commit 77f619a8442c52e9c02e8060b76c25def0b5f1c6
from: Stefan Sperling
date: Wed Jan 04 21:12:08 2023 UTC
revoke filesystem access in gotd listen process via unveil(2) This should avoid involuntary use of bind(2) with arbitrary socket paths. ok op@
commit - 7843333165edf3bdaa739cd96c701e1b7d53aa81
commit + 77f619a8442c52e9c02e8060b76c25def0b5f1c6
blob - e50353765bff681f33ccb4684dc31c73acce7967
blob + ebce2cfaa618ecbd64466a003b70fe6044a4fafe
--- gotd/gotd.c
+++ gotd/gotd.c
@@ -2544,9 +2544,15 @@ main(int argc, char **argv)
 break;
 case PROC_LISTEN:
 #ifndef PROFILE
- if (pledge("stdio sendfd unix", NULL) == -1)
+ if (pledge("stdio sendfd unix unveil", NULL) == -1)
 err(1, "pledge");
 #endif
+ /*
+ * Ensure that AF_UNIX bind(2) cannot be used with any other
+ * sockets by revoking all filesystem access via unveil(2).
+ */
+ apply_unveil_none();
 listen_main(title, fd, gotd.connection_limits, gotd.nconnection_limits);
 /* NOTREACHED */
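Review bot: After apply_unveil_none() returns, the listen process still holds the newly added `unveil` promise, so the comment's claim that all filesystem access is revoked only holds if apply_unveil_none() finishes by locking the unveil set (unveil(NULL, NULL)) and nothing in listen_main() can call unveil(2) again; the helper's body is not visible in this hunk. A second `if (pledge("stdio sendfd unix", NULL) == -1) err(1, "pledge");` placed directly after `apply_unveil_none();`, under the same `#ifndef PROFILE`, would drop the promise and make the lockdown explicit rather than dependent on the helper's internals. It is also not visible whether apply_unveil_none() aborts on failure or returns a status; if it returns one, the call here should check it, since a silently failed unveil would leave bind(2) on arbitrary paths possible again. The enclosing main() switch starts and ends outside the hunk.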