Hi,
Are there any brave souls out there with unveil(2) enabled already?
If yes please test this diff for spamlogd(8) which seems to only need rw
access to the file PATH_SPAMD_DB and nothing else.
Not asking for OKs yet, but if the code pattern is correct can I start looking
at other programs?
Index: spamlogd.c
===================================================================
RCS file: /cvs/src/libexec/spamlogd/spamlogd.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 spamlogd.c
--- spamlogd.c 16 Mar 2016 14:47:04 -0000 1.27
+++ spamlogd.c 18 Jul 2018 11:46:59 -0000
@@ -376,12 +376,15 @@ main(int argc, char **argv)
}
if (syncsend) {
- if (pledge("stdio rpath wpath inet flock", NULL) == -1)
+ if (pledge("stdio rpath wpath inet flock unveil", NULL) == -1)
err(1, "pledge");
} else {
- if (pledge("stdio rpath wpath flock", NULL) == -1)
+ if (pledge("stdio rpath wpath flock unveil", NULL) == -1)
err(1, "pledge");
}
+
+ if (unveil(PATH_SPAMD_DB, "rw") == -1)
+ err(1, "unveil");
pcap_loop(hpcap, -1, phandler, NULL);
