diff options
-rw-r--r-- | usr.sbin/acme-client/Makefile | 4 | ||||
-rw-r--r-- | usr.sbin/acme-client/acctproc.c | 13 | ||||
-rw-r--r-- | usr.sbin/acme-client/certproc.c | 13 | ||||
-rw-r--r-- | usr.sbin/acme-client/chngproc.c | 16 | ||||
-rw-r--r-- | usr.sbin/acme-client/dnsproc.c | 21 | ||||
-rw-r--r-- | usr.sbin/acme-client/extern.h | 9 | ||||
-rw-r--r-- | usr.sbin/acme-client/fileproc.c | 19 | ||||
-rw-r--r-- | usr.sbin/acme-client/keyproc.c | 13 | ||||
-rw-r--r-- | usr.sbin/acme-client/main.c | 14 | ||||
-rw-r--r-- | usr.sbin/acme-client/netproc.c | 14 | ||||
-rw-r--r-- | usr.sbin/acme-client/revokeproc.c | 13 | ||||
-rw-r--r-- | usr.sbin/acme-client/sandbox-pledge.c | 83 | ||||
-rw-r--r-- | usr.sbin/acme-client/util-pledge.c | 65 |
13 files changed, 57 insertions, 240 deletions
diff --git a/usr.sbin/acme-client/Makefile b/usr.sbin/acme-client/Makefile index 6d373e561cb..5df53d61b55 100644 --- a/usr.sbin/acme-client/Makefile +++ b/usr.sbin/acme-client/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.3 2016/08/31 22:28:23 florian Exp $ +# $OpenBSD: Makefile,v 1.4 2016/09/01 00:21:36 deraadt Exp $ PROG= acme-client SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c -SRCS+= revokeproc.c rsa.c sandbox-pledge.c util-pledge.c util.c +SRCS+= revokeproc.c rsa.c util.c MAN= acme-client.1 LDADD= -ltls -lssl -lcrypto diff --git a/usr.sbin/acme-client/acctproc.c b/usr.sbin/acme-client/acctproc.c index dc1189cae8d..2559c43ede4 100644 --- a/usr.sbin/acme-client/acctproc.c +++ b/usr.sbin/acme-client/acctproc.c @@ -1,4 +1,4 @@ -/* $Id: acctproc.c,v 1.3 2016/08/31 23:52:30 benno Exp $ */ +/* $Id: acctproc.c,v 1.4 2016/09/01 00:21:36 deraadt Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -348,17 +348,12 @@ acctproc(int netsock, const char *acctkey, int newacct) /* File-system, user, and sandbox jailing. */ - if ( ! sandbox_before()) - goto out; - ERR_load_crypto_strings(); - if ( ! dropfs(PATH_VAR_EMPTY)) - goto out; - else if ( ! dropprivs()) - goto out; - else if ( ! sandbox_after()) + if (pledge("stdio", NULL) == -1) { + warn("pledge"); goto out; + } /* * Seed our PRNG with data from arc4random(). diff --git a/usr.sbin/acme-client/certproc.c b/usr.sbin/acme-client/certproc.c index a75112b84ee..b005f647566 100644 --- a/usr.sbin/acme-client/certproc.c +++ b/usr.sbin/acme-client/certproc.c @@ -1,4 +1,4 @@ -/* $Id: certproc.c,v 1.3 2016/08/31 23:53:58 benno Exp $ */ +/* $Id: certproc.c,v 1.4 2016/09/01 00:21:36 deraadt Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -104,17 +104,12 @@ certproc(int netsock, int filesock) /* File-system and sandbox jailing. */ - if ( ! sandbox_before()) - goto out; - ERR_load_crypto_strings(); - if ( ! dropfs(PATH_VAR_EMPTY)) - goto out; - else if ( ! dropprivs()) - goto out; - else if ( ! sandbox_after()) + if (pledge("stdio", NULL) == -1) { + warn("pledge"); goto out; + } /* Read what the netproc wants us to do. */ diff --git a/usr.sbin/acme-client/chngproc.c b/usr.sbin/acme-client/chngproc.c index f7c11e2306c..55aae1cbe0c 100644 --- a/usr.sbin/acme-client/chngproc.c +++ b/usr.sbin/acme-client/chngproc.c @@ -1,4 +1,4 @@ -/* $Id: chngproc.c,v 1.2 2016/08/31 22:49:09 benno Exp $ */ +/* $Id: chngproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -47,14 +47,18 @@ chngproc(int netsock, const char *root, int remote) fs = NULL; fsz = 0; - /* File-system and sandbox jailing. */ - - if ( ! sandbox_before()) + if (chroot(root) == -1) { + warn("chroot"); goto out; - else if ( ! dropfs(root)) + } + if (chdir("/") == -1) { + warn("chdir"); goto out; - else if ( ! sandbox_after()) + } + if (pledge("stdio cpath wpath", NULL) == -1) { + warn("pledge"); goto out; + } /* * Loop while we wait to get a thumbprint and token. diff --git a/usr.sbin/acme-client/dnsproc.c b/usr.sbin/acme-client/dnsproc.c index 50b808237a5..56c167eea92 100644 --- a/usr.sbin/acme-client/dnsproc.c +++ b/usr.sbin/acme-client/dnsproc.c @@ -1,4 +1,4 @@ -/* $Id: dnsproc.c,v 1.2 2016/08/31 22:49:09 benno Exp $ */ +/* $Id: dnsproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -127,23 +127,10 @@ dnsproc(int nfd) look = last = NULL; vsz = 0; - /* - * Why don't we chroot() here? - * On OpenBSD, the pledge(2) takes care of our constraining the - * environment to DNS resolution only, so the chroot(2) is - * unnecessary. - * On Mac OS X, we can't chroot(2): we'd need to have an mdns - * responder thing in each jail. - * On Linux, forget it. getaddrinfo(2) pulls on all sorts of - * mystery meat. - */ - - if ( ! sandbox_before()) - goto out; - else if ( ! dropprivs()) - goto out; - else if ( ! sandbox_after()) + if (pledge("stdio dns", NULL) == -1) { + warn("pledge"); goto out; + } /* * This is simple: just loop on a request operation, and each diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h index eed991c7a0d..c2085266874 100644 --- a/usr.sbin/acme-client/extern.h +++ b/usr.sbin/acme-client/extern.h @@ -1,4 +1,4 @@ -/* $Id: extern.h,v 1.2 2016/08/31 22:49:09 benno Exp $ */ +/* $Id: extern.h,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -245,13 +245,6 @@ char *json_fmt_thumb_rsa(const char *, const char *); char *json_fmt_signed(const char *, const char *, const char *, const char *); -int dropprivs(void); -int dropfs(const char *); -int checkprivs(void); - -int sandbox_after(void); -int sandbox_before(void); - /* * Should we print debugging messages? */ diff --git a/usr.sbin/acme-client/fileproc.c b/usr.sbin/acme-client/fileproc.c index 29b681fa2dd..20da2381b7c 100644 --- a/usr.sbin/acme-client/fileproc.c +++ b/usr.sbin/acme-client/fileproc.c @@ -1,4 +1,4 @@ -/* $Id: fileproc.c,v 1.2 2016/08/31 23:00:17 benno Exp $ */ +/* $Id: fileproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -81,12 +81,23 @@ fileproc(int certsock, int backup, const char *certdir) /* File-system and sandbox jailing. */ - if ( ! sandbox_before()) + if (chroot(certdir) == -1) { + warn("chroot"); goto out; - else if ( ! dropfs(certdir)) + } + if (chdir("/") == -1) { + warn("chdir"); goto out; - else if ( ! sandbox_after()) + } + + /* + * rpath and cpath for rename, wpath and cpath for + * writing to the temporary. + */ + if (pledge("stdio cpath wpath rpath", NULL) == -1) { + warn("pledge"); goto out; + } /* Read our operation. */ diff --git a/usr.sbin/acme-client/keyproc.c b/usr.sbin/acme-client/keyproc.c index 0013ce549cd..001064637a1 100644 --- a/usr.sbin/acme-client/keyproc.c +++ b/usr.sbin/acme-client/keyproc.c @@ -1,4 +1,4 @@ -/* $Id: keyproc.c,v 1.2 2016/08/31 23:25:10 benno Exp $ */ +/* $Id: keyproc.c,v 1.3 2016/09/01 00:21:36 deraadt Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -116,17 +116,12 @@ keyproc(int netsock, const char *keyfile, /* File-system, user, and sandbox jail. */ - if ( ! sandbox_before()) - goto out; - ERR_load_crypto_strings(); - if ( ! dropfs(PATH_VAR_EMPTY)) - goto out; - else if ( ! dropprivs()) - goto out; - else if ( ! sandbox_after()) + if (pledge("stdio", NULL) == -1) { + warn("pledge"); goto out; + } /* * Seed our PRNG with data from arc4random(). diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c index a9e943208e7..9d26cc145fc 100644 --- a/usr.sbin/acme-client/main.c +++ b/usr.sbin/acme-client/main.c @@ -1,4 +1,4 @@ -/* $Id: main.c,v 1.5 2016/09/01 00:03:39 benno Exp $ */ +/* $Id: main.c,v 1.6 2016/09/01 00:21:36 deraadt Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -172,7 +172,7 @@ main(int argc, char *argv[]) argc--; argv++; - if ( ! checkprivs()) + if ( getuid() != 0) errx(EXIT_FAILURE, "must be run as root"); /* @@ -437,14 +437,10 @@ main(int argc, char *argv[]) /* Jail: sandbox, file-system, user. */ - if ( ! sandbox_before()) - exit(EXIT_FAILURE); - else if ( ! dropfs(PATH_VAR_EMPTY)) - exit(EXIT_FAILURE); - else if ( ! dropprivs()) - exit(EXIT_FAILURE); - else if ( ! sandbox_after()) + if (pledge("stdio", NULL) == -1) { + warn("pledge"); exit(EXIT_FAILURE); + } /* * Collect our subprocesses. diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c index 0a81f765a4d..9fe5453d420 100644 --- a/usr.sbin/acme-client/netproc.c +++ b/usr.sbin/acme-client/netproc.c @@ -1,4 +1,4 @@ -/* $Id: netproc.c,v 1.3 2016/08/31 23:36:16 benno Exp $ */ +/* $Id: netproc.c,v 1.4 2016/09/01 00:21:36 deraadt Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -600,16 +600,10 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, url = cert = thumb = NULL; chngs = NULL; - /* File-system, user, and sandbox jail. */ - - if ( ! sandbox_before()) - goto out; - else if ( ! dropfs(PATH_VAR_EMPTY)) - goto out; - else if ( ! dropprivs()) - goto out; - else if ( ! sandbox_after()) + if (pledge("stdio inet", NULL) == -1) { + warn("pledge"); goto out; + } /* * Wait until the acctproc, keyproc, and revokeproc have started diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c index 20423ba8d16..b5189560f7f 100644 --- a/usr.sbin/acme-client/revokeproc.c +++ b/usr.sbin/acme-client/revokeproc.c @@ -1,4 +1,4 @@ -/* $Id: revokeproc.c,v 1.4 2016/08/31 23:41:23 benno Exp $ */ +/* $Id: revokeproc.c,v 1.5 2016/09/01 00:21:36 deraadt Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -141,17 +141,12 @@ revokeproc(int fd, const char *certdir, int force, int revocate, /* File-system and sandbox jailing. */ - if ( ! sandbox_before()) - goto out; - ERR_load_crypto_strings(); - if ( ! dropfs(PATH_VAR_EMPTY)) - goto out; - else if ( ! dropprivs()) - goto out; - else if ( ! sandbox_after()) + if (pledge("stdio", NULL) == -1) { + warn("pledge"); goto out; + } /* * If we couldn't open the certificate, it doesn't exist so we diff --git a/usr.sbin/acme-client/sandbox-pledge.c b/usr.sbin/acme-client/sandbox-pledge.c deleted file mode 100644 index 88b5a263a9c..00000000000 --- a/usr.sbin/acme-client/sandbox-pledge.c +++ /dev/null @@ -1,83 +0,0 @@ -/* $Id: sandbox-pledge.c,v 1.2 2016/08/31 23:46:34 benno Exp $ */ -/* - * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ -#ifdef HAVE_CONFIG_H -# include "config.h" -#endif - -#include <err.h> -#include <errno.h> -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#include "extern.h" - -int -sandbox_before(void) -{ - - return(1); -} - -int -sandbox_after(void) -{ - - switch (proccomp) { - case (COMP_ACCOUNT): - case (COMP_CERT): - case (COMP_KEY): - case (COMP_REVOKE): - case (COMP__MAX): - if (-1 == pledge("stdio", NULL)) { - warn("pledge"); - return(0); - } - break; - case (COMP_CHALLENGE): - if (-1 == pledge("stdio cpath wpath", NULL)) { - warn("pledge"); - return(0); - } - break; - case (COMP_DNS): - if (-1 == pledge("stdio dns", NULL)) { - warn("pledge"); - return(0); - } - break; - case (COMP_FILE): - /* - * Rpath and cpath for rename, wpath and cpath for - * writing to the temporary. - */ - if (-1 == pledge("stdio cpath wpath rpath", NULL)) { - warn("pledge"); - return(0); - } - break; - case (COMP_NET): - if (-1 == pledge("stdio inet", NULL)) { - warn("pledge"); - return(0); - } - break; - } - return(1); -} diff --git a/usr.sbin/acme-client/util-pledge.c b/usr.sbin/acme-client/util-pledge.c deleted file mode 100644 index 6b5e78d9b34..00000000000 --- a/usr.sbin/acme-client/util-pledge.c +++ /dev/null @@ -1,65 +0,0 @@ -/* $Id: util-pledge.c,v 1.1 2016/08/31 22:01:42 florian Exp $ */ -/* - * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ -#ifdef HAVE_CONFIG_H -# include "config.h" -#endif - -#include <err.h> -#include <unistd.h> - -#include "extern.h" - -int -dropfs(const char *path) -{ - - /* - * Only the challenge and file processes touch files within the - * pledge, so only these need to be chrooted. - */ - - if (COMP_CHALLENGE != proccomp && - COMP_FILE != proccomp) - return(1); - - if (-1 == chroot(path)) - warn("%s: chroot", path); - else if (-1 == chdir("/")) - warn("/: chdir"); - else - return(1); - - return(0); -} - -int -checkprivs(void) -{ - - /* Needed for chroot(2) calls in dropfs(). */ - - return(0 == getuid()); -} - -int -dropprivs(void) -{ - - /* Don't need to drop privileges like this. */ - - return(1); -} |