Thanks for the review - wasn't sure if that was useful. Will regenerate without the symbolic names.
On Sun, 2 May 2021 at 20:37, Theo de Raadt <dera...@openbsd.org> wrote: > > Showing the symbolic name is not doing anywhere else in the tree. > > Most likely they should be > > err(1, "unveil: %s", path); > > > Ashton Fagg <ash...@fagg.id.au> wrote: > > > Ashton Fagg <ash...@fagg.id.au> writes: > > > > > Hi all, > > > > > > I saw a discussion on here a while ago about the use of patterns like: > > > > > > if (unveil(some_path, "r") == -1) > > > err(1, "unveil"); > > > > > > And why that's maybe not preferable for debugging and troubleshooting > > > purposes for programs which have multiple unveil calls (which happens > > > fairly often). > > > > > > Original message here: > > > https://marc.info/?l=openbsd-tech&m=161470144611031&w=2 > > > > I decided just to go ahead and do this since I noticed there's some > > newer stuff not following this pattern (dhcpleased for example). Here are > > patches for: > > > > games/tetris > > bin/ps > > sbin/dhclient > > sbin/fsck > > sbin/fsck_msdos > > sbin/fsck_ffs > > sbin/nologin > > sbin/pflogd > > sbin/ping > > sbin/shutdown > > sbin/sysctl > > sbin/unwind > > > > I'll tackle /usr/bin and /usr/sbin another time. > >
> > diff --git a/bin/ps/ps.c b/bin/ps/ps.c
> > index 84be7afe802..3b6593a46a1 100644
> > --- a/bin/ps/ps.c
> > +++ b/bin/ps/ps.c
> > @@ -276,18 +276,18 @@ main(int argc, char *argv[])
> > errx(1, "%s", errbuf);
> >
> > if (unveil(_PATH_DEVDB, "r") == -1 && errno != ENOENT)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_DEVDB -> %s", _PATH_DEVDB);
> > if (unveil(_PATH_DEV, "r") == -1 && errno != ENOENT)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_DEV -> %s", _PATH_DEV);
> > if (swapf)
> > if (unveil(swapf, "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: swapf -> %s", swapf);
> > if (nlistf)
> > if (unveil(nlistf, "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: nlistf -> %s", nlistf);
> > if (memf)
> > if (unveil(memf, "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: memf -> %s", memf);
> > if (pledge("stdio rpath getpw ps", NULL) == -1)
> > err(1, "pledge");
> >
> > diff --git a/games/tetris/tetris.c b/games/tetris/tetris.c
> > index 69f4532a4ac..fdb7e7d2d40 100644
> > --- a/games/tetris/tetris.c
> > +++ b/games/tetris/tetris.c
> > @@ -234,7 +234,7 @@ main(int argc, char *argv[])
> > scr_init();
> >
> > if (unveil(scorepath, "rwc") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: scorepath -> %s", scorepath);
> >
> > if (pledge("stdio rpath wpath cpath tty", NULL) == -1)
> > err(1, "pledge");
> > diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
> > index 993c829f2d2..ba88d9f5f67 100644
> > --- a/sbin/dhclient/dhclient.c
> > +++ b/sbin/dhclient/dhclient.c
> > @@ -2334,11 +2334,11 @@ fork_privchld(struct interface_info *ifi, int fd,
> > int fd2)
> > fatal("socket(AF_ROUTE, SOCK_RAW)");
> >
> > if (unveil(_PATH_RESCONF, "wc") == -1)
> > - fatal("unveil");
> > + fatal("unveil: _PATH_RESCONF -> %s", _PATH_RESCONF);
> > if (unveil("/etc/resolv.conf.tail", "r") == -1)
> > - fatal("unveil");
> > + fatal("unveil: /etc/resolve.conf.tail");
> > if (unveil(NULL, NULL) == -1)
> > - fatal("unveil");
> > + fatal("unveil(NULL,NULL)");
> >
> > while (quit == 0) {
> > pfd[0].fd = priv_ibuf->fd;
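Review bot: The new message for the second unveil() in fork_privchld names `/etc/resolve.conf.tail`, but the path unveiled on the line above it is `/etc/resolv.conf.tail`, so a failure would be logged against a path the code never touches and would mislead whoever is debugging the sandbox setup. Change it to `fatal("unveil: /etc/resolv.conf.tail");`. The same kind of drift between message text and call argument appears in the sbin/pflogd/privsep.c hunk, where the message says `_PATH_RECONF` while the call uses `_PATH_RESCONF`. fork_privchld's body starts and ends outside the hunk.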
> > diff --git a/sbin/fsck/fsck.c b/sbin/fsck/fsck.c
> > index 09475f346d3..ce3826885c4 100644
> > --- a/sbin/fsck/fsck.c
> > +++ b/sbin/fsck/fsck.c
> > @@ -110,11 +110,11 @@ main(int argc, char *argv[])
> > checkroot();
> >
> > if (unveil("/dev", "rw") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: /dev");
> > if (unveil(_PATH_FSTAB, "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_FSTAB -> %s", _PATH_FSTAB);
> > if (unveil("/sbin", "x") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil /sbin");
> > if (pledge("stdio rpath wpath disklabel proc exec", NULL) == -1)
> > err(1, "pledge");
> >
> > diff --git a/sbin/fsck_msdos/check.c b/sbin/fsck_msdos/check.c
> > index 4a2f07f1131..b011cd7dca6 100644
> > --- a/sbin/fsck_msdos/check.c
> > +++ b/sbin/fsck_msdos/check.c
> > @@ -55,7 +55,7 @@ checkfilesys(const char *fname)
> > int mod = 0;
> >
> > if (unveil("/dev", "rw") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil /dev");
> >
> > rdonly = alwaysno;
> >
> > diff --git a/sbin/fsck_ffs/setup.c b/sbin/fsck_ffs/setup.c
> > index e9c922d7c37..e3706d7b759 100644
> > --- a/sbin/fsck_ffs/setup.c
> > +++ b/sbin/fsck_ffs/setup.c
> > @@ -105,7 +105,7 @@ setup(char *dev, int isfsdb)
> >
> > if (isfsdb || !hotroot()) {
> > if (unveil("/dev", "rw") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil /dev");
> > if (pledge("stdio rpath wpath getpw tty disklabel",
> > NULL) == -1)
> > err(1, "pledge");
> > diff --git a/sbin/nologin/nologin.c b/sbin/nologin/nologin.c
> > index 88bdd5f6fd7..7eb39266c56 100644
> > --- a/sbin/nologin/nologin.c
> > +++ b/sbin/nologin/nologin.c
> > @@ -47,7 +47,7 @@ main(int argc, char *argv[])
> > char nbuf[BUFSIZ];
> >
> > if (unveil(_PATH_NOLOGIN_TXT, "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_NOLOGIN_TXT -> %s", _PATH_NOLOGIN_TXT);
> > if (pledge("stdio rpath", NULL) == -1)
> > err(1, "pledge");
> >
> > diff --git a/sbin/pflogd/privsep.c b/sbin/pflogd/privsep.c
> > index a1c109005cf..fa0ec37ae6a 100644
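Review bot: The three new messages in the sbin/fsck/fsck.c hunk use two different formats: `"unveil: /dev"` and `"unveil: _PATH_FSTAB -> %s"` carry a colon after `unveil`, while `"unveil /sbin"` does not. Pick one form so that a single search over logs or stderr finds every unveil failure, for example `err(1, "unveil: /sbin");`. The colon-less form also appears in the fsck_msdos/check.c and fsck_ffs/setup.c hunks (`"unveil /dev"`), in pflogd/privsep.c (`"unveil /dev/bpf"`), in ping.c (`"unveil /"`) and in sysctl.c (`"unveil /dev"`). main's body in fsck.c starts and ends outside the hunk.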
> > --- a/sbin/pflogd/privsep.c
> > +++ b/sbin/pflogd/privsep.c
> > @@ -134,17 +134,17 @@ priv_init(int Pflag, int argc, char *argv[])
> > setproctitle("[priv]");
> >
> > if (unveil(_PATH_RESCONF, "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_RECONF -> %s", _PATH_RESCONF);
> > if (unveil(_PATH_HOSTS, "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_HOSTS -> %s", _PATH_HOSTS);
> > if (unveil(_PATH_SERVICES, "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_SERVICES -> %s", _PATH_SERVICES);
> > if (unveil("/dev/bpf", "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil /dev/bpf");
> > if (unveil(filename, "rwc") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: filename -> %s", filename);
> > if (unveil(NULL, NULL) == -1)
> > - err(1, "unveil");
> > + err(1, "unveil(NULL,NULL)");
> >
> > #if 0
> > /* This needs to do bpf ioctl */
> > diff --git a/sbin/ping/ping.c b/sbin/ping/ping.c
> > index f7c3c101b25..63585019da2 100644
> > --- a/sbin/ping/ping.c
> > +++ b/sbin/ping/ping.c
> > @@ -266,9 +266,9 @@ main(int argc, char *argv[])
> >
> > /* Cannot pledge due to special setsockopt()s below */
> > if (unveil("/", "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil /");
> > if (unveil(NULL, NULL) == -1)
> > - err(1, "unveil");
> > + err(1, "unveil(NULL,NULL)");
> >
> > if (strcmp("ping6", __progname) == 0) {
> > v6flag = 1;
> > diff --git a/sbin/shutdown/shutdown.c b/sbin/shutdown/shutdown.c
> > index d28eb676172..94c323c25dc 100644
> > --- a/sbin/shutdown/shutdown.c
> > +++ b/sbin/shutdown/shutdown.c
> > @@ -166,24 +166,24 @@ main(int argc, char *argv[])
> > }
> >
> > if (unveil(_PATH_CONSOLE, "rw") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_CONSOLE -> %s", _PATH_CONSOLE);
> > if (unveil(_PATH_RC, "r") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_RC -> %s", _PATH_RC);
> > if (unveil(_PATH_WALL, "x") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_WALL -> %s", _PATH_WALL);
> > if (unveil(_PATH_FASTBOOT, "wc") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_FASTBOOT -> %s", _PATH_FASTBOOT);
> > if (unveil(_PATH_NOLOGIN, "wc") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_NOLOGIN -> %s", _PATH_NOLOGIN);
> > if (dohalt || dopower) {
> > if (unveil(_PATH_HALT, "x") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_HALT -> %s", _PATH_HALT);
> > } else if (doreboot) {
> > if (unveil(_PATH_REBOOT, "x") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_REBOOT -> %s", _PATH_REBOOT);
> > } else {
> > if (unveil(_PATH_BSHELL, "x") == -1)
> > - err(1, "unveil");
> > + err(1, "unveil: _PATH_BSHELL -> %s", _PATH_BSHELL);
> > }
> > if (pledge("stdio rpath wpath cpath getpw tty id proc exec", NULL) ==
> > -1)
> > err(1, "pledge");
> > diff --git a/sbin/sysctl/sysctl.c b/sbin/sysctl/sysctl.c
> > index 5e9e562d308..b2fc7588b76 100644
> > --- a/sbin/sysctl/sysctl.c
> > +++ b/sbin/sysctl/sysctl.c
> > @@ -264,11 +264,11 @@ main(int argc, char *argv[])
> > ctime(&boottime); /* satisfy potential $TZ expansion before unveil()
> > */
> >
> > if (unveil(_PATH_DEVDB, "r") == -1 && errno != ENOENT)
> > - err(1,"unveil");
> > + err(1,"unveil: _PATH_DEVDB -> %s", _PATH_DEVDB);
> > if (unveil("/dev", "r") == -1 && errno != ENOENT)
> > - err(1, "unveil");
> > + err(1, "unveil /dev");
> > if (unveil(NULL, NULL) == -1)
> > - err(1, "unveil");
> > + err(1, "unveil(NULL,NULL)");
> >
> > if (argc == 0 || (Aflag || aflag)) {
> > debuginit();
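Review bot: The first rewritten line of the sbin/sysctl/sysctl.c hunk keeps the old spacing, `err(1,"unveil: ...`, with no space after the comma, while the two calls below it and every other hunk in the patch write `err(1, "`. Since the line is being replaced anyway, normalise it in the same change: `err(1, "unveil: _PATH_DEVDB -> %s", _PATH_DEVDB);`. main's body starts and ends outside the hunk.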
> > diff --git a/sbin/unwind/resolver.c b/sbin/unwind/resolver.c
> > index 2db2e7274ab..9c4916e2a8c 100644
> > --- a/sbin/unwind/resolver.c
> > +++ b/sbin/unwind/resolver.c
> > @@ -377,7 +377,7 @@ resolver(int debug, int verbose)
> > fatal("can't drop privileges");
> >
> > if (unveil(TLS_DEFAULT_CA_CERT_FILE, "r") == -1)
> > - fatal("unveil");
> > + fatal("unveil: TLS_DEFAULT_CA_CERT_FILE -> %s",
> > TLS_DEFAULT_CA_CERT_FILE);
> >
> > if (pledge("stdio inet dns rpath recvfd", NULL) == -1)
> > fatal("pledge");
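Review bot: The added fatal() call in resolver() runs onto a second line, `TLS_DEFAULT_CA_CERT_FILE);`, which carries no `+` marker in this copy, so the hunk as shown does not match its `+377,7` line count and would probably not apply. This may be the mail client wrapping an over-long line rather than a fault in the original patch. Either way the one-line form likely exceeds 80 columns once indented, so it should be wrapped deliberately in the source, with the continuation sent as its own added line. resolver's body starts and ends outside the hunk.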