On Sat, Jun 08, 2019 at 01:15:37PM +0200, Jeremie Courreges-Anglas wrote:
> On Sat, Jun 08 2019, Florian Obser <flor...@openbsd.org> wrote:
> > On Fri, Jun 07, 2019 at 11:24:30PM +0100, Ricardo Mestre wrote:
> >> i did that and for some reason i didn't get it! it tries to open
> >> timezone so it kinda looks like a red flag right there...
> >>
> >> apart from /dev do we need to look into TZ on this one as well? if TZ
> >> var needs to be looked at then all bets are off :/
> >
> > this seems to do the right thing:
> >
> > diff --git sysctl.c sysctl.c
> > index dc6abc16670..c74e706942a 100644
> > --- sysctl.c
> > +++ sysctl.c
> > @@ -255,6 +255,13 @@ main(int argc, char *argv[])
> > argc -= optind;
> > argv += optind;
> >
> > + tzset(); /* for kern.boottime in localtime */
> > +
> > + if (unveil("/dev", "r") == -1)
> > + err(1, "unveil");
>
> sysctl(8) uses devname(3); the latter wants to use /var/run/dev.db and
> then falls back on listing /dev. Both /var/run/dev.db and /dev should
> be whitelisted I think.
nice catch. sure.

>
> --8<--
> 3461 sysctl CALL open(0x7fad42c9eeb,0x10000<O_RDONLY|O_CLOEXEC>)
> 3461 sysctl NAMI "/var/run/dev.db"
> 3461 sysctl RET open -1 errno 2 No such file or directory
> 3461 sysctl CALL
> open(0x7fad42c8f19,0x30000<O_RDONLY|O_CLOEXEC|O_DIRECTORY>)
> 3461 sysctl NAMI "/dev/"
> 3461 sysctl RET open 3
> -->8--
>
> Naive question: should sysctl(8) be pledged? I'm not objecting but
> I wonder what we are trying to protect us from, here.

shrug, I was just passive aggressively reacting to some unhelpful asshattery.

In more general terms when working with pledge / unveil I'm not interested in
listing (exhaustively) things we need to protect against. I try to come up
with the minimal set of privileges. That seems to be easier, at least for me.

Why is cat(1) pledged? It has 197 loc, surely a careful audit will find all
bugs... Maybe... Who knows...

So I don't have an answer to your question, but I also don't find it
interesting :)

>
> > + if (unveil(NULL, NULL) == -1)
> > + err(1, "unveil");
> > +
> > if (argc == 0 || (Aflag || aflag)) {
> > debuginit();
> > vfsinit();
>
> --
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
>

--
I'm not entirely sure you are real.
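Review bot: the unveil("/dev", "r") call near the top of the hunk does not cover /var/run/dev.db, which devname(3) opens before it falls back to scanning /dev (the quoted kdump shows open("/var/run/dev.db") returning ENOENT and then open("/dev/") succeeding); add `if (unveil("/var/run/dev.db", "r") == -1) err(1, "unveil");` next to it, before the final unveil(NULL, NULL). Without that line the program still appears to work on a host where dev.db is absent, because a path outside the unveil set also fails with ENOENT, but on a host where the database exists it would be silently ignored and every lookup would take the /dev-scanning path. The placement of tzset() above the unveil calls is right and the comment `/* for kern.boottime in localtime */` should also say that it sits there so the zone file is read before unveil(NULL, NULL) locks the filesystem view; otherwise a later cleanup may move it below the unveil calls, where the zone file is no longer readable.

The thread arrives at the unveil whitelist by reading a kdump(1) trace and keeping every path the program touches, including the /var/run/dev.db probe that failed. The following script is an added example, not code from the thread or from OpenBSD: it parses the `CALL open` / `NAMI` / `RET` triples that kdump prints, maps the open(2) flags to unveil(2) permission letters, merges repeated accesses per path, and emits the C calls. The sample trace is constructed for this example: the first six lines are the ones quoted above, the /etc/localtime and /tmp/out lines are made up to exercise the other branches (tzset() loading a zone file, and a write-create open).

```python
"""Derive a candidate unveil(2) whitelist from kdump(1) output.

Added example, not from the thread or OpenBSD. Paths are kept even when
the open failed with ENOENT: devname(3) probes /var/run/dev.db before it
falls back to /dev, and a non-unveiled path also fails with ENOENT, so
dropping failed probes would hide that dependency on hosts where the
file is present.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample: six lines quoted in the thread plus two invented
# lines (/etc/localtime, /tmp/out) to exercise the remaining branches.
SAMPLE_KDUMP = """\
 3461 sysctl   CALL  open(0x7fad42c9eeb,0x10000<O_RDONLY|O_CLOEXEC>)
 3461 sysctl   NAMI  "/var/run/dev.db"
 3461 sysctl   RET   open -1 errno 2 No such file or directory
 3461 sysctl   CALL  open(0x7fad42c8f19,0x30000<O_RDONLY|O_CLOEXEC|O_DIRECTORY>)
 3461 sysctl   NAMI  "/dev/"
 3461 sysctl   RET   open 3
 3461 sysctl   CALL  open(0x7fad42c8a10,0x10000<O_RDONLY|O_CLOEXEC>)
 3461 sysctl   NAMI  "/etc/localtime"
 3461 sysctl   RET   open 4
 3461 sysctl   CALL  open(0x7fad42c8b20,0x601<O_WRONLY|O_CREAT|O_TRUNC>)
 3461 sysctl   NAMI  "/tmp/out"
 3461 sysctl   RET   open 5
"""


class Access(NamedTuple):
    path: str   # normalised path (trailing slash stripped)
    perms: str  # unveil(2) permission letters derived from the open flags
    ok: bool    # True when open(2) returned a descriptor
    errno: int  # 0 on success, otherwise the errno kdump printed


_CALL = re.compile(r"\bCALL\s+open\(.*?<([A-Z_|]+)>\)")
_NAMI = re.compile(r'\bNAMI\s+"([^"]*)"')
_RET = re.compile(r"\bRET\s+open\s+(-?\d+)(?:\s+errno\s+(\d+))?")


def perms_from_flags(flags: str) -> str:
    """Map the symbolic open(2) flags kdump prints to unveil(2) letters."""
    fl = set(flags.split("|"))
    if "O_RDWR" in fl:
        perms = "rw"
    elif "O_WRONLY" in fl:
        perms = "w"
    else:
        perms = "r"  # O_RDONLY; kdump prints it explicitly
    if "O_CREAT" in fl:
        perms += "c"
    return perms


def normalize(path: str) -> str:
    return path.rstrip("/") or "/"


def parse_kdump(text: str) -> List[Access]:
    """Pair each CALL open with its NAMI and RET line, in order."""
    accesses: List[Access] = []
    flags = path = None
    for line in text.splitlines():
        m = _CALL.search(line)
        if m:
            flags, path = m.group(1), None
            continue
        m = _NAMI.search(line)
        if m and flags is not None:
            path = m.group(1)
            continue
        m = _RET.search(line)
        if m and flags is not None and path is not None:
            ret = int(m.group(1))
            err = int(m.group(2)) if m.group(2) else 0
            accesses.append(Access(normalize(path), perms_from_flags(flags), ret >= 0, err))
            flags = path = None
    return accesses


def unveil_plan(accesses: List[Access]) -> Dict[str, str]:
    """Merge permissions per path; failed probes (ENOENT) are kept on purpose."""
    plan: Dict[str, str] = {}
    for a in accesses:
        merged = set(plan.get(a.path, "")) | set(a.perms)
        plan[a.path] = "".join(ch for ch in "rwxc" if ch in merged)
    return plan


def render_unveil(plan: Dict[str, str]) -> List[str]:
    """Emit the C calls, ending with the unveil(NULL, NULL) lock."""
    out = [f'if (unveil("{p}", "{perm}") == -1)\n\terr(1, "unveil");'
           for p, perm in sorted(plan.items())]
    out.append('if (unveil(NULL, NULL) == -1)\n\terr(1, "unveil");')
    return out


if __name__ == "__main__":
    for stmt in render_unveil(unveil_plan(parse_kdump(SAMPLE_KDUMP))):
        print(stmt)
```

The output is a starting point, not the final list: a path that is only read once at startup, such as the zone file tzset() loads, can instead be read before unveil(NULL, NULL) and left out of the whitelist, which is what the patch in the thread does for localtime.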