commit 44587340e4924f8f07bf02c57a9a1c2527c2d8d4
from: Stefan Sperling <stsp@stsp.name>
date: Fri Dec 30 08:41:00 2022 UTC

remove filesystem access via bind(2) from gotd auth process

op@ pointed out a problem in my initial patch where I forgot
to call unveil(2) with a path before unveil(NULL, NULL).

ok op, jamsek

commit - 365cf0f34d08316d433e730a8663283029f729b3
commit + 44587340e4924f8f07bf02c57a9a1c2527c2d8d4
blob - 05f659daea632d0e305556351e4d6a5e97519fa0
blob + b79d7d9818993976319266976df74331b6ba4d71
--- gotd/gotd.c
+++ gotd/gotd.c
@@ -2365,6 +2365,16 @@ apply_unveil_repo_readonly(const char *repo_path)
 {
 	if (unveil(repo_path, "r") == -1)
 		fatal("unveil %s", repo_path);
+
+	if (unveil(NULL, NULL) == -1)
+		fatal("unveil");
+}
+
+static void
+apply_unveil_none(void)
+{
+	if (unveil("/", "") == -1)
+		fatal("unveil");
 
 	if (unveil(NULL, NULL) == -1)
 		fatal("unveil");
@@ -2582,9 +2592,17 @@ main(int argc, char **argv)
 		break;
 	case PROC_AUTH:
 #ifndef PROFILE
-		if (pledge("stdio getpw recvfd unix", NULL) == -1)
+		if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
 			err(1, "pledge");
 #endif
+		/*
+		 * We need the "unix" pledge promise for getpeername(2) only.
+		 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
+		 * filesystem access via unveil(2). Access to password database
+		 * files will still work since "getpw" bypasses unveil(2).
+		 */
+		apply_unveil_none();
+
 		auth_main(title, &gotd.repos, repo_path);
 		/* NOTREACHED */
 		break;