author | Ricardo Mestre <mestre@cvs.openbsd.org> | 2019-04-30 17:05:16 +0000 |
---|---|---|
committer | Ricardo Mestre <mestre@cvs.openbsd.org> | 2019-04-30 17:05:16 +0000 |
commit | 7f1a8bec460a41a172fb21ffab33697ce8395c12 (patch) | |
tree | 707bfd165ffb416fabf2e45ff246035887730ae4 /usr.sbin | |
parent | 1788d9627b65762b4ae9f5f89110eaad145e423e (diff) |
Restrict filesystem access with unveil(2):
First it needs to open(2) `device' with read permissions, /dev/hotplug by
default but can be changed via arguments. Then it needs read/execute on both
_PATH_ETC_HOTPLUG_{ATTACH,DETACH} to access(2) and execl(3) them.
ok deraadt@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/hotplugd/hotplugd.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/usr.sbin/hotplugd/hotplugd.c b/usr.sbin/hotplugd/hotplugd.c
index 1b067b6ea33..f532f24d51a 100644
--- a/usr.sbin/hotplugd/hotplugd.c
+++ b/usr.sbin/hotplugd/hotplugd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hotplugd.c,v 1.14 2016/07/31 20:13:12 natano Exp $ */
+/* $OpenBSD: hotplugd.c,v 1.15 2019/04/30 17:05:15 mestre Exp $ */
 /*
 * Copyright (c) 2004 Alexander Yurchenko <grange@openbsd.org>
 *
@@ -61,9 +61,6 @@ main(int argc, char *argv[])
 struct sigaction sact;
 struct hotplug_event he;
- if (pledge("stdio rpath proc exec", NULL) == -1)
- err(1, "pledge");
-
 while ((ch = getopt(argc, argv, "d:")) != -1)
 switch (ch) {
 case 'd':
@@ -79,6 +76,15 @@ main(int argc, char *argv[])
 argv += optind;
 if (argc > 0)
 usage();
+
+ if (unveil(device, "r") == -1)
+ err(1, "unveil");
+ if (unveil(_PATH_ETC_HOTPLUG_ATTACH, "rx") == -1)
+ err(1, "unveil");
+ if (unveil(_PATH_ETC_HOTPLUG_DETACH, "rx") == -1)
+ err(1, "unveil");
+ if (pledge("stdio rpath proc exec", NULL) == -1)
+ err(1, "pledge");
 if ((devfd = open(device, O_RDONLY | O_CLOEXEC)) == -1)
 err(1, "%s", device);
|
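Review bot: The three added `err(1, "unveil")` calls print the same message, so a failure cannot be attributed to `device` (which comes from `-d`) or to either script path. Naming the path, e.g. `err(1, "unveil %s", device);` and `err(1, "unveil %s", _PATH_ETC_HOTPLUG_ATTACH);`, would make a bad device argument or a missing directory diagnosable from the message alone. Because `pledge()` now runs after option parsing and its promise string has no "unveil" entry, a short comment above it such as `/* no "unveil" promise: the filesystem view is final from here on */` would record why the calls must stay in this order. main() begins and ends outside this hunk, so the later use of these paths is not visible here.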