OK with me.
I'll say it again, the unveils in here are misguided. Almost as
misguided as the mmap's (which prevents large file transfer, and
there are other problems..)
Claudio Jeker <
[hidden email]> wrote:
> There is no need for cpath or the unveil of . in the rsync process.
> That process just does fork+exec for rsync.
> Removing the unveil pledge is the same as unveil(NULL, NULL) so skip that
> too.
>
> OK?
> --
> :wq Claudio
>
> Index: main.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
> retrieving revision 1.104
> diff -u -p -r1.104 main.c
> --- main.c 22 Feb 2021 09:46:05 -0000 1.104
> +++ main.c 23 Feb 2021 10:42:24 -0000
> @@ -941,8 +941,7 @@ main(int argc, char *argv[])
> if (fchdir(cachefd) == -1)
> err(1, "fchdir");
>
> - if (pledge("stdio rpath cpath proc exec unveil", NULL)
> - == -1)
> + if (pledge("stdio rpath proc exec unveil", NULL) == -1)
> err(1, "pledge");
>
> proc_rsync(rsync_prog, bind_addr, fd[0]);
> Index: rsync.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v
> retrieving revision 1.18
> diff -u -p -r1.18 rsync.c
> --- rsync.c 19 Feb 2021 08:14:49 -0000 1.18
> +++ rsync.c 23 Feb 2021 10:41:50 -0000
> @@ -160,13 +160,6 @@ proc_rsync(char *prog, char *bind_addr,
> } else if (unveil(prog, "x") == -1)
> err(1, "%s: unveil", prog);
>
> - /* Unveil the repository directory and terminate unveiling. */
> -
> - if (unveil(".", "c") == -1)
> - err(1, "unveil");
> - if (unveil(NULL, NULL) == -1)
> - err(1, "unveil");
> -
> if (pledge("stdio proc exec", NULL) == -1)
> err(1, "pledge");
>
>