pledge(2) unbound-checkconf(8)

pledge(2) unbound-checkconf(8)

Ricardo Mestre-2
Hi,

unbound-checkconf(8) needs to chdir(2) and then open(2) the config file and
to call getpwnam(3). This means it needs to pledge for rpath and getpw, but
after calling getpwnam(3) the config file was already loaded so we can drop
both promises afterwards.

Comments? OK?

Index: unbound-checkconf.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
retrieving revision 1.11
diff -u -p -u -r1.11 unbound-checkconf.c
--- unbound-checkconf.c 8 Feb 2019 10:29:08 -0000 1.11
+++ unbound-checkconf.c 22 May 2019 12:49:12 -0000
@@ -588,6 +588,10 @@ morechecks(struct config_file* cfg)
 #  endif
  }
 #endif
+
+ if (pledge("stdio", NULL) == -1)
+ fatal_exit("Could not pledge");
+
  if(cfg->remote_control_enable && options_remote_is_address(cfg)
  && cfg->control_use_cert) {
  check_chroot_string("server-key-file", &cfg->server_key_file,
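Review bot: the pledge("stdio", NULL) added after #endif drops rpath immediately before the remote-control block, whose first visible call is check_chroot_string("server-key-file", &cfg->server_key_file, ...). If that check touches the key file on disk, the process is killed whenever remote_control_enable and control_use_cert are both set. Move the pledge below every path check in morechecks(), or keep rpath at this point and drop only getpw.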
@@ -724,6 +728,10 @@ int main(int argc, char* argv[])
  if(argc == 1)
  f = argv[0];
  else f = cfgfile;
+
+ if (pledge("stdio rpath getpw", NULL) == -1)
+ fatal_exit("Could not pledge");
+
  checkconf(f, opt, final);
  checklock_stop();
  return 0;
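Review bot: missing documentation in main(): the promise string "stdio rpath getpw" has no comment saying which calls need rpath and which need getpw, so a later reader cannot tell when each one becomes safe to drop. A short comment above the pledge naming the consumers would help. fatal_exit("Could not pledge") also discards errno; including it would show why the call failed.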


Re: pledge(2) unbound-checkconf(8)

Stuart Henderson-6
On 2019/05/22 14:12, Ricardo Mestre wrote:

> Hi,
>
> unbound-checkconf(8) needs to chdir(2) and then open(2) the config file and
> to call getpwnam(3). This means it needs to pledge for rpath and getpw, but
> after calling getpwnam(3) the config file was already loaded so we can drop
> both promises afterwards.
>
> Comments? OK?
>
> Index: unbound-checkconf.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
> retrieving revision 1.11
> diff -u -p -u -r1.11 unbound-checkconf.c
> --- unbound-checkconf.c 8 Feb 2019 10:29:08 -0000 1.11
> +++ unbound-checkconf.c 22 May 2019 12:49:12 -0000
> @@ -588,6 +588,10 @@ morechecks(struct config_file* cfg)
>  #  endif
>   }
>  #endif
> +
> + if (pledge("stdio", NULL) == -1)
> + fatal_exit("Could not pledge");
> +
>   if(cfg->remote_control_enable && options_remote_is_address(cfg)
>   && cfg->control_use_cert) {
>   check_chroot_string("server-key-file", &cfg->server_key_file,
> @@ -724,6 +728,10 @@ int main(int argc, char* argv[])
>   if(argc == 1)
>   f = argv[0];
>   else f = cfgfile;
> +
> + if (pledge("stdio rpath getpw", NULL) == -1)
> + fatal_exit("Could not pledge");
> +
>   checkconf(f, opt, final);
>   checklock_stop();
>   return 0;

Not ok - if you're using remote-control with certificates (for example,
to control remote unbound instances over a network connection) it hits the
following:

unbound-checkcon[21086]: pledge "rpath", syscall 38

(gdb) bt
#0  stat () at -:3
#1  0x000004da8ddd61dc in is_file (fname=0x4dd11e9e3c0 "/var/unbound/etc/unbound_server.key")
    at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:278
#2  0x000004da8ddd5f10 in check_chroot_string (desc=0x4da8dda7c5d "server-key-file", ss=0x4dca3ee33d0,
    chrootdir=0x0, cfg=0x4dca3ee3000) at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:335
#3  0x000004da8ddd5114 in morechecks (cfg=0x4dca3ee3000)
    at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:597
#4  0x000004da8ddd4776 in checkconf (cfgfile=0x4da8dda9506 "/var/unbound/etc/unbound.conf", opt=0x0, final=0)
    at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:674
#5  0x000004da8ddd44e2 in main (argc=0, argv=0x7f7ffffd1850)
    at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:735


Re: pledge(2) unbound-checkconf(8)

Ricardo Mestre-2
bonkers my brain must have farted :\ rpath should be dropped after loading the
certs. I just tested it with remote-control with certificates, could you
please let me know if it works for you now?

Index: unbound-checkconf.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
retrieving revision 1.11
diff -u -p -u -r1.11 unbound-checkconf.c
--- unbound-checkconf.c 8 Feb 2019 10:29:08 -0000 1.11
+++ unbound-checkconf.c 23 May 2019 10:45:48 -0000
@@ -602,6 +602,9 @@ morechecks(struct config_file* cfg)
  cfg->control_cert_file);
  }
 
+ if (pledge("stdio", NULL) == -1)
+ fatal_exit("Could not pledge");
+
  localzonechecks(cfg);
  view_and_respipchecks(cfg);
 #ifdef CLIENT_SUBNET
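Review bot: the pledge("stdio", NULL) now sits directly above localzonechecks(cfg) and view_and_respipchecks(cfg), so every check from that line on runs without rpath. Please confirm that none of them, nor anything the caller runs once morechecks() returns, opens or stats a file; if any does, keep "stdio rpath" here and drop only getpw.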
@@ -724,6 +727,10 @@ int main(int argc, char* argv[])
  if(argc == 1)
  f = argv[0];
  else f = cfgfile;
+
+ if (pledge("stdio rpath getpw", NULL) == -1)
+ fatal_exit("Could not pledge");
+
  checkconf(f, opt, final);
  checklock_stop();
  return 0;
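Review bot: style nit in main(): the added lines write "if (" with a space, while the surrounding context writes "if(argc == 1)". Matching the file's existing style keeps the addition consistent with the code around it.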

On 10:29 Thu 23 May     , Stuart Henderson wrote:

> Not ok - if you're using remote-control with certificates (for example,
> to control remote unbound instances over a network connection) it hits the
> following:
>
> unbound-checkcon[21086]: pledge "rpath", syscall 38
>
> (gdb) bt
> #0  stat () at -:3
> #1  0x000004da8ddd61dc in is_file (fname=0x4dd11e9e3c0 "/var/unbound/etc/unbound_server.key")
>     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:278
> #2  0x000004da8ddd5f10 in check_chroot_string (desc=0x4da8dda7c5d "server-key-file", ss=0x4dca3ee33d0,
>     chrootdir=0x0, cfg=0x4dca3ee3000) at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:335
> #3  0x000004da8ddd5114 in morechecks (cfg=0x4dca3ee3000)
>     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:597
> #4  0x000004da8ddd4776 in checkconf (cfgfile=0x4da8dda9506 "/var/unbound/etc/unbound.conf", opt=0x0, final=0)
>     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:674
> #5  0x000004da8ddd44e2 in main (argc=0, argv=0x7f7ffffd1850)
>     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:735
>


Re: pledge(2) unbound-checkconf(8)

Stuart Henderson-6
On 2019/05/23 11:54, Ricardo Mestre wrote:

> bonkers my brain must have farted :\ rpath should be dropped after loading the
> certs. I just tested it with remote-control with certificates, could you
> please let me know if it works for you now?
>
> Index: unbound-checkconf.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
> retrieving revision 1.11
> diff -u -p -u -r1.11 unbound-checkconf.c
> --- unbound-checkconf.c 8 Feb 2019 10:29:08 -0000 1.11
> +++ unbound-checkconf.c 23 May 2019 10:45:48 -0000
> @@ -602,6 +602,9 @@ morechecks(struct config_file* cfg)
>   cfg->control_cert_file);
>   }
>  
> + if (pledge("stdio", NULL) == -1)
> + fatal_exit("Could not pledge");
> +
>   localzonechecks(cfg);
>   view_and_respipchecks(cfg);
>  #ifdef CLIENT_SUBNET
> @@ -724,6 +727,10 @@ int main(int argc, char* argv[])
>   if(argc == 1)
>   f = argv[0];
>   else f = cfgfile;
> +
> + if (pledge("stdio rpath getpw", NULL) == -1)
> + fatal_exit("Could not pledge");
> +
>   checkconf(f, opt, final);
>   checklock_stop();
>   return 0;
>
> On 10:29 Thu 23 May     , Stuart Henderson wrote:
> > Not ok - if you're using remote-control with certificates (for example,
> > to control remote unbound instances over a network connection) it hits the
> > following:
> >
> > unbound-checkcon[21086]: pledge "rpath", syscall 38
> >
> > (gdb) bt
> > #0  stat () at -:3
> > #1  0x000004da8ddd61dc in is_file (fname=0x4dd11e9e3c0 "/var/unbound/etc/unbound_server.key")
> >     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:278
> > #2  0x000004da8ddd5f10 in check_chroot_string (desc=0x4da8dda7c5d "server-key-file", ss=0x4dca3ee33d0,
> >     chrootdir=0x0, cfg=0x4dca3ee3000) at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:335
> > #3  0x000004da8ddd5114 in morechecks (cfg=0x4dca3ee3000)
> >     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:597
> > #4  0x000004da8ddd4776 in checkconf (cfgfile=0x4da8dda9506 "/var/unbound/etc/unbound.conf", opt=0x0, final=0)
> >     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:674
> > #5  0x000004da8ddd44e2 in main (argc=0, argv=0x7f7ffffd1850)
> >     at /usr/src/usr.sbin/unbound/smallapp/unbound-checkconf.c:735
> >

        check_mod(cfg, val_get_funcblock());

- needs to read the DNSSEC root key,

        check_hints(cfg);

- needs to read hints files,

        check_auth(cfg);

- needs to read zones

I think you could do this, though:

Index: smallapp/unbound-checkconf.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
retrieving revision 1.11
diff -u -p -r1.11 unbound-checkconf.c
--- smallapp/unbound-checkconf.c 8 Feb 2019 10:29:08 -0000 1.11
+++ smallapp/unbound-checkconf.c 23 May 2019 12:17:03 -0000
@@ -587,6 +587,10 @@ morechecks(struct config_file* cfg)
  endpwent();
 #  endif
  }
+
+ if (pledge("stdio rpath", NULL) == -1)
+ fatal_exit("Could not pledge");
+
 #endif
  if(cfg->remote_control_enable && options_remote_is_address(cfg)
  && cfg->control_use_cert) {
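Review bot: the pledge("stdio rpath", NULL) is added above the #endif, so it is compiled only when the enclosing preprocessor condition holds; in any other build getpw stays held for the rest of the run. Moving the three added lines below #endif makes the drop unconditional, and the blank line added just before #endif can then go.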
@@ -724,6 +728,10 @@ int main(int argc, char* argv[])
  if(argc == 1)
  f = argv[0];
  else f = cfgfile;
+
+ if (pledge("stdio rpath getpw", NULL) == -1)
+ fatal_exit("Could not pledge");
+
  checkconf(f, opt, final);
  checklock_stop();
  return 0;
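Review bot: in main() the pledge comes after the argument handling shown in the context (f = argv[0] / f = cfgfile) and just before checkconf(). If nothing earlier in main() needs more than these promises, calling pledge at the top of main() would cover option parsing as well; if something does, a comment saying what it is would explain the placement.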


Re: pledge(2) unbound-checkconf(8)

Ricardo Mestre-2
it must be one of those days...

it's ok mestre if you feel like committing it and it doesn't add any burden
for you when upgrading unbound.

On 13:18 Thu 23 May     , Stuart Henderson wrote:

>         check_mod(cfg, val_get_funcblock());
>
> - needs to read the DNSSEC root key,
>
>         check_hints(cfg);
>
> - needs to read hints files,
>
>         check_auth(cfg);
>
> - needs to read zones
>
> I think you could do this, though:
>
> Index: smallapp/unbound-checkconf.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
> retrieving revision 1.11
> diff -u -p -r1.11 unbound-checkconf.c
> --- smallapp/unbound-checkconf.c 8 Feb 2019 10:29:08 -0000 1.11
> +++ smallapp/unbound-checkconf.c 23 May 2019 12:17:03 -0000
> @@ -587,6 +587,10 @@ morechecks(struct config_file* cfg)
>   endpwent();
>  #  endif
>   }
> +
> + if (pledge("stdio rpath", NULL) == -1)
> + fatal_exit("Could not pledge");
> +
>  #endif
>   if(cfg->remote_control_enable && options_remote_is_address(cfg)
>   && cfg->control_use_cert) {
> @@ -724,6 +728,10 @@ int main(int argc, char* argv[])
>   if(argc == 1)
>   f = argv[0];
>   else f = cfgfile;
> +
> + if (pledge("stdio rpath getpw", NULL) == -1)
> + fatal_exit("Could not pledge");
> +
>   checkconf(f, opt, final);
>   checklock_stop();
>   return 0;
>
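The promise ordering this thread works through, as an added example that is not part of any message or of unbound: a user-space model of pledge(2) promise sets (it never calls pledge itself), run over the three patch orderings. The step lists, the helper names and the placement of check_hints after the certificate checks are assumptions taken from the discussion.

```c
#include <stdio.h>
#include <string.h>
enum { P_STDIO = 1, P_RPATH = 2, P_GETPW = 4 };
/* One step of a run: a pledge call (promises != NULL) or work needing `needs`. */
struct step { const char *name; const char *promises; int needs; };

/* Turn a promise string such as "stdio rpath getpw" into a bitmask. */
static int parse_promises(const char *s)
{
	int mask = 0;
	if (strstr(s, "stdio")) mask |= P_STDIO;
	if (strstr(s, "rpath")) mask |= P_RPATH;
	if (strstr(s, "getpw")) mask |= P_GETPW;
	return mask;
}

/* Name of the first step that fails under the model, or NULL if all pass.
 * A pledge call may only shrink the held set; work needs every bit it lists. */
const char *first_violation(const struct step *steps, size_t n)
{
	int held = P_STDIO | P_RPATH | P_GETPW;	/* unpledged start */
	for (size_t i = 0; i < n; i++) {
		if (steps[i].promises != NULL) {
			int want = parse_promises(steps[i].promises);
			if (want & ~held)
				return steps[i].name;	/* regaining a promise fails */
			held = want;
		} else if ((steps[i].needs & held) != steps[i].needs)
			return steps[i].name;		/* process would be killed here */
	}
	return NULL;
}

#define WORK(n, bits) { n, NULL, bits }
#define DROP(p)       { "pledge", p, 0 }
/* Constructed orderings of the three patches; step order is an assumption. */
const struct step first_patch[] = { DROP("stdio rpath getpw"),
	WORK("read config", P_RPATH), WORK("getpwnam", P_GETPW), DROP("stdio"),
	WORK("server-key-file", P_RPATH), WORK("check_hints", P_RPATH) };
const struct step second_patch[] = { DROP("stdio rpath getpw"),
	WORK("read config", P_RPATH), WORK("getpwnam", P_GETPW),
	WORK("server-key-file", P_RPATH), DROP("stdio"), WORK("check_hints", P_RPATH) };
const struct step third_patch[] = { DROP("stdio rpath getpw"),
	WORK("read config", P_RPATH), WORK("getpwnam", P_GETPW), DROP("stdio rpath"),
	WORK("server-key-file", P_RPATH), WORK("check_hints", P_RPATH) };
int main(void)
{
	const char *v = first_violation(second_patch, 6);
	return printf("second patch stops at: %s\n", v ? v : "nothing") < 0;
}
```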