commit - 0bcde4c8df9f0fc2d418667c5f91831a88a6a425
commit + b942ab080a771fcaa36e5806fe6ee2ad2a311c8a
blob - 04db9fb475f2974cda1ee29f5a46ad6f1da68f2b
blob + 79a12fe132a7c0b06fc5c57a696e6e7570a953d4
--- gotd/gotd.c
+++ gotd/gotd.c
{
if (unveil(repo_path, "r") == -1)
fatal("unveil %s", repo_path);
+
+ if (unveil(NULL, NULL) == -1)
+ fatal("unveil");
+}
+
+static void
+apply_unveil_none(void)
+{
+ if (unveil("/", "") == -1)
+ fatal("unveil");
if (unveil(NULL, NULL) == -1)
fatal("unveil");
break;
case PROC_AUTH:
#ifndef PROFILE
- if (pledge("stdio getpw recvfd unix", NULL) == -1)
+ if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
err(1, "pledge");
#endif
+ /*
+ * We need the "unix" pledge promise for getpeername(2) only.
+ * Ensure that AF_UNIX bind(2) cannot be used by revoking all
+ * filesystem access via unveil(2). Access to password database
+ * files will still work since "getpw" bypasses unveil(2).
+ */
+ apply_unveil_none();
+
auth_main(title, &gotd.repos, repo_path);
/* NOTREACHED */
break;