From 78fc89352b23571f6bf4d7ef7e9f4a464dfe373c Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Wed, 31 May 2023 08:53:08 +0100 Subject: util/nvmutil: Use unveil, and harden pledges After /dev/urandom (for MAC address randomisation) and the GbE file have been handled, unveil them. Unveil is a system call provided by OpenBSD that, when called, restricts access only to the files and/or directories specified, each given specific permissions. You can learn more about unveil here: https://man.openbsd.org/unveil.2 An ifdef rule makes nvmutil only use unveil on OpenBSD, because it's not available anywhere else. This is the same as with the pledge() system call. Where invalid arguments are given, and no action performed, pledge promises are also reduced to just stdio, preventing any writes to files, or reads from files. Signed-off-by: Leah Rowe --- util/nvmutil/nvmutil.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c index 524e678e..26c31d2c 100644 --- a/util/nvmutil/nvmutil.c +++ b/util/nvmutil/nvmutil.c @@ -57,6 +57,7 @@ void setWord(int pos16, int partnum, uint16_t val16); void byteswap(int n, int partnum); void writeGbeFile(int *fd, const char *filename, size_t nw); void xpledge(const char *promises, const char *execpromises); +void xunveil(const char *path, const char *permissions); #define FILENAME argv[1] #define COMMAND argv[2] @@ -79,7 +80,7 @@ uint8_t big_endian; int main(int argc, char *argv[]) { - xpledge("stdio rpath wpath", NULL); + xpledge("stdio rpath wpath unveil", NULL); size_t nr = 128; int fd, flags = O_RDWR; void (*cmd)(void) = NULL; @@ -92,7 +93,7 @@ main(int argc, char *argv[]) if (argc == 3) { if (strcmp(COMMAND, "dump") == 0) { - xpledge("stdio rpath", NULL); + xpledge("stdio rpath unveil", NULL); flags = O_RDONLY; cmd = &cmd_dump; } else if (strcmp(COMMAND, "setmac") == 0) { @@ -125,16 +126,20 @@ main(int argc, char *argv[]) (cmd == &cmd_setchecksum) | (cmd == &cmd_brick); readGbeFile(&fd, FILENAME, flags, nr); (void)rhex(); - if (flags == O_RDONLY) + xunveil("/dev/urandom", "r"); + if (flags == O_RDONLY) { xpledge("stdio", NULL); - else - xpledge("stdio wpath", NULL); + } else { + xpledge("stdio wpath unveil", NULL); + xunveil(FILENAME, "w"); + } if (strMac != NULL) cmd_setmac(strMac); /* nvm gbe.bin setmac */ else if (cmd != NULL) (*cmd)(); /* all other commands except setmac */ writeGbeFile(&fd, FILENAME, nr); - } + } else + xpledge("stdio", NULL); if ((errno != 0) && (cmd != &cmd_dump)) err(errno, NULL); @@ -381,3 +386,13 @@ xpledge(const char *promises, const char *execpromises) err(errno, NULL); #endif } + +void +xunveil(const char *path, const char *permissions) +{ + (void)path; (void)permissions; +#ifdef __OpenBSD__ + if (unveil(path, permissions) == -1) + err(errno, NULL); +#endif +} -- cgit v1.2.1