From: timkuijsten <timkuijsten@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] pledge(2) all programs
Date: Thu, 13 Aug 2020 16:03:05 +0200 [thread overview]
Message-ID: <20200813140305.KzCLPYlv436ESSc-Q8Rc-GClKw5WMr_YtlsP-nr8laU@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-fa6558a0-26e0-48f6-803f-f5a8af34f6a8-mblaze-179@inbox.vuxu.org>
There is an updated pull request by timkuijsten against master on the mblaze repository
https://github.com/timkuijsten/mblaze renewpledge
https://github.com/leahneukirchen/mblaze/pull/179
pledge(2) all programs
I have checked all pledge calls and added some to ensure all main() functions are pledged as tightly as possible.
The only program remaining with a broad pledge is mshow (full filesystem access plus fork/exec). I think the most important improvement there would be to use unveil(2), but I consider adding support for unveil a separate endeavour.
I've been running this code without problems since December (with the exception of mdate which I just pledged), although I have only just rebased my work on all changes that happened in 2020 on master.
/cc @holsta
A patch file from https://github.com/leahneukirchen/mblaze/pull/179.patch is attached
From 59137944e4e8f24c1498429826d6c84bb8e7275e Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 21 Nov 2019 02:15:41 +0100
Subject: [PATCH] pledge(2) all programs
All programs except mshow have a very tight set of promises. mshow
has a broad set of promises and might be a good future candidate
to further restrict using unveil(2).
This patch is based on commit 0300a112 by Alex Holst (dated
2017-12-07), which was proposed in GH PR #79.
* pledged mpick, mflow and mdate so that now all programs are pledged
* removed some unneeded promises and added some missing promises
* move err.h include and OpenBSD ifdef into a new xpledge.h
* cleaned up code aligning and whitespace
---
maddr.c | 3 +++
magrep.c | 3 +++
mdate.c | 8 +++++++-
mdeliver.c | 3 +++
mdirs.c | 3 +++
mexport.c | 3 +++
mflag.c | 3 +++
mflow.c | 5 +++++
mgenmid.c | 3 +++
mhdr.c | 3 +++
minc.c | 3 +++
mlist.c | 3 +++
mmime.c | 3 +++
mpick.c | 3 +++
mscan.c | 7 +++++++
msed.c | 3 +++
mseq.c | 3 +++
mshow.c | 8 ++++++++
msort.c | 2 ++
mthread.c | 3 +++
xpledge.h | 26 ++++++++++++++++++++++++++
21 files changed, 100 insertions(+), 1 deletion(-)
create mode 100644 xpledge.h
diff --git a/maddr.c b/maddr.c
index 339acad..0169458 100644
--- a/maddr.c
+++ b/maddr.c
@@ -7,6 +7,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
static int aflag;
static int dflag;
@@ -108,6 +109,8 @@ main(int argc, char *argv[])
exit(1);
}
+ xpledge("stdio rpath", "");
+
if (argc == optind && isatty(0))
blaze822_loop1(":", addr);
else
diff --git a/magrep.c b/magrep.c
index 8cb3d1f..6f93a57 100644
--- a/magrep.c
+++ b/magrep.c
@@ -10,6 +10,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
static int aflag;
static int cflag;
@@ -218,6 +219,8 @@ main(int argc, char *argv[])
if (!rx)
goto usage;
+ xpledge("stdio rpath", "");
+
*rx++ = 0;
int r = regcomp(&pattern, rx, REG_EXTENDED | iflag);
if (r != 0) {
diff --git a/mdate.c b/mdate.c
index fb95d7c..793f65e 100644
--- a/mdate.c
+++ b/mdate.c
@@ -1,11 +1,17 @@
#include <time.h>
#include <unistd.h>
+#include "xpledge.h"
+
int
main()
{
char buf[64];
- time_t now = time(0);
+ time_t now;
+
+ xpledge("stdio", "");
+
+ now = time(0);
ssize_t l = strftime(buf, sizeof buf,
"%a, %d %b %Y %T %z\n", localtime(&now));
diff --git a/mdeliver.c b/mdeliver.c
index c599d9d..161cea5 100644
--- a/mdeliver.c
+++ b/mdeliver.c
@@ -13,6 +13,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
/*
design rationale:
@@ -340,6 +341,8 @@ main(int argc, char *argv[])
if (argc != optind+1)
goto usage2;
+ xpledge("stdio rpath wpath cpath", "");
+
targetdir = argv[optind];
gethost();
diff --git a/mdirs.c b/mdirs.c
index 46b2426..5f49906 100644
--- a/mdirs.c
+++ b/mdirs.c
@@ -9,6 +9,7 @@
#include "blaze822.h"
#include "blaze822_priv.h"
+#include "xpledge.h"
static char sep = '\n';
int aflag;
@@ -88,6 +89,8 @@ main(int argc, char *argv[])
if (argc == optind)
goto usage;
+ xpledge("stdio rpath", "");
+
char toplevel[PATH_MAX];
if (!getcwd(toplevel, sizeof toplevel)) {
perror("mdirs: getcwd");
diff --git a/mexport.c b/mexport.c
index 91fa9a6..d758d0c 100644
--- a/mexport.c
+++ b/mexport.c
@@ -10,6 +10,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
static int Sflag;
@@ -141,6 +142,8 @@ main(int argc, char *argv[])
status = 0;
+ xpledge("stdio rpath", "");
+
if (argc == optind && isatty(0))
blaze822_loop1(":", export);
else
diff --git a/mflag.c b/mflag.c
index 7708946..ddf633c 100644
--- a/mflag.c
+++ b/mflag.c
@@ -13,6 +13,7 @@
#include "blaze822.h"
#include "blaze822_priv.h"
+#include "xpledge.h"
static int8_t flags[255];
static int vflag = 0;
@@ -134,6 +135,8 @@ main(int argc, char *argv[])
exit(1);
}
+ xpledge("stdio rpath cpath", "");
+
curfile = blaze822_seq_cur();
if (vflag) {
diff --git a/mflow.c b/mflow.c
index 41db508..af6755d 100644
--- a/mflow.c
+++ b/mflow.c
@@ -10,6 +10,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
int column = 0;
int maxcolumn = 80;
@@ -107,6 +108,8 @@ main(int argc, char *argv[])
int force = 0;
int delsp = 0;
+ xpledge("stdio rpath tty", "");
+
char *ct = getenv("PIPE_CONTENTTYPE");
if (ct) {
char *s, *se;
@@ -130,6 +133,8 @@ main(int argc, char *argv[])
}
}
+ xpledge("stdio", "");
+
char *maxcols = getenv("MAXCOLUMNS");
if (maxcols && isdigit(*maxcols)) {
int m = atoi(maxcols);
diff --git a/mgenmid.c b/mgenmid.c
index c7d713c..eb161cf 100644
--- a/mgenmid.c
+++ b/mgenmid.c
@@ -13,6 +13,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
void
printb36(uint64_t x)
@@ -36,6 +37,8 @@ int main()
char *f = blaze822_home_file("profile");
struct message *config = blaze822(f);
+ xpledge("stdio rpath", "");
+
if (config) // try FQDN: first
host = blaze822_hdr(config, "fqdn");
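Review bot: The pledge in this hunk is reached only after `blaze822_home_file("profile")` and `blaze822(f)` have already opened and parsed the profile, so the file read and the header parser run unrestricted. Both calls need nothing beyond what is promised here (assuming blaze822_home_file does no more than build a path under $HOME), so move `xpledge("stdio rpath", "");` above the `char *f = blaze822_home_file("profile");` line and the parser is covered too. main() continues outside the hunk.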
diff --git a/mhdr.c b/mhdr.c
index 18cbc5e..d434d1d 100644
--- a/mhdr.c
+++ b/mhdr.c
@@ -10,6 +10,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
static char *hflag;
static char *pflag;
@@ -245,6 +246,8 @@ main(int argc, char *argv[])
status = 1;
+ xpledge("stdio rpath", "");
+
if (argc == optind && isatty(0))
blaze822_loop1(".", header);
else
diff --git a/minc.c b/minc.c
index f495da1..c1d28fd 100644
--- a/minc.c
+++ b/minc.c
@@ -12,6 +12,7 @@
#include "blaze822.h"
#include "blaze822_priv.h"
+#include "xpledge.h"
static int qflag;
static int status;
@@ -76,6 +77,8 @@ main(int argc, char *argv[])
if (optind == argc)
goto usage;
+ xpledge("stdio rpath cpath", "");
+
status = 0;
for (i = optind; i < argc; i++)
inc(argv[i]);
diff --git a/mlist.c b/mlist.c
index 3cb082f..5debf99 100644
--- a/mlist.c
+++ b/mlist.c
@@ -13,6 +13,7 @@
#include "blaze822.h"
#include "blaze822_priv.h"
+#include "xpledge.h"
/*
@@ -272,6 +273,8 @@ main(int argc, char *argv[])
int i;
+ xpledge("stdio rpath", "");
+
for (i = 0, flagsum = 0, flagset = 0; (size_t)i < sizeof flags; i++) {
if (flags[i] != 0)
flagset++;
diff --git a/mmime.c b/mmime.c
index da7f179..e27a6a8 100644
--- a/mmime.c
+++ b/mmime.c
@@ -16,6 +16,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
static int cflag;
static int rflag;
@@ -520,6 +521,8 @@ main(int argc, char *argv[])
if (argc != optind)
goto usage;
+ xpledge("stdio rpath", "");
+
if (cflag)
return check();
diff --git a/mpick.c b/mpick.c
index bff0cc3..93bbafb 100644
--- a/mpick.c
+++ b/mpick.c
@@ -43,6 +43,7 @@
#include <wchar.h>
#include "blaze822.h"
+#include "xpledge.h"
enum op {
EXPR_OR = 1,
@@ -1463,6 +1464,8 @@ main(int argc, char *argv[])
exit(1);
}
+ xpledge("stdio rpath", "");
+
void *cb = need_thr ? collect : oneline;
if (argc == optind && isatty(0))
i = blaze822_loop1(":", cb);
diff --git a/mscan.c b/mscan.c
index 6ae1628..52ba9a4 100644
--- a/mscan.c
+++ b/mscan.c
@@ -2,6 +2,8 @@
#define _XOPEN_SOURCE 700
#endif
+#include "xpledge.h"
+
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -549,6 +551,8 @@ main(int argc, char *argv[])
exit(1);
}
+ xpledge("stdio rpath tty proc exec", NULL);
+
if (nflag) {
if (argc == optind && isatty(0))
blaze822_loop1(":", numline);
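Review bot: `proc exec` is promised here with `NULL` execpromises, which means any child exec'd before the narrowing pledge later in main() runs completely unpledged; nothing visible in this hunk forks or execs, so if the code between the two pledge calls (it lies outside the hunk) does not spawn anything, drop both promises and pledge `"stdio rpath tty"` here. If a child really is spawned in that window, say which one next to the call: `/* proc exec: <program> is spawned below; NULL leaves the child unpledged */`. Note also the mixed convention: this call passes `NULL` for execpromises while the second call in this file and every other program pass `""`; pick one form per intent (unrestricted child vs. no child possible) so a reader can tell which is meant at each site.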
@@ -584,6 +588,9 @@ main(int argc, char *argv[])
}
if (ttyfd >= 0)
close(ttyfd);
+
+ xpledge("stdio rpath", "");
+
if (getenv("COLUMNS"))
cols = atoi(getenv("COLUMNS"));
if (cols <= 40)
diff --git a/msed.c b/msed.c
index 4fef8f4..7bb0b82 100644
--- a/msed.c
+++ b/msed.c
@@ -11,6 +11,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
static char *expr;
@@ -323,6 +324,8 @@ main(int argc, char *argv[])
exit(1);
}
+ xpledge("stdio rpath", "");
+
expr = argv[optind];
optind++;
diff --git a/mseq.c b/mseq.c
index 4bcb89f..f63aaae 100644
--- a/mseq.c
+++ b/mseq.c
@@ -13,6 +13,7 @@
#include "blaze822.h"
#include "blaze822_priv.h"
+#include "xpledge.h"
static int fflag;
static int rflag;
@@ -298,6 +299,8 @@ main(int argc, char *argv[])
exit(1);
}
+ xpledge("stdio rpath wpath cpath", "");
+
if (cflag)
blaze822_loop1(cflag, overridecur);
diff --git a/mshow.c b/mshow.c
index 8ecf157..8d70120 100644
--- a/mshow.c
+++ b/mshow.c
@@ -14,6 +14,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
static int Bflag;
static int rflag;
@@ -797,6 +798,8 @@ main(int argc, char *argv[])
exit(1);
}
+ xpledge("stdio rpath wpath cpath proc exec", NULL);
+
if (!rflag && !xflag && !Oflag && !Rflag)
safe_output = 1;
@@ -822,17 +825,22 @@ main(int argc, char *argv[])
}
if (xflag) { // extract
+ xpledge("stdio rpath wpath cpath", NULL);
extract(xflag, argc-optind, argv+optind, 0);
} else if (Oflag) { // extract to stdout
+ xpledge("stdio rpath", NULL);
extract(Oflag, argc-optind, argv+optind, 1);
} else if (tflag) { // list
+ xpledge("stdio rpath", NULL);
if (argc == optind && isatty(0))
blaze822_loop1(".", list);
else
blaze822_loop(argc-optind, argv+optind, list);
} else if (Rflag) { // render for reply
+ xpledge("stdio rpath", NULL);
blaze822_loop(argc-optind, argv+optind, reply);
} else { // show
+ /* XXX pledge: still r/w on the whole file-system + fork/exec */
if (!(qflag || rflag || Fflag)) {
char *f = getenv("MAILFILTER");
if (!f)
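Review bot: The `show` branch keeps `proc exec` with `NULL` execpromises even when `qflag || rflag || Fflag` is set, i.e. when the `MAILFILTER` lookup on the visible lines is skipped; if that path never spawns a filter (the branch continues past the hunk, so this needs confirming) a narrowing `xpledge("stdio rpath", NULL);` in that case would confine fork/exec to the filtered path only. The `XXX` comment should also state what the `NULL` means, since that is the security-relevant choice here: `/* execpromises NULL: MAILFILTER children run unpledged on purpose */`. The other branches drop `proc exec` as they should, and the extract path correctly keeps `wpath cpath` only where files are written.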
diff --git a/msort.c b/msort.c
index e07ac69..5d2d88d 100644
--- a/msort.c
+++ b/msort.c
@@ -10,6 +10,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
struct mail {
char *file;
@@ -316,6 +317,7 @@ main(int argc, char *argv[])
exit(1);
}
+ xpledge("stdio rpath", "");
mails = calloc(sizeof (struct mail), mailalloc);
if (!mails)
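Review bot: A style nit — this is the only `xpledge()` call in the series not followed by a blank line before the next statement, while the commit message claims whitespace was cleaned up; add an empty line after `xpledge("stdio rpath", "");` to match the other programs. main() continues outside the hunk.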
diff --git a/mthread.c b/mthread.c
index 8a7172a..9d718fc 100644
--- a/mthread.c
+++ b/mthread.c
@@ -19,6 +19,7 @@
#include <unistd.h>
#include "blaze822.h"
+#include "xpledge.h"
static int vflag;
static int pflag;
@@ -419,6 +420,8 @@ main(int argc, char *argv[])
optional = 1;
+ xpledge("stdio rpath", "");
+
while ((c = getopt(argc, argv, "S:prv")) != -1)
switch (c) {
case 'S': blaze822_loop1(optarg, thread); break;
diff --git a/xpledge.h b/xpledge.h
new file mode 100644
index 0000000..f0fb9a0
--- /dev/null
+++ b/xpledge.h
@@ -0,0 +1,26 @@
+#ifndef PLEDGE_H
+#define PLEDGE_H
+
+#ifdef __OpenBSD__
+
+#ifndef _BSD_SOURCE
+#define _BSD_SOURCE
+#endif
+
+#include <err.h>
+#include <unistd.h>
+
+static void
+xpledge(const char *promises, const char *execpromises)
+{
+ if (pledge(promises, execpromises) == -1)
+ err(1, "pledge");
+}
+
+#endif /* __OpenBSD__ */
+
+#elif
+
+#define xpledge(promises, execpromises)) 0
+
+#endif /* PLEDGE_H */
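Review bot: The non-OpenBSD branch of this header cannot compile: the `#endif /* __OpenBSD__ */` a few lines up already closes the `#ifdef`, so the `#elif` (which also has no expression) attaches to the `#ifndef PLEDGE_H` guard, and `#define xpledge(promises, execpromises)) 0` has an unbalanced `)`. The cover letter says the code has only been run on OpenBSD, so this branch appears untested; on any other platform every program in the diffstat fails to build. Replace the tail of the header with an `#else` branch holding a no-op `static inline` function (keeps argument type-checking and avoids unused-parameter warnings) and close the two conditionals in order. Separately, `_BSD_SOURCE` is defined here after `<unistd.h>` has usually already been included (every file but mscan.c puts this header last), so in a translation unit that sets `_XOPEN_SOURCE`/`_POSIX_C_SOURCE` the `pledge` prototype may not be visible — worth confirming on OpenBSD with -Wall.
```c
/* … unchanged: OpenBSD xpledge() wrapper … */

#else /* !__OpenBSD__ */

/* No pledge(2) on this platform: accept and ignore the promises. */
static inline void
xpledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
}

#endif /* __OpenBSD__ */

#endif /* PLEDGE_H */
```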