ping?
On 12:33 Wed 22 May , Ricardo Mestre wrote:
> Hi,
>
> Like we did on other daemons that cannot be pledged due to forbidden ioctls,
> the main process can be unveiled to restrict filesystem access. In this case
> we can restrict it to only read, although it must be the entire / since the
> daemon is able to include config files from anywhere.
>
> Additionally, the ldpe process currently has the cpath promise to unlink the
> socket; nevertheless, the socket is actually unlinked from the main proc, so
> this permission can be removed. As we discussed before, leaving the socket
> behind doesn't do any harm; that's why I didn't unveil it in the main proc.
>
> Comments? OK?
>
> Index: ldpd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ldpd/ldpd.c,v
> retrieving revision 1.64
> diff -u -p -u -r1.64 ldpd.c
> --- ldpd.c 31 Mar 2019 03:36:18 -0000 1.64
> +++ ldpd.c 22 May 2019 11:09:33 -0000
> @@ -222,6 +222,11 @@ main(int argc, char *argv[])
> pipe_parent2ldpe[1], debug, global.cmd_opts & LDPD_OPT_VERBOSE,
> sockname);
>
> + if (unveil("/", "r") == -1)
> + fatal("unveil");
> + if (unveil(NULL, NULL) == -1)
> + fatal("unveil");
> +
> event_init();
>
> /* setup signal handler */
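Review bot: the read-only unveil of "/" in this hunk means the parent can no longer unlink its control socket on exit, which the mail says is intentional; a one-line comment above the two unveil() calls stating that the socket is deliberately left behind would stop the next reader from treating the failed unlink as a bug. Placing the calls after the ldpe child has been started (the preceding context lines pass pipe_parent2ldpe[1], debug and sockname to it) correctly confines the restriction to the parent, and both calls fataling on -1 is the right failure mode since a partially applied unveil would silently leave the process less restricted than intended.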
> Index: ldpe.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ldpd/ldpe.c,v
> retrieving revision 1.75
> diff -u -p -u -r1.75 ldpe.c
> --- ldpe.c 23 Jan 2019 02:02:04 -0000 1.75
> +++ ldpe.c 22 May 2019 11:09:33 -0000
> @@ -107,7 +107,7 @@ ldpe(int debug, int verbose, char *sockn
> setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
> fatal("can't drop privileges");
>
> - if (pledge("stdio cpath inet mcast recvfd", NULL) == -1)
> + if (pledge("stdio inet mcast recvfd", NULL) == -1)
> fatal("pledge");
>
> event_init();
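Review bot: removing cpath from the ldpe pledge is only safe if no remaining code path in this process creates, renames or unlinks a file, and the hunk alone cannot show that; the commit message should state explicitly that the control socket is unlinked by the parent, so the reason the promise is absent is recorded next to the change rather than only in this thread. The visible lines look right otherwise: the pledge still follows the setresuid() privilege drop and keeps inet, mcast and recvfd for the socket and fd-passing work the process does.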