authorRicardo Mestre <mestre@cvs.openbsd.org>2018-10-25 06:41:26 +0000
committerRicardo Mestre <mestre@cvs.openbsd.org>2018-10-25 06:41:26 +0000
commit111fae579fb630706c13d3245d129f093ebf1453 (patch)
tree4761043f4c09052d269cce43392e8add369e96bc /xserver
parent55cb2fba6b88f820c2dfee1f4bfc2b978dfe23a0 (diff)
xserver's priv proc is responsible for opening devices in O_RDWR mode and send
their fds over to the parent proc. Knowing this then we already have a list of all possible devices that might be opened in the future, in struct okdev allowed_devices[], and we just need to traverse them and unveil(2) each one with read/write permissions. positive feedback from semarie@, OK matthieu@
Diffstat (limited to 'xserver')
-rw-r--r--xserver/os/privsep.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/xserver/os/privsep.c b/xserver/os/privsep.c
index 4c38e308d..445031bea 100644
--- a/xserver/os/privsep.c
+++ b/xserver/os/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.29 2018/08/06 20:11:34 matthieu Exp $ */
+/* $OpenBSD: privsep.c,v 1.30 2018/10/25 06:41:25 mestre Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -274,6 +274,10 @@ priv_init(uid_t uid, gid_t gid)
setproctitle("[priv]");
close(socks[1]);
+ for (dev = allowed_devices; dev->name != NULL; dev++) {
+ if (unveil(dev->name, "rw") == -1)
+ err(1, "unveil");
+ }
if (pledge("stdio rpath wpath sendfd proc", NULL) == -1)
err(1, "pledge");
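Review bot: The `err(1, "unveil")` in the added loop does not say which path was rejected, so a failure here terminates the privileged process at startup with nothing to identify the offending `allowed_devices` entry; `err(1, "unveil %s", dev->name);` would make that diagnosable. The loop also deserves a short comment, for example `/* expose only allowed_devices; the pledge below omits "unveil", so the set cannot be extended afterwards */`, because the code relies on that pledge rather than an explicit `unveil(NULL, NULL)` to freeze the list. That ordering is easy to break if someone later adds the "unveil" promise or moves the pledge call. The loop further assumes that the table ends with an entry whose `name` is NULL and that `dev` is already declared in priv_init; neither is visible in this hunk, and the function body starts and ends outside it.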