a84beafb37465722533e (diff)
Unveil pflogd(8). Similar to florian@'s recent changes to ifconfig(8),
the privileged parent cannot be pledged due to certain ioctls, but we can use unveil(2) to lock down its access to the filesystem. To be able to use hostnames/dns in tcpdump-like filter expressions, we unveil /etc/{resolv.conf,hosts,services} "r", kept in sync with the kernel bypass for pledge("dns"). Additionally, we need to unveil /dev/bpf "r" and the output log file "rwc". The unprivileged child is pledged "stdio recvfd" and thus does not need any unveils. With feedback/testing from florian@, deraadt@ ok florian@ deraadt@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pflogd/privsep.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/sbin/pflogd/privsep.c b/sbin/pflogd/privsep.c
index e0ea2026bd3..c0549727356 100644
--- a/sbin/pflogd/privsep.c
+++ b/sbin/pflogd/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.31 2018/08/26 18:24:46 brynet Exp $ */
+/* $OpenBSD: privsep.c,v 1.32 2018/08/26 18:26:51 brynet Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar
@@ -131,6 +131,19 @@ priv_init(int Pflag, int argc, char *argv[])
setproctitle("[priv]");
+ if (unveil("/etc/resolv.conf", "r") == -1)
+ err(1, "unveil");
+ if (unveil("/etc/hosts", "r") == -1)
+ err(1, "unveil");
+ if (unveil("/etc/services", "r") == -1)
+ err(1, "unveil");
+ if (unveil("/dev/bpf", "r") == -1)
+ err(1, "unveil");
+ if (unveil(filename, "rwc") == -1)
+ err(1, "unveil");
+ if (unveil(NULL, NULL) == -1)
+ err(1, "unveil");
+
#if 0
/* This needs to do bpf ioctl */
BROKEN if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == -1)
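Review bot: All six calls added after `setproctitle("[priv]")` report failure as a bare `err(1, "unveil")`, so a startup failure does not say which path was rejected; naming the path, e.g. `err(1, "unveil %s", filename);` for the log file and the literal path for the others, would make a bad log location diagnosable. The three /etc entries would also benefit from a comment such as `/* keep in sync with the kernel bypass for pledge("dns") */`, since that coupling is recorded only in the commit message. `filename` is not a parameter of priv_init, so it is presumably file-scope state set before this point. Because only that exact path is unveiled "rwc", it is worth confirming that the privileged parent never needs to create or rename sibling files next to the log after the final `unveil(NULL, NULL)`. priv_init's body starts and ends outside the hunk.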