From 7793ca36bb5aadee1a6f5e2708ec2ff9917aba6b Mon Sep 17 00:00:00 2001 From: Klemens Nanni Date: Tue, 29 Jun 2021 03:21:42 +0200 Subject: OpenBSD: unveil logs regardless of restrict mode Simplify logic and decouple the two features such that the code gets even more self-ducumenting. Previously `catgirl -R -l' would never unveil and therefore "proc exec" could execute arbitrary paths without "rpath" as is usual unveil/pledge semantic. Now that `catgirl -l' alone triggers unveil(2), previous "proc exec" alone is not enough since the first unveil() hides everything else from filesystem; unveil all of root executable-only in order to restore non-restrict mode's visibility. This leaves yields distinct cases wrt. filesystem visibility (hoisted save file functionality excluded): 1. restrict on, log off: no access 2. restrict on, log on : logdir write/create 3. restrict off, log off: all exec-only 4. restrict off, log on : logdir write/create, all else exec-only In the first case `unveil("/", "")' could be used but with no benefit as the later lack of "rpath wpath cpath", i.e. filesystem access is revoked entirely by pledge alone already. Practically, this does not change functionality but improves correctness and readability. --- chat.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/chat.c b/chat.c index 9934fc3..0bdb69c 100644 --- a/chat.c +++ b/chat.c @@ -282,12 +282,17 @@ int main(int argc, char *argv[]) { } #ifdef __OpenBSD__ - if (self.restricted && log) { + if (log) { const char *logdir = dataMkdir("log"); int error = unveil(logdir, "wc"); if (error) err(EX_OSERR, "unveil"); } + if (!self.restricted) { + int error = unveil("/", "x"); + if (error) err(EX_OSERR, "unveil"); + } + char promises[64] = "stdio tty"; char *ptr = &promises[strlen(promises)], *end = &promises[sizeof(promises)]; if (log) ptr = seprintf(ptr, end, " wpath cpath"); -- cgit 1.4.1