authorLeah Rowe <leah@libreboot.org>2023-06-03 20:03:18 +0100
committerLeah Rowe <leah@libreboot.org>2023-06-03 21:03:21 +0100
commit94aa43d85750c676450e7ae0e29c06c861a126f8 (patch)
tree2374bfe984c62d435f104d51aa3a19fc0e9f85a1 /util/nvmutil
parentdb63fcffb5ba30f7a0ed74ba9b437957592e6cb9 (diff)
util/nvmutil: call unveil earlier, and harden
The mentality behind pledge and unveil is that you should think ahead, so that large parts of code can run under extremely tight restrictions. The pledge calls have been adjusted accordingly, also. Disallow all unveil calls after the gbe file and the file /dev/urandom have been unveiled. Signed-off-by: Leah Rowe <leah@libreboot.org>
Diffstat (limited to 'util/nvmutil')
-rw-r--r--util/nvmutil/nvmutil.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index e9eda94..2af1037 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -7,12 +7,19 @@ int
main(int argc, char *argv[])
{
xpledge("stdio rpath wpath unveil", NULL);
+ xunveil("/dev/urandom", "r");
err_if((errno = argc < 3 ? EINVAL : errno));
if ((flags = (strcmp(COMMAND, "dump") == 0) ? O_RDONLY : flags)
- == O_RDONLY)
- xpledge("stdio rpath unveil", NULL);
+ == O_RDONLY) {
+ xunveil(FILENAME, "r");
+ xpledge("stdio rpath", NULL);
+ } else {
+ xunveil(FILENAME, "rw");
+ xpledge("stdio rpath wpath", NULL);
+ }
openFiles(FILENAME);
xpledge("stdio", NULL);
+
for (int i = 0; i < 6; i++)
if (strcmp(COMMAND, op[i].str) == 0)
if ((cmd = argc >= op[i].args ? op[i].cmd : NULL))
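Review bot: The `else` branch unveils FILENAME as "rw" and keeps `wpath` for every COMMAND other than "dump", including strings that match nothing in `op[]`, because the lookup loop that sets `cmd` runs only after `openFiles(FILENAME)` and the `cmd == NULL` check sits later still (second hunk). That lookup only compares strings, so it could probably run before the unveil/pledge branch, letting an unknown command fail with EINVAL before any path is unveiled writable. The loop body continues outside this hunk, so this should be checked against the full function. A comment above the branch would also help, for example `/* dropping "unveil" from the promises locks the unveil list: only FILENAME and /dev/urandom remain visible */`, since the commit message describes that hardening but the code does not.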
@@ -23,9 +30,10 @@ main(int argc, char *argv[])
err_if((errno = (!((part = PARTNUM[0] - '0') == 0 || part == 1))
|| PARTNUM[1] ? EINVAL : errno));
err_if((errno = (cmd == NULL) ? EINVAL : errno));
- readGbeFile(FILENAME);
+ readGbeFile(FILENAME);
(*cmd)();
+
if ((gbeFileModified) && (flags != O_RDONLY))
writeGbeFile(FILENAME);
err_if((errno != 0) && (cmd != &cmd_dump));
@@ -41,9 +49,6 @@ openFiles(const char *path)
err(errno = ECANCELED, "File `%s` not 8KiB", path);
xopen(rfd, "/dev/urandom", O_RDONLY);
errno = errno != ENOTDIR ? errno : 0;
- xunveil("/dev/urandom", "r");
- if (flags != O_RDONLY)
- xunveil(path, "w");
}
void