author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2016-09-01 00:21:37 +0000 |
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2016-09-01 00:21:37 +0000 |
commit | d1b15db66bfccd488e8f2b44f78b10a82130b284 (patch) | |
tree | b1debe60ba2b1b44d5fa5a01a570d6a15c7e0c97 /usr.sbin/acme-client | |
parent | 45dc68e0a5bc4baedd4a5b2ebf32aac2e9b2012b (diff) |
Collapse krazy abstractions for other sandbox models, using chroot and
pledge directly as needed.
ok florian
Diffstat (limited to 'usr.sbin/acme-client')
-rw-r--r-- | usr.sbin/acme-client/Makefile | 4 | ||||
-rw-r--r-- | usr.sbin/acme-client/acctproc.c | 13 | ||||
-rw-r--r-- | usr.sbin/acme-client/certproc.c | 13 | ||||
-rw-r--r-- | usr.sbin/acme-client/chngproc.c | 16 | ||||
-rw-r--r-- | usr.sbin/acme-client/dnsproc.c | 21 | ||||
-rw-r--r-- | usr.sbin/acme-client/extern.h | 9 | ||||
-rw-r--r-- | usr.sbin/acme-client/fileproc.c | 19 | ||||
-rw-r--r-- | usr.sbin/acme-client/keyproc.c | 13 | ||||
-rw-r--r-- | usr.sbin/acme-client/main.c | 14 | ||||
-rw-r--r-- | usr.sbin/acme-client/netproc.c | 14 | ||||
-rw-r--r-- | usr.sbin/acme-client/revokeproc.c | 13 | ||||
-rw-r--r-- | usr.sbin/acme-client/sandbox-pledge.c | 83 | ||||
-rw-r--r-- | usr.sbin/acme-client/util-pledge.c | 65 |
13 files changed, 57 insertions, 240 deletions
diff --git a/usr.sbin/acme-client/Makefile b/usr.sbin/acme-client/Makefile
index 6d373e561cb..5df53d61b55 100644
--- a/usr.sbin/acme-client/Makefile
+++ b/usr.sbin/acme-client/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.3 2016/08/31 22:28:23 florian Exp $
+# $OpenBSD: Makefile,v 1.4 2016/09/01 00:21:36 deraadt Exp $
 PROG= acme-client
 SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c
 SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c
-SRCS+= revokeproc.c rsa.c sandbox-pledge.c util-pledge.c util.c
+SRCS+= revokeproc.c rsa.c util.c
 MAN= acme-client.1
 LDADD= -ltls -lssl -lcrypto
diff --git a/usr.sbin/acme-client/acctproc.c b/usr.sbin/acme-client/acctproc.c
index dc1189cae8d..2559c43ede4 100644
--- a/usr.sbin/acme-client/acctproc.c
+++ b/usr.sbin/acme-client/acctproc.c
@@ -1,4 +1,4 @@
-/* $Id: acctproc.c,v 1.3 2016/08/31 23:52:30 benno Exp $ */
+/* $Id: acctproc.c,v 1.4 2016/09/01 00:21:36 deraadt Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -348,17 +348,12 @@ acctproc(int netsock, const char *acctkey, int newacct)
 /* File-system, user, and sandbox jailing. */
- if ( ! sandbox_before())
- goto out;
-
 ERR_load_crypto_strings();
- if ( ! dropfs(PATH_VAR_EMPTY))
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio", NULL) == -1) {
+ warn("pledge");
 goto out;
+ }
 /*
 * Seed our PRNG with data from arc4random().
diff --git a/usr.sbin/acme-client/certproc.c b/usr.sbin/acme-client/certproc.c
index a75112b84ee..b005f647566 100644
--- a/usr.sbin/acme-client/certproc.c
+++ b/usr.sbin/acme-client/certproc.c
@@ -1,4 +1,4 @@
-/* $Id: certproc.c,v 1.3 2016/08/31 23:53:58 benno Exp $ */
+/* $Id: certproc.c,v 1.4 2016/09/01 00:21:36 deraadt Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
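Review bot: The context comment `/* File-system, user, and sandbox jailing. */` kept above the new pledge() call in acctproc no longer describes the code, which now only pledges "stdio"; the file-system and user steps it refers to were no-ops for this process anyway (the deleted dropfs() only chrooted the challenge and file processes, and dropprivs() unconditionally returned 1). Suggest replacing it with `/* Sandbox: pledge(2) down to stdio. */`. The same stale comment survives in the certproc, keyproc and revokeproc hunks, and as `/* Jail: sandbox, file-system, user. */` in the second main.c hunk. acctproc() starts before and continues after the hunk, so whether <unistd.h> and <err.h> are already included for pledge() and warn() cannot be seen here.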
@@ -104,17 +104,12 @@ certproc(int netsock, int filesock)
 /* File-system and sandbox jailing. */
- if ( ! sandbox_before())
- goto out;
-
 ERR_load_crypto_strings();
- if ( ! dropfs(PATH_VAR_EMPTY))
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio", NULL) == -1) {
+ warn("pledge");
 goto out;
+ }
 /* Read what the netproc wants us to do. */
diff --git a/usr.sbin/acme-client/chngproc.c b/usr.sbin/acme-client/chngproc.c
index f7c11e2306c..55aae1cbe0c 100644
--- a/usr.sbin/acme-client/chngproc.c
+++ b/usr.sbin/acme-client/chngproc.c
@@ -1,4 +1,4 @@
-/* $Id: chngproc.c,v 1.2 2016/08/31 22:49:09 benno Exp $ */
+/* $Id: chngproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -47,14 +47,18 @@ chngproc(int netsock, const char *root, int remote)
 fs = NULL;
 fsz = 0;
- /* File-system and sandbox jailing. */
-
- if ( ! sandbox_before())
+ if (chroot(root) == -1) {
+ warn("chroot");
 goto out;
- else if ( ! dropfs(root))
+ }
+ if (chdir("/") == -1) {
+ warn("chdir");
 goto out;
- else if ( ! sandbox_after())
+ }
+ if (pledge("stdio cpath wpath", NULL) == -1) {
+ warn("pledge");
 goto out;
+ }
 /*
 * Loop while we wait to get a thumbprint and token.
diff --git a/usr.sbin/acme-client/dnsproc.c b/usr.sbin/acme-client/dnsproc.c
index 50b808237a5..56c167eea92 100644
--- a/usr.sbin/acme-client/dnsproc.c
+++ b/usr.sbin/acme-client/dnsproc.c
@@ -1,4 +1,4 @@
-/* $Id: dnsproc.c,v 1.2 2016/08/31 22:49:09 benno Exp $ */
+/* $Id: dnsproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
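Review bot: The new `warn("chroot")` in chngproc drops the directory from the diagnostic that the deleted dropfs() printed as `warn("%s: chroot", path)`, so an operator whose `root` directory is missing or unreadable no longer learns which path was tried; `warn("%s: chroot", root);` keeps that, and the same applies to `warn("chroot")` in the fileproc hunk with `certdir`. Nothing in the hunk changes the uid after the chroot (the removed dropprivs() simply returned 1), so the `pledge("stdio cpath wpath", NULL)` line is the effective boundary for this process rather than the chroot alone; a short comment stating that would stop the next reader from inferring a privilege drop that is not there. chngproc() starts before and continues after the hunk.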
@@ -127,23 +127,10 @@ dnsproc(int nfd)
 look = last = NULL;
 vsz = 0;
- /*
- * Why don't we chroot() here?
- * On OpenBSD, the pledge(2) takes care of our constraining the
- * environment to DNS resolution only, so the chroot(2) is
- * unnecessary.
- * On Mac OS X, we can't chroot(2): we'd need to have an mdns
- * responder thing in each jail.
- * On Linux, forget it. getaddrinfo(2) pulls on all sorts of
- * mystery meat.
- */
-
- if ( ! sandbox_before())
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio dns", NULL) == -1) {
+ warn("pledge");
 goto out;
+ }
 /*
 * This is simple: just loop on a request operation, and each
diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h
index eed991c7a0d..c2085266874 100644
--- a/usr.sbin/acme-client/extern.h
+++ b/usr.sbin/acme-client/extern.h
@@ -1,4 +1,4 @@
-/* $Id: extern.h,v 1.2 2016/08/31 22:49:09 benno Exp $ */
+/* $Id: extern.h,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -245,13 +245,6 @@ char *json_fmt_thumb_rsa(const char *, const char *);
 char *json_fmt_signed(const char *, const char *, const char *, const char *);
-int dropprivs(void);
-int dropfs(const char *);
-int checkprivs(void);
-
-int sandbox_after(void);
-int sandbox_before(void);
-
 /*
 * Should we print debugging messages?
 */
diff --git a/usr.sbin/acme-client/fileproc.c b/usr.sbin/acme-client/fileproc.c
index 29b681fa2dd..20da2381b7c 100644
--- a/usr.sbin/acme-client/fileproc.c
+++ b/usr.sbin/acme-client/fileproc.c
@@ -1,4 +1,4 @@
-/* $Id: fileproc.c,v 1.2 2016/08/31 23:00:17 benno Exp $ */
+/* $Id: fileproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
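Review bot: The deleted block comment in dnsproc was the only place recording why this process, unlike chngproc and fileproc, is not chrooted; dropping the Mac OS X and Linux remarks along with the portability layer is fine, but the OpenBSD rationale goes with them and the bare `pledge("stdio dns", NULL)` that remains does not explain itself. A one-liner above it such as `/* No chroot(2) here: pledge(2) "dns" already limits us to resolution. */` keeps that design note. dnsproc() starts before and continues after the hunk.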
@@ -81,12 +81,23 @@ fileproc(int certsock, int backup, const char *certdir)
 /* File-system and sandbox jailing. */
- if ( ! sandbox_before())
+ if (chroot(certdir) == -1) {
+ warn("chroot");
 goto out;
- else if ( ! dropfs(certdir))
+ }
+ if (chdir("/") == -1) {
+ warn("chdir");
 goto out;
- else if ( ! sandbox_after())
+ }
+
+ /*
+ * rpath and cpath for rename, wpath and cpath for
+ * writing to the temporary.
+ */
+ if (pledge("stdio cpath wpath rpath", NULL) == -1) {
+ warn("pledge");
 goto out;
+ }
 /* Read our operation. */
diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c
index 0013ce549cd..001064637a1 100644
--- a/usr.sbin/acme-client/keyproc.c
+++ b/usr.sbin/acme-client/keyproc.c
@@ -1,4 +1,4 @@
-/* $Id: keyproc.c,v 1.2 2016/08/31 23:25:10 benno Exp $ */
+/* $Id: keyproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -116,17 +116,12 @@ keyproc(int netsock, const char *keyfile,
 /* File-system, user, and sandbox jail. */
- if ( ! sandbox_before())
- goto out;
-
 ERR_load_crypto_strings();
- if ( ! dropfs(PATH_VAR_EMPTY))
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio", NULL) == -1) {
+ warn("pledge");
 goto out;
+ }
 /*
 * Seed our PRNG with data from arc4random().
diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c
index a9e943208e7..9d26cc145fc 100644
--- a/usr.sbin/acme-client/main.c
+++ b/usr.sbin/acme-client/main.c
@@ -1,4 +1,4 @@
-/* $Id: main.c,v 1.5 2016/09/01 00:03:39 benno Exp $ */
+/* $Id: main.c,v 1.6 2016/09/01 00:21:36 deraadt Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -172,7 +172,7 @@ main(int argc, char *argv[])
 argc--;
 argv++;
- if ( ! checkprivs())
+ if ( getuid() != 0)
 errx(EXIT_FAILURE, "must be run as root");
 /*
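Review bot: `if ( getuid() != 0)` in main() loses the reason the deleted checkprivs() carried in its body comment, `/* Needed for chroot(2) calls in dropfs(). */`, and that reason still holds because chngproc and fileproc now call chroot(2) directly; suggest `/* Root is required for the chroot(2) calls in chngproc and fileproc. */` above the check so it is not mistaken for a leftover. The space after the opening parenthesis is also out of step with the `if (pledge(...) == -1)` form the other hunks introduce; `if (getuid() != 0)` matches them. main() continues outside the hunk.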
@@ -437,14 +437,10 @@ main(int argc, char *argv[])
 /* Jail: sandbox, file-system, user. */
- if ( ! sandbox_before())
- exit(EXIT_FAILURE);
- else if ( ! dropfs(PATH_VAR_EMPTY))
- exit(EXIT_FAILURE);
- else if ( ! dropprivs())
- exit(EXIT_FAILURE);
- else if ( ! sandbox_after())
+ if (pledge("stdio", NULL) == -1) {
+ warn("pledge");
 exit(EXIT_FAILURE);
+ }
 /*
 * Collect our subprocesses.
diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c
index 0a81f765a4d..9fe5453d420 100644
--- a/usr.sbin/acme-client/netproc.c
+++ b/usr.sbin/acme-client/netproc.c
@@ -1,4 +1,4 @@
-/* $Id: netproc.c,v 1.3 2016/08/31 23:36:16 benno Exp $ */
+/* $Id: netproc.c,v 1.4 2016/09/01 00:21:36 deraadt Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -600,16 +600,10 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
 url = cert = thumb = NULL;
 chngs = NULL;
- /* File-system, user, and sandbox jail. */
-
- if ( ! sandbox_before())
- goto out;
- else if ( ! dropfs(PATH_VAR_EMPTY))
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio inet", NULL) == -1) {
+ warn("pledge");
 goto out;
+ }
 /*
 * Wait until the acctproc, keyproc, and revokeproc have started
diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c
index 20423ba8d16..b5189560f7f 100644
--- a/usr.sbin/acme-client/revokeproc.c
+++ b/usr.sbin/acme-client/revokeproc.c
@@ -1,4 +1,4 @@
-/* $Id: revokeproc.c,v 1.4 2016/08/31 23:41:23 benno Exp $ */
+/* $Id: revokeproc.c,v 1.5 2016/09/01 00:21:36 deraadt Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
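Review bot: `pledge("stdio inet", NULL)` in netproc grants no rpath, so every file the TLS client needs, the CA bundle in particular, must already be loaded by the time this line runs; nothing in the hunk shows where that happens, and if the http/tls setup reads it lazily at connect time the process would be killed for the pledge violation rather than fail gracefully, so this is worth confirming against the tls configuration code. A comment on the pledge line recording that assumption, e.g. `/* CA bundle already loaded: no rpath from here on. */`, would make the ordering constraint visible. netproc() starts before and continues after the hunk.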
@@ -141,17 +141,12 @@ revokeproc(int fd, const char *certdir, int force, int revocate,
 /* File-system and sandbox jailing. */
- if ( ! sandbox_before())
- goto out;
-
 ERR_load_crypto_strings();
- if ( ! dropfs(PATH_VAR_EMPTY))
- goto out;
- else if ( ! dropprivs())
- goto out;
- else if ( ! sandbox_after())
+ if (pledge("stdio", NULL) == -1) {
+ warn("pledge");
 goto out;
+ }
 /*
 * If we couldn't open the certificate, it doesn't exist so we
diff --git a/usr.sbin/acme-client/sandbox-pledge.c b/usr.sbin/acme-client/sandbox-pledge.c
deleted file mode 100644
index 88b5a263a9c..00000000000
--- a/usr.sbin/acme-client/sandbox-pledge.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/* $Id: sandbox-pledge.c,v 1.2 2016/08/31 23:46:34 benno Exp $ */
-/*
- * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#ifdef HAVE_CONFIG_H
-# include "config.h"
-#endif
-
-#include <err.h>
-#include <errno.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "extern.h"
-
-int
-sandbox_before(void)
-{
-
- return(1);
-}
-
-int
-sandbox_after(void)
-{
-
- switch (proccomp) {
- case (COMP_ACCOUNT):
- case (COMP_CERT):
- case (COMP_KEY):
- case (COMP_REVOKE):
- case (COMP__MAX):
- if (-1 == pledge("stdio", NULL)) {
- warn("pledge");
- return(0);
- }
- break;
- case (COMP_CHALLENGE):
- if (-1 == pledge("stdio cpath wpath", NULL)) {
- warn("pledge");
- return(0);
- }
- break;
- case (COMP_DNS):
- if (-1 == pledge("stdio dns", NULL)) {
- warn("pledge");
- return(0);
- }
- break;
- case (COMP_FILE):
- /*
- * Rpath and cpath for rename, wpath and cpath for
- * writing to the temporary.
- */
- if (-1 == pledge("stdio cpath wpath rpath", NULL)) {
- warn("pledge");
- return(0);
- }
- break;
- case (COMP_NET):
- if (-1 == pledge("stdio inet", NULL)) {
- warn("pledge");
- return(0);
- }
- break;
- }
- return(1);
-}
diff --git a/usr.sbin/acme-client/util-pledge.c b/usr.sbin/acme-client/util-pledge.c
deleted file mode 100644
index 6b5e78d9b34..00000000000
--- a/usr.sbin/acme-client/util-pledge.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/* $Id: util-pledge.c,v 1.1 2016/08/31 22:01:42 florian Exp $ */
-/*
- * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#ifdef HAVE_CONFIG_H
-# include "config.h"
-#endif
-
-#include <err.h>
-#include <unistd.h>
-
-#include "extern.h"
-
-int
-dropfs(const char *path)
-{
-
- /*
- * Only the challenge and file processes touch files within the
- * pledge, so only these need to be chrooted.
- */
-
- if (COMP_CHALLENGE != proccomp &&
- COMP_FILE != proccomp)
- return(1);
-
- if (-1 == chroot(path))
- warn("%s: chroot", path);
- else if (-1 == chdir("/"))
- warn("/: chdir");
- else
- return(1);
-
- return(0);
-}
-
-int
-checkprivs(void)
-{
-
- /* Needed for chroot(2) calls in dropfs(). */
-
- return(0 == getuid());
-}
-
-int
-dropprivs(void)
-{
-
- /* Don't need to drop privileges like this. */
-
- return(1);
-} |