In netproc process, unveil to only expose the CA file.

ok florian

3 files changed, 9 insertions, 5 deletions

diff --git a/usr.sbin/acme-client/http.c b/usr.sbin/acme-client/http.c
index 599f161437c..423c5e03311 100644
--- a/usr.sbin/acme-client/http.c
+++ b/usr.sbin/acme-client/http.c
@@ -1,4 +1,4 @@
-/*	$Id: http.c,v 1.21 2018/02/06 04:19:56 florian Exp $ */
+/*	$Id: http.c,v 1.22 2018/08/08 17:47:44 deraadt Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -35,8 +35,6 @@
 #include "http.h"
 #include "extern.h"
 
-#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
-
 /*
  * A buffer for transferring HTTP/S data.
  */
diff --git a/usr.sbin/acme-client/http.h b/usr.sbin/acme-client/http.h
index c648186d16f..df1a601c288 100644
--- a/usr.sbin/acme-client/http.h
+++ b/usr.sbin/acme-client/http.h
@@ -1,4 +1,4 @@
-/*	$Id: http.h,v 1.5 2017/01/25 13:52:53 inoguchi Exp $ */
+/*	$Id: http.h,v 1.6 2018/08/08 17:47:44 deraadt Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -61,6 +61,7 @@ struct	httpget {
 	size_t		 bodypartsz; /* size of bodypart */
 };
 
+#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
 int		 http_init(void);
 
 /* Convenience functions. */
diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c
index dd78580e852..a0f1afab915 100644
--- a/usr.sbin/acme-client/netproc.c
+++ b/usr.sbin/acme-client/netproc.c
@@ -1,4 +1,4 @@
-/*	$Id: netproc.c,v 1.16 2018/03/14 12:28:25 florian Exp $ */
+/*	$Id: netproc.c,v 1.17 2018/08/08 17:47:44 deraadt Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -612,6 +612,11 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
 	memset(&paths, 0, sizeof(struct capaths));
 	memset(&c, 0, sizeof(struct conn));
 
+	if (unveil(DEFAULT_CA_FILE, "r") == -1) {
+		warn("unveil");
+		goto out;
+	}
+
 	if (pledge("stdio inet rpath", NULL) == -1) {
 		warn("pledge");
 		goto out;