On Wed, Nov 08, 2023 at 03:30:37PM +0100, Landry Breuil wrote:
> On Wed, Nov 08, 2023 at 02:20:22PM +0000, Klemens Nanni wrote:
> > On Wed, Nov 08, 2023 at 03:11:33PM +0100, Landry Breuil wrote:
> > > On Wed, Nov 08, 2023 at 02:56:53PM +0100, Landry Breuil wrote:
> > > > if you want to go down that road, barring any glib madness about various
> > > > ~/.cache or .local stuff, upower itself should only need wc on
> > > > /var/db/upower/
> > >
> > > bah, spoke too fast, it also needs var/run/dbus to talk to the
> > > systemwide dbus daemon:
> > >
> > > + if (unveil("/", "r") == -1)
> > > + err(1, "unveil /");
> > > + if (unveil("/var/run/dbus/", "rw") == -1)
> > > + err(1, "unveil /var/run/dbus");
> > > + if (unveil("/var/db/upower", "rwc") == -1)
> > > + err(1, "unveil /var/db/upower");
> > > + if (unveil(NULL, NULL) == -1)
> > > + err(1, "unveil NULL");
> > >
> > > with that it seems to work here.
> >
> > I welcome this direction, but haven't gone through the code yet wrt.
> > read/write/create file access -- not as easy as hunting for x bits,
> > as you also demonstrated.
> >
> > If consensus is to use unveil() here, I'd be happy to start with a diff
> > like mine and iterate.
>
> we're not the first ones to go this way :)
>
> https://gitlab.freedesktop.org/upower/upower/-/blob/master/src/upower.service.in?ref_type=heads#L11
>
> I'm pretty confident that rwc on /var/db/upower + rw on /var/run/dbus
> should be enough for regular use.
>
> we create /var/db/upower in the package, the code tries to recreate
> it/set modes in
> https://gitlab.freedesktop.org/upower/upower/-/blob/master/src/up-history.c?ref_type=heads#L413
> and then the history files are written/overwritten/created as needed in
> https://gitlab.freedesktop.org/upower/upower/-/blob/master/src/up-history.c?ref_type=heads#L545

Good enough for me to start with your diff, OK kn

>
> it might be possible to tighten the unveil by calling it later on but
> for now it seems better than nothing.
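
Review bot: the first call in the quoted diff, unveil("/", "r"), leaves the entire filesystem readable, so the "rw" and "rwc" entries that follow only restrict where the daemon can write and create, not what it can read. If the read set can be enumerated, replace "/" with those specific paths; otherwise add a comment above that call saying why root-wide read is kept, so a later tightening pass knows it was deliberate. Smaller point: the path in unveil("/var/run/dbus/", "rw") has a trailing slash while its err() string and the /var/db/upower entry do not; using one spelling throughout keeps the error messages greppable against the paths actually unveiled.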