From 94aa43d85750c676450e7ae0e29c06c861a126f8 Mon Sep 17 00:00:00 2001
From: Leah Rowe
Date: Sat, 3 Jun 2023 20:03:18 +0100
Subject: util/nvmutil: call unveil earlier, and harden
The mentality behind pledge and unveil is that you should think ahead, so that large parts of code can run under extremely tight restrictions. The pledge calls have been adjusted accordingly, also. Disallow all unveil calls after the gbe file and the file /dev/urandom have been unveiled.
Signed-off-by: Leah Rowe
---
util/nvmutil/nvmutil.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
(limited to 'util')
diff --git a/util/nvmutil/nvmutil.c b/util/nvmutil/nvmutil.c
index e9eda943..2af10373 100644
--- a/util/nvmutil/nvmutil.c
+++ b/util/nvmutil/nvmutil.c
@@ -7,12 +7,19 @@ int
 main(int argc, char *argv[])
 {
 xpledge("stdio rpath wpath unveil", NULL);
+ xunveil("/dev/urandom", "r");
 err_if((errno = argc < 3 ? EINVAL : errno));
 if ((flags = (strcmp(COMMAND, "dump") == 0) ? O_RDONLY : flags)
- == O_RDONLY)
- xpledge("stdio rpath unveil", NULL);
+ == O_RDONLY) {
+ xunveil(FILENAME, "r");
+ xpledge("stdio rpath", NULL);
+ } else {
+ xunveil(FILENAME, "rw");
+ xpledge("stdio rpath wpath", NULL);
+ }
 openFiles(FILENAME);
 xpledge("stdio", NULL);
+
 for (int i = 0; i < 6; i++)
 if (strcmp(COMMAND, op[i].str) == 0)
 if ((cmd = argc >= op[i].args ? op[i].cmd : NULL))
@@ -23,9 +30,10 @@ main(int argc, char *argv[])
 err_if((errno = (!((part = PARTNUM[0] - '0') == 0 || part == 1))
 || PARTNUM[1] ? EINVAL : errno));
 err_if((errno = (cmd == NULL) ? EINVAL : errno));
- readGbeFile(FILENAME);
+ readGbeFile(FILENAME);
 (*cmd)();
+
 if ((gbeFileModified) && (flags != O_RDONLY))
 writeGbeFile(FILENAME);
 err_if((errno != 0) && (cmd != &cmd_dump));
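Review bot: The pledge/unveil staircase that now opens main is left uncommented although it encodes a non-obvious invariant: only `/dev/urandom` and FILENAME are ever unveiled, the second `xpledge` in each branch deliberately omits the `unveil` promise so the filesystem view is locked before any file is opened (the commit message states this intent), and `xpledge("stdio", NULL)` after `openFiles` strips `rpath`/`wpath` for the remainder of the run. A short comment above the first `xpledge` would spare the next maintainer from re-deriving it, e.g. `/* Only these two paths are ever unveiled; the follow-up pledge drops "unveil" to lock the view, and after openFiles the process is reduced to "stdio". */`. The comment should also spell out the consequence that `readGbeFile` and `writeGbeFile` must work on the descriptors `openFiles` already holds, since any later `open()` would be a pledge violation — something this hunk cannot confirm because both functions lie outside it. Note as well that the `== O_RDONLY` test only selects the read-only branch correctly if the file-scope `flags` is initialised to a value other than O_RDONLY (0 on POSIX), which is also outside the hunk. main continues past the end of the hunk.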
@@ -41,9 +49,6 @@ openFiles(const char *path)
 err(errno = ECANCELED, "File `%s` not 8KiB", path);
 xopen(rfd, "/dev/urandom", O_RDONLY);
 errno = errno != ENOTDIR ? errno : 0;
- xunveil("/dev/urandom", "r");
- if (flags != O_RDONLY)
- xunveil(path, "w");
 }
 void
-- cgit v1.2.1