diff options
author | June McEnroe <june@causal.agency> | 2021-09-26 17:25:58 -0400 |
---|---|---|
committer | June McEnroe <june@causal.agency> | 2021-09-26 17:25:58 -0400 |
commit | bdcb9ab46fa5b2e86c9d7253523dea5f4fd43d38 (patch) | |
tree | 7d2091550d8653f4b0a45f53472bb461a005e4b2 | |
parent | Fix inverted exec prepend logic (diff) | |
download | catsit-bdcb9ab46fa5b2e86c9d7253523dea5f4fd43d38.tar.gz catsit-bdcb9ab46fa5b2e86c9d7253523dea5f4fd43d38.zip |
OpenBSD: Simplify pledge(2) and unveil(2) strategy
-rw-r--r-- | daemon.c | 45 |
1 files changed, 16 insertions, 29 deletions
diff --git a/daemon.c b/daemon.c index 1bab9ef..88f59b2 100644 --- a/daemon.c +++ b/daemon.c @@ -216,30 +216,6 @@ int main(int argc, char *argv[]) { } } -#ifdef __OpenBSD__ - struct { - const char *path; - const char *mode; - } paths[] = { - { fifoPath, "crw" }, - { configPath, "r" }, - { "/", "r" }, - { "/dev/null", "rw" }, - { serviceDir, "r" }, - { _PATH_BSHELL, "x" }, - { pidPath, "cw" }, - { NULL, NULL }, - }; - for (size_t i = 0; paths[i].path; ++i) { - error = unveil(paths[i].path, paths[i].mode); - if (error) err(EX_CANTCREAT, "%s", paths[i].path); - } - error = pledge( - "stdio cpath dpath rpath wpath flock getpw proc exec id", NULL - ); - if (error) err(EX_OSERR, "pledge"); -#endif - error = access(serviceDir, X_OK); if (error) err(EX_NOINPUT, "%s", serviceDir); @@ -303,16 +279,27 @@ int main(int argc, char *argv[]) { return EX_OSERR; } } - if (pidPath) { - int len = dprintf(pidFile, "%ju", (uintmax_t)getpid()); - if (len < 0) syslog(LOG_WARNING, "%s: %m", pidPath); - } #ifdef __OpenBSD__ - error = pledge("stdio cpath rpath proc exec id", NULL); + error = 0 + || unveil(fifoPath, "c") + || unveil(configPath, "r") + || unveil(serviceDir, "r") + || unveil(_PATH_BSHELL, "x"); + if (error) err(EX_OSERR, "unveil"); + if (pidPath) { + error = unveil(pidPath, "c"); + if (error) err(EX_OSERR, "unveil"); + } + error = pledge("stdio rpath cpath proc exec id", NULL); if (error) err(EX_OSERR, "pledge"); #endif + if (pidPath) { + int len = dprintf(pidFile, "%ju", (uintmax_t)getpid()); + if (len < 0) syslog(LOG_WARNING, "%s: %m", pidPath); + } + signal(SIGHUP, signalHandler); signal(SIGINT, signalHandler); signal(SIGTERM, signalHandler); |