commit b942ab080a771fcaa36e5806fe6ee2ad2a311c8a from: Stefan Sperling via: Thomas Adam date: Fri Dec 30 14:58:04 2022 UTC remove filesystem access via bind(2) from gotd auth process op@ pointed out a problem in my initial patch where I forgot to call unveil(2) with a path before unveil(NULL, NULL). ok op, jamsek
commit - 0bcde4c8df9f0fc2d418667c5f91831a88a6a425
commit + b942ab080a771fcaa36e5806fe6ee2ad2a311c8a
blob - 04db9fb475f2974cda1ee29f5a46ad6f1da68f2b
blob + 79a12fe132a7c0b06fc5c57a696e6e7570a953d4
--- gotd/gotd.c
+++ gotd/gotd.c
@@ -2364,6 +2364,16 @@ apply_unveil_repo_readonly(const char *repo_path)
 {
 if (unveil(repo_path, "r") == -1)
 fatal("unveil %s", repo_path);
+
+ if (unveil(NULL, NULL) == -1)
+ fatal("unveil");
+}
+
+static void
+apply_unveil_none(void)
+{
+ if (unveil("/", "") == -1)
+ fatal("unveil");
 
 if (unveil(NULL, NULL) == -1)
 fatal("unveil");
@@ -2581,9 +2591,17 @@ main(int argc, char **argv)
 break;
 case PROC_AUTH:
 #ifndef PROFILE
- if (pledge("stdio getpw recvfd unix", NULL) == -1)
+ if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
 err(1, "pledge");
 #endif
+ /*
+ * We need the "unix" pledge promise for getpeername(2) only.
+ * Ensure that AF_UNIX bind(2) cannot be used by revoking all
+ * filesystem access via unveil(2). Access to password database
+ * files will still work since "getpw" bypasses unveil(2).
+ */
+ apply_unveil_none();
+
 auth_main(title, &gotd.repos, repo_path);
 /* NOTREACHED */
 break;
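Review bot: apply_unveil_none() has no comment explaining why it unveils "/" with an empty permission string before unveil(NULL, NULL), even though the commit message says the bare unveil(NULL, NULL) in the first version of this patch was the bug, which implies that without a prior path call the lock does not actually hide the filesystem. A later reader could easily treat the unveil("/", "") line as redundant and remove it, silently reintroducing the problem. I would put above the new function: `/* Revoke all filesystem access. The unveil("/", "") call is required: unveil(NULL, NULL) alone does not restrict anything when no path has been unveiled first. */` apply_unveil_repo_readonly() begins before the hunk; the new function itself is complete within it.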
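Review bot: Once apply_unveil_none() has locked the unveil set, the "unveil" promise added to the pledge string on the changed line serves no further purpose visible here, so the auth process keeps a promise it can no longer use; the usual pattern is to pledge again with the reduced set after unveil is done. Inside the same #ifndef PROFILE guard I would follow the apply_unveil_none() call with `if (pledge("stdio getpw recvfd unix", NULL) == -1)` / `err(1, "pledge");`. This assumes auth_main(), whose body lies outside the hunk, never calls unveil(2) again, which after unveil(NULL, NULL) would fail anyway. main() begins and ends outside the hunk.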