From fe0b228694cde1e4c439d8f8271c03448388a1a2 Mon Sep 17 00:00:00 2001 From: Bryan Steele Date: Sun, 26 Aug 2018 18:26:52 +0000 Subject: Unveil pflogd(8). Similiar to florian@'s recent changes to ifconfig(8), the priviledged parent cannot be pledged due to certain ioctls, but we can use unveil(2) to lock down its access to the filesystem. To be able to use hostnames/dns in tcpdump-like filter expressions, we unveil /etc/{resolv.conf,hosts,services} "r", kept in sync with the kernel bypass for pledge("dns") Additionally, we need to unveil /dev/bpf "r" and the output log file "rwc". The unpriviledged child is pledged "stdio recvfd" and thus does not need any unveils. With feedback/testing from florian@, deraadt@ ok florian@ deraadt@ --- sbin/pflogd/privsep.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'sbin') diff --git a/sbin/pflogd/privsep.c b/sbin/pflogd/privsep.c index e0ea2026bd3..c0549727356 100644 --- a/sbin/pflogd/privsep.c +++ b/sbin/pflogd/privsep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: privsep.c,v 1.31 2018/08/26 18:24:46 brynet Exp $ */ +/* $OpenBSD: privsep.c,v 1.32 2018/08/26 18:26:51 brynet Exp $ */ /* * Copyright (c) 2003 Can Erkin Acar @@ -131,6 +131,19 @@ priv_init(int Pflag, int argc, char *argv[]) setproctitle("[priv]"); + if (unveil("/etc/resolv.conf", "r") == -1) + err(1, "unveil"); + if (unveil("/etc/hosts", "r") == -1) + err(1, "unveil"); + if (unveil("/etc/services", "r") == -1) + err(1, "unveil"); + if (unveil("/dev/bpf", "r") == -1) + err(1, "unveil"); + if (unveil(filename, "rwc") == -1) + err(1, "unveil"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + #if 0 /* This needs to do bpf ioctl */ BROKEN if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == -1) -- cgit v1.2.3