From c2cd191676f5b491324d29484148c557dad548a5 Mon Sep 17 00:00:00 2001
From: Leah Rowe
Date: Wed, 31 May 2023 08:02:46 +0100
Subject: util/nvmutil: Harden pledge promises

After reading a file, remove rpath. When removing rpath, also remove wpath if flags are not to O_RDONLY (read-only disk operation). When wpath is permitted, and a file was successfully written, remove wpath. In order to permit /dev/urandom access in rhex(), I call it as a void just before re-calling pledge. The rhex() function has been written in such a way that /dev/urandom only needs to be read *once*.

Signed-off-by: Leah Rowe
---
 util/nvmutil/nvmutil.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index 9702ff0b..524e678e 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -124,6 +124,11 @@ main(int argc, char *argv[])
 	skipread[part ^ 1] = (cmd == &cmd_copy) | (cmd == &cmd_setchecksum)
 		| (cmd == &cmd_brick);
 	readGbeFile(&fd, FILENAME, flags, nr);
+	(void)rhex();
+	if (flags == O_RDONLY)
+		xpledge("stdio", NULL);
+	else
+		xpledge("stdio wpath", NULL);
 	if (strMac != NULL)
 		cmd_setmac(strMac); /* nvm gbe.bin setmac */
 	else if (cmd != NULL)
@@ -219,18 +224,16 @@ hextonum(char ch)
 uint8_t
 rhex(void)
 {
-	static int rfd = -1;
-	static uint64_t rnum = 0;
-	if (rnum == 0) {
+	static int rfd = -1, n = 0;
+	static uint8_t rnum[16];
+	if (!n) {
 		if (rfd == -1)
 			if ((rfd = open("/dev/urandom", O_RDONLY)) == -1)
 				err(errno, "/dev/urandom");
-		if (read(rfd, (uint8_t *) &rnum, 8) == -1)
+		if (read(rfd, (uint8_t *) &rnum, (n = 15) + 1) == -1)
 			err(errno, "/dev/urandom");
 	}
-	uint8_t rval = (uint8_t) (rnum & 0xf);
-	rnum >>= 4;
-	return rval;
+	return rnum[n--] & 0xf;
 }
 
 void
@@ -366,6 +369,7 @@ next_part:
 	}
 	if (close((*fd)))
 		err(errno, "%s", filename);
+	xpledge("stdio", NULL);
 }
 
 void
-- cgit v1.2.1
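Review bot: The `(void)rhex();` added before the pledge reads as a stray no-op to anyone who has not seen the commit message, since nothing in main consumes its result and the only reason for it is that /dev/urandom cannot be opened once rpath is gone; a comment on that line such as `/* prime rhex(): it opens /dev/urandom, which the pledge below makes impossible */` records the ordering constraint in the code. The same dependency deserves a note in rhex() itself, because any later change that resets rfd or reopens the device would fail at runtime under the reduced promise set. The `flags == O_RDONLY` test also assumes flags holds exactly the access mode; if anything in main (not visible here) ORs other bits into it, `(flags & O_ACCMODE) == O_RDONLY` is the robust comparison. main continues outside the hunk.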
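Review bot: The read() on the new refill line still only checks for -1, so a short read from /dev/urandom leaves the tail of rnum stale (or zero from static initialisation) while n is already 15, and those bytes are then handed out as random nibbles; compare against the requested length instead, `n = 16; if (read(rfd, rnum, sizeof rnum) != (ssize_t)sizeof rnum) errx(1, "/dev/urandom: short read");`, since err(errno, ...) on a short read would report a stale errno. Because the refill triggers when n reaches 0 and the index is used before the decrement, rnum[0] is never returned, so 16 bytes yield only 15 nibbles; `return rnum[--n] & 0xf;` paired with n = 16 uses all of them. Folding the assignment into the length argument as `(n = 15) + 1` hides both points and is worth replacing with a plain statement. The commit message says urandom is read once, but this path still calls read() whenever the buffer drains; that is fine under "stdio" because rfd stays open, and a comment like `/* rfd must be opened before rpath is pledged away; refills only need read() */` would protect the ordering main now relies on.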
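Review bot: The new `xpledge("stdio", NULL);` after close() sits in a function whose header is outside the hunk, so whether every exit path of that function reaches this line cannot be confirmed here; if the body can return early (for example through the loop that next_part belongs to) without reaching close, wpath would remain pledged for the rest of the run. Placing the drop after close is correct in that a close failure still reports through err() first, but a comment tying it to the commit's intent, e.g. `/* file written and closed: nothing after this needs wpath */`, would keep a future caller from adding a second open below it, which the reduced promise set would reject. pledge promises can only shrink, so if this function can be called more than once per run (not visible here) the first call's drop would make the second's write fail.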