commit 6fe3b58aaa9bdb466eabad75eb65bce86d7155af from: Stefan Sperling date: Tue Nov 14 10:52:03 2023 UTC fix gotwebd unveil permissions The main process doesn't need write access anywhere and /tmp is not needed. The sockets process didn't use unveil at all so far, but is happy with just "x" for libexec helpers and "r" for each server's repository path. Input from op@ Tested by myself and Kyle Ackerman who also reviewed the diffs. Prompted by questions from mlarkin@ ok mlarkin@, op@
commit - b1c090542f4ecaf993fc81468338839febcb8e37
commit + 6fe3b58aaa9bdb466eabad75eb65bce86d7155af
blob - 1355425a306b5f1305bfc75b471bd657c206cbb0
blob + 61fb6877f63be71b25e656fc29c058fc075dcd89
--- gotwebd/gotwebd.c
+++ gotwebd/gotwebd.c
@@ -249,10 +249,7 @@ main(int argc, char **argv)
 err(1, "gmon.out");
 #endif
 
- if (unveil(env->httpd_chroot, "rwc") == -1)
- err(1, "unveil");
-
- if (unveil(GOT_TMPDIR_STR, "rw") == -1)
+ if (unveil(env->httpd_chroot, "r") == -1)
 err(1, "unveil");
 
 if (unveil(GOTWEBD_CONF, "r") == -1)
blob - 341d3774c799acfb106876120fa0e5ae0b9131c0
blob + 41cd91c3bd6c1f4770326a36d2946029e390fb11
--- gotwebd/sockets.c
+++ gotwebd/sockets.c
@@ -53,6 +53,7 @@
 #include "got_opentemp.h"
 #include "got_reference.h"
 #include "got_repository.h"
+#include "got_privsep.h"
 
 #include "proc.h"
 #include "gotwebd.h"
@@ -112,8 +113,8 @@ sockets_run(struct privsep *ps, struct privsep_proc *p
 signal_add(&ps->ps_evsigchld, NULL);
 
 #ifndef PROFILE
- if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd",
- NULL) == -1)
+ if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd "
+ "unveil", NULL) == -1)
 fatal("pledge");
 #endif
 }
@@ -246,6 +247,8 @@ static void
 sockets_launch(void)
 {
 struct socket *sock;
+ struct server *srv;
+ const struct got_error *error;
 
 TAILQ_FOREACH(sock, &gotwebd_env->sockets, entry) {
 log_debug("%s: configuring socket %d (%d)", __func__,
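Review bot: The reduced unveil on env->httpd_chroot carries no comment, so the reason read-only now suffices for the parent lives only in the commit message; a one-liner above the call such as `/* The parent never writes below the chroot; "r" is all it needs. */` would keep that rationale next to the code. The hunk does not show where the unix listening socket below the chroot is created relative to this call; if bind() were to run after the unveil, "r" would not permit creating the socket file, so the ordering is worth confirming against the code that sets up the listening sockets. The rest of main(), including the closing unveil(NULL, NULL) and the pledge, lies outside the hunk.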
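Review bot: The "unveil" promise is added to the long-lived pledge of sockets_run() although the unveil list is only applied later in sockets_launch() (the hunk at -262), and nothing in the new code retires the promise once unveil(NULL, NULL) has locked the view. A second pledge right after that lock, with the same string minus "unveil", would drop it for the remainder of the process's lifetime: `if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd", NULL) == -1) fatal("pledge");` under the same #ifndef PROFILE guard. Until sockets_launch() runs, the process keeps an unrestricted filesystem view, presumably because the repository paths arrive with the configuration; a comment naming that dependency next to the added promise would help the next reader. sockets_run() continues outside the hunk.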
@@ -262,6 +265,18 @@ sockets_launch(void)
 log_debug("%s: running socket listener %d", __func__,
 sock->conf.id);
 }
+
+ TAILQ_FOREACH(srv, &gotwebd_env->servers, entry) {
+ if (unveil(srv->repos_path, "r") == -1)
+ fatal("unveil %s", srv->repos_path);
+ }
+
+ error = got_privsep_unveil_exec_helpers();
+ if (error)
+ fatal("%s", error->msg);
+
+ if (unveil(NULL, NULL) == -1)
+ fatal("unveil");
 }
 
 static void
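Review bot: The new unveil calls in sockets_launch() are unconditional, whereas the pledge in sockets_run() (hunk at -112) is wrapped in #ifndef PROFILE and the `err(1, "gmon.out")` context in gotwebd.c main() suggests the parent unveils gmon.out only under PROFILE; a PROFILE build of the sockets process will therefore be locked down with no path left to write its gmon.out. If profiling builds of this process are meant to keep working, an `#ifdef PROFILE` unveil of "gmon.out" with "rwc" before unveil(NULL, NULL), matching what main() appears to do, would restore that. A short why-comment above the loop, e.g. `/* Repositories are only ever read here; the libexec helpers need "x" via got_privsep. */`, would also document the intended minimal view. sockets_launch() begins in the preceding hunk.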