commit d4940d40064a4fd732c26af1bb551d1ff633852d from: Stefan Sperling via: Thomas Adam date: Fri Jan 06 09:33:00 2023 UTC revoke filesystem access in gotd listen process via unveil(2) This should avoid involuntary use of bind(2) with arbitrary socket paths. ok op@ commit - c8cf682107ebbe81da9db3dbd267c51ff151b049 commit + d4940d40064a4fd732c26af1bb551d1ff633852d blob - fbc0a43b6e9215f801753d222c5d0fa31d57fbbd blob + 0ec673eb543fe43b8a1f452e450e37666f04588b
--- gotd/gotd.c
+++ gotd/gotd.c
@@ -2543,9 +2543,15 @@ main(int argc, char **argv)
 break;
 case PROC_LISTEN:
 #ifndef PROFILE
- if (pledge("stdio sendfd unix", NULL) == -1)
+ if (pledge("stdio sendfd unix unveil", NULL) == -1)
 err(1, "pledge");
 #endif
+ /*
+ * Ensure that AF_UNIX bind(2) cannot be used with any other
+ * sockets by revoking all filesystem access via unveil(2).
+ */
+ apply_unveil_none();
+
 listen_main(title, fd, gotd.connection_limits,
 gotd.nconnection_limits);
 /* NOTREACHED */
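Review bot: The "unveil" promise added to the pledge(2) call is still held by the listen process after apply_unveil_none() has run, even though the hunk shows no further use for it; unless listen_main() re-pledges without it (its body is outside this hunk), the usual pattern is to narrow the promises again right after the unveil(2) state is locked, e.g. `if (pledge("stdio sendfd unix", NULL) == -1) err(1, "pledge");` placed after `apply_unveil_none();` and inside the same `#ifndef PROFILE` guard. Whether apply_unveil_none() exits on an unveil(2) failure cannot be verified from this hunk; if it does not, the listen process would silently keep filesystem access that the new comment promises is revoked, so that should be confirmed against its definition. The new comment could also say more precisely what is being prevented, e.g. `Ensure that AF_UNIX bind(2) cannot create sockets at any other filesystem path by revoking all filesystem access via unveil(2).` The enclosing main() begins and ends outside the hunk.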