Hi,

Like we did on other daemons that cannot be pledged due to forbidden ioctls, the
main process can be unveiled to restrict filesystem access. In this case we can
restrict it to read only, although it must be the entire / since the daemon is
able to include config files from anywhere.

Additionally, the ldpe process currently has the cpath promise to unlink the socket;
nevertheless, the socket is actually unlinked from the main proc, so this
permission can be removed. As we discussed before, leaving the socket behind
doesn't do any harm, which is why I didn't unveil it in the main proc.

Comments? OK?

Index: ldpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldpd/ldpd.c,v
retrieving revision 1.64
diff -u -p -u -r1.64 ldpd.c
--- ldpd.c      31 Mar 2019 03:36:18 -0000      1.64
+++ ldpd.c      22 May 2019 11:09:33 -0000
@@ -222,6 +222,11 @@ main(int argc, char *argv[])
            pipe_parent2ldpe[1], debug, global.cmd_opts & LDPD_OPT_VERBOSE,
            sockname);
 
+       if (unveil("/", "r") == -1)
+               fatal("unveil");
+       if (unveil(NULL, NULL) == -1)
+               fatal("unveil");
+
        event_init();
 
        /* setup signal handler */
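Review bot: with only unveil("/", "r") in place, the unlink of the control socket that the cover letter says happens in the main process will now fail (removing a path needs "c"), so any check on that unlink's return value will start reporting an error at shutdown; either accept that explicitly in the unlink call site or add unveil(sockname, "c") before the locking unveil(NULL, NULL). Minor: both calls use fatal("unveil"), so a failure log cannot tell the first call from the lock-down call; distinct messages such as fatal("unveil /") and fatal("unveil lock") would help when debugging.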
Index: ldpe.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldpd/ldpe.c,v
retrieving revision 1.75
diff -u -p -u -r1.75 ldpe.c
--- ldpe.c      23 Jan 2019 02:02:04 -0000      1.75
+++ ldpe.c      22 May 2019 11:09:33 -0000
@@ -107,7 +107,7 @@ ldpe(int debug, int verbose, char *sockn
            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
                fatal("can't drop privileges");
 
-       if (pledge("stdio cpath inet mcast recvfd", NULL) == -1)
+       if (pledge("stdio inet mcast recvfd", NULL) == -1)
                fatal("pledge");
 
        event_init();
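Review bot: dropping "cpath" is only safe if nothing in ldpe after this point creates or removes a filesystem path, including error and shutdown paths; under pledge a violation aborts the process rather than returning an error, so it is worth grepping ldpe for unlink/mkdir/rename/open-with-O_CREAT once more before committing, rather than relying solely on the cover letter's statement that the socket is unlinked from the main proc.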
