From e248a5b61bac95bf5f1cc76702e3c728432ff9f2 Mon Sep 17 00:00:00 2001
From: Ricardo Mestre <mestre@cvs.openbsd.org>
Date: Wed, 24 Apr 2019 19:13:50 +0000
Subject: restrict filesystem access to read only on main process via unveil(2)

ok benno@ deraadt@
---
 usr.sbin/relayd/relayd.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'usr.sbin')

diff --git a/usr.sbin/relayd/relayd.c b/usr.sbin/relayd/relayd.c
index 5781389f379..9e80bed2d09 100644
--- a/usr.sbin/relayd/relayd.c
+++ b/usr.sbin/relayd/relayd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: relayd.c,v 1.174 2018/09/09 21:06:51 bluhm Exp $	*/
+/*	$OpenBSD: relayd.c,v 1.175 2019/04/24 19:13:49 mestre Exp $	*/
 
 /*
  * Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -222,6 +222,11 @@ main(int argc, char *argv[])
 	if (ps->ps_noaction == 0)
 		log_info("startup");
 
+	if (unveil("/", "r") == -1)
+		err(1, "unveil");
+	if (unveil(NULL, NULL) == -1)
+		err(1, "unveil");
+
 	event_init();
 
 	signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);
-- 
cgit v1.2.3