From 8b61ea286be88c7e1ec1f6dc5ad18e3213c99228 Mon Sep 17 00:00:00 2001 From: Ricardo Mestre Date: Wed, 19 Aug 2020 14:23:27 +0000 Subject: add unveil(2) again this allows reading from anywhere in the filesystem (in order to read the config file and those ones included from it), but also executing, which I missed from my last attempt, because it's required for "check script(s)". even though it's a broad permission, and the main proc cannot be pledged due to forbidden ioctls, then this at least prevents it from creating/writing/deleting files which is not required here. OK benno@ a long time ago --- usr.sbin/relayd/relayd.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr.sbin/relayd/relayd.c b/usr.sbin/relayd/relayd.c index fc10929359f..d431e70e42b 100644 --- a/usr.sbin/relayd/relayd.c +++ b/usr.sbin/relayd/relayd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relayd.c,v 1.182 2019/09/15 19:23:29 rob Exp $ */ +/* $OpenBSD: relayd.c,v 1.183 2020/08/19 14:23:26 mestre Exp $ */ /* * Copyright (c) 2007 - 2016 Reyk Floeter @@ -223,6 +223,11 @@ main(int argc, char *argv[]) if (ps->ps_noaction == 0) log_info("startup"); + if (unveil("/", "rx") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + event_init(); signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps); -- cgit v1.2.3