unveil(2) for spamlogd(8)

unveil(2) for spamlogd(8)

Ricardo Mestre-2
Hi,

Are there any brave souls out there with unveil(2) enabled already?

If yes please test this diff for spamlogd(8) which seems to only need rw
access to the file PATH_SPAMD_DB and nothing else.

Not asking for OKs yet, but if the code pattern is correct can I start looking
at other programs?

Sorry for my earlier email, my clock was WAY off.

Index: spamlogd.c
===================================================================
RCS file: /cvs/src/libexec/spamlogd/spamlogd.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 spamlogd.c
--- spamlogd.c 16 Mar 2016 14:47:04 -0000 1.27
+++ spamlogd.c 18 Jul 2018 11:46:59 -0000
@@ -376,12 +376,15 @@ main(int argc, char **argv)
  }
 
  if (syncsend) {
- if (pledge("stdio rpath wpath inet flock", NULL) == -1)
+ if (pledge("stdio rpath wpath inet flock unveil", NULL) == -1)
  err(1, "pledge");
  } else {
- if (pledge("stdio rpath wpath flock", NULL) == -1)
+ if (pledge("stdio rpath wpath flock unveil", NULL) == -1)
  err(1, "pledge");
  }
+
+ if (unveil(PATH_SPAMD_DB, "rw") == -1)
+ err(1, "unveil");
 
  pcap_loop(hpcap, -1, phandler, NULL);
 
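Review bot: the new unveil(PATH_SPAMD_DB, "rw") call sits after the pledge() calls, which is the only reason both promise strings had to gain "unveil"; moving it above the if (syncsend) block, and following it with unveil(NULL, NULL) to lock the set, lets both pledge strings stay exactly as they were and turns any later unveil(2) call into a pledge violation instead of a silent widening of the filesystem view.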

Re: unveil(2) for spamlogd(8)

Robert Nagy
Hi

I think you should call unveil before pledge, so that you don't
need to pledge unveil.
This will prevent further calls to unveil.

On 18/07/18 12:59 +0100, Ricardo Mestre wrote:

> Hi,
>
> Are there any brave souls out there with unveil(2) enabled already?
>
> If yes please test this diff for spamlogd(8) which seems to only need rw
> access to the file PATH_SPAMD_DB and nothing else.
>
> Not asking for OKs yet, but if the code pattern is correct can I start looking
> at other programs?
>
> Sorry for my earlier email, my clock was WAY off.
>
> Index: spamlogd.c
> ===================================================================
> RCS file: /cvs/src/libexec/spamlogd/spamlogd.c,v
> retrieving revision 1.27
> diff -u -p -u -r1.27 spamlogd.c
> --- spamlogd.c 16 Mar 2016 14:47:04 -0000 1.27
> +++ spamlogd.c 18 Jul 2018 11:46:59 -0000
> @@ -376,12 +376,15 @@ main(int argc, char **argv)
>   }
>  
>   if (syncsend) {
> - if (pledge("stdio rpath wpath inet flock", NULL) == -1)
> + if (pledge("stdio rpath wpath inet flock unveil", NULL) == -1)
>   err(1, "pledge");
>   } else {
> - if (pledge("stdio rpath wpath flock", NULL) == -1)
> + if (pledge("stdio rpath wpath flock unveil", NULL) == -1)
>   err(1, "pledge");
>   }
> +
> + if (unveil(PATH_SPAMD_DB, "rw") == -1)
> + err(1, "unveil");
>  
>   pcap_loop(hpcap, -1, phandler, NULL);
>  
>

Re: unveil(2) for spamlogd(8)

Ricardo Mestre-2
Hi Robert,

Good catch! I just tested it and it still works: when trying to open another file
after the pledge, even with the rpath/wpath promises, the file won't be seen.

So in this case the unveil promise can be removed since it's no longer needed.

Thank you!

On 14:58 Wed 18 Jul, Robert Nagy wrote:
> Hi
>
> I think you should call unveil before pledge, so that you don't
> need to pledge unveil.
> This will prevent further calls to unveil.
>

Re: unveil(2) for spamlogd(8)

Sebastien Marie-3
On Wed, Jul 18, 2018 at 12:59:12PM +0100, Ricardo Mestre wrote:
> Hi,
>
> Are there any brave souls out there with unveil(2) enabled already?
>
> If yes please test this diff for spamlogd(8) which seems to only need rw
> access to the file PATH_SPAMD_DB and nothing else.
>
> Not asking for OKs yet, but if the code pattern is correct can I start looking
> at other programs?

Mostly about the code pattern.

First, I don't know all the arcana of unveil, so I could be wrong at some
point. Hearing from beck@ would help too :)

- pledge and unveil

  I think, if possible, you should configure unveil(2) before calling
  pledge(2). This way, you don't have to leave the "unveil" promise
  allowed.

- locking unveil

  You should call unveil(NULL, NULL) when all your unveil(2) stuff is
  done: this way, you lock out further unveil additions. But with the
  pledge(2) call after it, any unveil(2) call would abort the program
  anyway (with no "unveil" promise).

>
> Index: spamlogd.c
> ===================================================================
> RCS file: /cvs/src/libexec/spamlogd/spamlogd.c,v
> retrieving revision 1.27
> diff -u -p -u -r1.27 spamlogd.c
> --- spamlogd.c 16 Mar 2016 14:47:04 -0000 1.27
> +++ spamlogd.c 18 Jul 2018 11:46:59 -0000
> @@ -376,12 +376,15 @@ main(int argc, char **argv)
>   }
>  
>   if (syncsend) {
> - if (pledge("stdio rpath wpath inet flock", NULL) == -1)
> + if (pledge("stdio rpath wpath inet flock unveil", NULL) == -1)
>   err(1, "pledge");
>   } else {
> - if (pledge("stdio rpath wpath flock", NULL) == -1)
> + if (pledge("stdio rpath wpath flock unveil", NULL) == -1)
>   err(1, "pledge");
>   }
> +
> + if (unveil(PATH_SPAMD_DB, "rw") == -1)
> + err(1, "unveil");
>  
>   pcap_loop(hpcap, -1, phandler, NULL);
>  
>

Thanks.
--
Sebastien Marie
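The ordering both replies recommend (unveil the database, lock with unveil(NULL, NULL), then pledge without the "unveil" promise), written out as an added example that is not part of the thread or of spamlogd(8)'s source. EXAMPLE_DB_PATH and the function names are assumptions; spamlogd itself uses PATH_SPAMD_DB. The no-op stand-ins for unveil(2)/pledge(2) are only there so the example compiles on non-OpenBSD systems and restrict nothing there.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical path; spamlogd(8) uses PATH_SPAMD_DB from its own headers. */
#define EXAMPLE_DB_PATH "/var/db/spamd"

#ifndef __OpenBSD__
/* Assumed no-op stand-ins: unveil(2)/pledge(2) exist only on OpenBSD. */
static int unveil(const char *path, const char *permissions)
{ (void)path; (void)permissions; return 0; }
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
#endif

/* Final promise set: no "unveil" keyword, because unveil(2) is finished first. */
const char *
spamlogd_promises(int syncsend)
{
	return syncsend ? "stdio rpath wpath inet flock"
	    : "stdio rpath wpath flock";
}

/* Unveil, lock, then pledge. Returns 0 on success, -1 with errno set. */
int
restrict_spamlogd(const char *dbpath, int syncsend)
{
	if (unveil(dbpath, "rw") == -1)		/* only the DB, read/write */
		return -1;
	if (unveil(NULL, NULL) == -1)		/* lock: no further paths */
		return -1;
	if (pledge(spamlogd_promises(syncsend), NULL) == -1)
		return -1;
	return 0;
}

int
main(void)
{
	if (restrict_spamlogd(EXAMPLE_DB_PATH, 0) == -1)
		return 1;
	/* On OpenBSD this fopen fails with ENOENT (the path was not unveiled),
	 * even though rpath is pledged; with the stand-ins above it succeeds. */
	FILE *fp = fopen("/etc/passwd", "r");
	printf("fopen(/etc/passwd): %s\n", fp ? "succeeded" : strerror(errno));
	return 0;
}
```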