On Wed, Nov 08, 2023 at 02:56:53PM +0100, Landry Breuil wrote:
> On Wed, Nov 08, 2023 at 01:49:56PM +0000, Klemens Nanni wrote:
> > Started by D-Bus, this upowerd(8) runs as root without the usual
> > OpenBSD security considerations.
> > 
> > upowerd(8) used to support scripts, but deprecated them in 2013.
> > I don't see any other code that would fork or exec stuff.
> > 
> > apm(4) ioctls are not covered by pledge(2), sensors reading via
> > sysctl(2) should be, though.
> > 
> > So as with openbsdisks2, unveil("/", "rwc") to strip the x bit.
> > 
> > `upower --monitor-detail' and replugging my notebook's power cable
> > still provides all the details.
> > 
> > Works for me on Xfce.
> > Feedback? Objection? OK?
> 
> if you want to go down that road, barring any glib madness about various
> ~/.cache or .local stuff, upower itself should only need wc on
>  /var/db/upower/

bah, spoke too fast, it also needs var/run/dbus to talk to the
systemwide dbus daemon:

+       if (unveil("/", "r") == -1)
+               err(1, "unveil /");
+       if (unveil("/var/run/dbus/", "rw") == -1)
+               err(1, "unveil /var/run/dbus");
+       if (unveil("/var/db/upower", "rwc") == -1)
+               err(1, "unveil /var/db/upower");
+       if (unveil(NULL, NULL) == -1)
+               err(1, "unveil NULL");

with that it seems to work here.
