On Sat, Dec 28, 2024 at 11:08:28PM -0500, Chaz Kettleson wrote: > On Sat, Dec 28, 2024 at 03:54:34PM +0000, Stuart Henderson wrote: > > On 2024/12/28 09:51, Chaz Kettleson wrote: > > > I've been running this for a while and continued to do testing without > > > issues. Can we get this committed? Or is someone willing to take a look. > > > > I'm not a fan of building up the promises string dynamically. The > > approach I've normally seen used would be to pledge with the maximal > > promises set first, then call pledge again with a smaller set to revoke > > the unneeded ones as they're determined. That uses static strings so > > doesn't require that they're in writable memory. > > Thank you. I've updated and referenced the net/iperf3 in cooking this > diff. > > > > > I don't run an IRC server and it's not clear how to test without that. > > I see the port's rc script permits reload (no rc_reload=NO) - how does > > this hold up to reloading with different config (i.e. changing from > > config which doesn't need file access, to config which does)? > > > > SIGHUP sets RESTART=1 which will just execv HOPM_BINPATH. This is why I > carry the exec promise and only unveil the HOPM_BINPATH as part of the > base set of promises. > > -- > V/r, > > Chaz
>
> diff --git a/patch-src_main_c b/patch-src_main_c
> new file mode 100644
> index 00000000000..c76235abed6
> --- /dev/null
> +++ b/patch-src_main_c
> @@ -0,0 +1,102 @@
> +add pledge/unveil
> +
> +Index: src/main.c
> +--- src/main.c.orig
> ++++ src/main.c
> +@@ -30,6 +30,9 @@
> + #include <fcntl.h>
> + #include <stdlib.h>
> + #include <string.h>
> ++#if defined(__OpenBSD__)
> ++#include <err.h>
> ++#endif
> +
> + #include "config.h"
> + #include "irc.h"
> +@@ -39,6 +42,9 @@
> + #include "options.h"
> + #include "memory.h"
> + #include "main.h"
> ++#if defined(__OpenBSD__)
> ++#include "match.h"
> ++#endif
> +
> +
> + static int RESTART; /* Flagged to restart on next cycle */
> +@@ -70,6 +76,65 @@ setup_corelimit(void)
> + }
> + }
> +
> ++#if defined(__OpenBSD__)
> ++static void
> ++setup_pledge(void) {
> ++ int needr = 0;
> ++ int needp = 0;
> ++
> ++ if (unveil(HOPM_BINPATH, "x") == -1) {
> ++ err(1, "unveil");
> ++ }
> ++
> ++ if (IRCItem.tls) {
> ++ if (unveil("/etc/ssl/cert.pem", "r") == -1) {
> ++ err(1, "unveil");
> ++ }
> ++
> ++ if (!EmptyString(IRCItem.rsa_private_key_file) &&
> ++ !EmptyString(IRCItem.tls_certificate_file)) {
> ++ if (unveil("IRCItem.rsa_private_key", "r") == -1) {
> ++ err(1, "unveil");
> ++ }
> ++
> ++ if (unveil("IRCItem.tls_certificate_file", "r") == -1) {
> ++ err(1, "unveil");
> ++ }
> ++ }
> ++
> ++ needr = 1;
> ++ }
> ++
> ++ if (!EmptyString(OpmItem.dnsbl_to) &&
> ++ !EmptyString(OpmItem.dnsbl_from) &&
> ++ !EmptyString(OpmItem.sendmail)) {
> ++ if (unveil("/bin/sh", "x") == -1) {
> ++ err(1, "unveil");
> ++ }
> ++
> ++ needp = 1;
> ++ }
> ++
> ++ if (needr && needp) {
> ++ if (pledge("stdio rpath inet dns proc exec", NULL) == -1) {
> ++ err(1, "pledge");
> ++ }
> ++ } else if (needr) {
> ++ if (pledge("stdio rpath inet dns exec", NULL) == -1) {
> ++ err(1, "pledge");
> ++ }
> ++ } else if (needp) {
> ++ if (pledge("stdio inet dns proc exec", NULL) == -1) {
> ++ err(1, "pledge");
> ++ }
> ++ } else {
> ++ if (pledge("stdio inet dns exec", NULL) == -1) {
> ++ err(1, "pledge");
> ++ }
> ++ }
> ++}
> ++#endif
> ++
> + static void
> + do_signal(int signum)
> + {
> +@@ -199,6 +264,10 @@ main(int argc, char *argv[])
> + exit(EXIT_FAILURE);
> + }
> +
> ++#if defined(__OpenBSD__)
> ++ setup_pledge();
> ++#endif
> +
> + /* Setup alarm & int handlers. */
> + ALARMACTION.sa_handler = &do_signal;
> + ALARMACTION.sa_flags = SA_RESTART;
>
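Review bot: The two TLS unveil calls in setup_pledge() pass the string literals `"IRCItem.rsa_private_key"` and `"IRCItem.tls_certificate_file"` instead of the configured paths, so when a client key and certificate are set the real files are never unveiled and opening them after pledge will fail; the EmptyString checks just above them suggest the intended lines are `unveil(IRCItem.rsa_private_key_file, "r")` and `unveil(IRCItem.tls_certificate_file, "r")`. The unveil view is inherited across execve(2), so the "/bin/sh" unveil in the dnsbl branch presumably also needs `unveil(OpmItem.sendmail, "x")` for whatever the shell goes on to exec, and the SIGHUP restart via execv(HOPM_BINPATH) discussed in the thread will start the new hopm under this same view with no path to its configuration file (or any log/pid file it writes) unveiled — worth re-testing reload with a TLS or sendmail config before committing. Passing NULL execpromises leaves the re-exec'd process unpledged but still unveiled, so the restart cannot widen the view on its own. The enclosing main() hunk starts and ends outside this diff.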
Good to commit? -- Chaz