As per krw@, I probably should add a #define to /sbin/dhclient and use that instead of saved_argv, and you wouldn't have that error, but you'd still have to make install.
On 22:53 Mon 05 Nov , Remi Locherer wrote:
> On Mon, Nov 05, 2018 at 12:30:08PM +0000, Ricardo Mestre wrote:
> > Hi,
> >
> > dhclient(8)'s privileged process cannot be pledged yet due to some route
> > related sysctl(2)'s, but it seems it only needs to access two files. One is
> > /etc/resolv.conf with write/create permissions and saved_argv[0] (usually
> > /sbin/dhclient) with execute since we may receive a SIGHUP and it will need
> > to re-exec itself. We could go further and keep /etc/resolv.conf veiled if we
> > supersede both domain-name and domain-name-servers in the config file, but
> > it seems a bit overkill, and with the simple diff below I didn't have any
> > problems.
> >
> > Comments? OK? Cluebat stick?
>
> First I thought the diff does not work:
>
> typhoon ..n/dhclient$ doas obj/dhclient -d iwm0
> fatal in iwm0 [priv]: unveil: No such file or directory
> iwm0: DHCPREQUEST to 255.255.255.255
> iwm0: unpriv_ibuf: ERR|HUP|NVAL
>
>
> It does not work because "obj" is a symlink here. When called without
> a symlink in the path it works as expected. The error message is a bit
> awkward.
>
>
> > Index: dhclient.c
> > ===================================================================
> > RCS file: /cvs/src/sbin/dhclient/dhclient.c,v
> > retrieving revision 1.581
> > diff -u -p -u -r1.581 dhclient.c
> > --- dhclient.c 4 Nov 2018 19:10:34 -0000 1.581
> > +++ dhclient.c 5 Nov 2018 12:02:51 -0000
> > @@ -2234,6 +2234,13 @@ fork_privchld(struct interface_info *ifi
> > if ((routefd = socket(AF_ROUTE, SOCK_RAW, 0)) == -1)
> > fatal("socket(AF_ROUTE, SOCK_RAW)");
> >
> > + if (unveil("/etc/resolv.conf", "wc") == -1)
> > + fatal("unveil");
> > + if (unveil(saved_argv[0], "x") == -1)
> > + fatal("unveil");
> > + if (unveil(NULL, NULL) == -1)
> > + fatal("unveil");
> > +
> > while (quit == 0) {
> > pfd[0].fd = priv_ibuf->fd;
> > pfd[0].events = POLLIN;
> >
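Review bot: All three new unveil() checks in fork_privchld() fail with the identical message fatal("unveil"), so a failure cannot be attributed to a path; that is why the "unveil: No such file or directory" output above gives no hint that saved_argv[0] was the path that failed. Giving each call its own message, for example fatal("unveil /etc/resolv.conf") and one that names the re-exec path, would have made the symlinked obj/ case obvious at once. Separately, unveil(saved_argv[0], "x") pins the permitted re-exec target to whatever path the process happened to be started with, so a relative or symlinked argv[0] gives a different unveil result than /sbin/dhclient; the #define of the installed path that krw@ suggested makes the unveiled path independent of how dhclient was invoked, and it is worth a comment next to the unveil() call saying that the path must stay in sync with the install location.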