Something like this then?
If it's too much burden to keep these local patches I can drop it, no problem.
Index: bdftopcf.c
===================================================================
RCS file: /cvs/xenocara/app/bdftopcf/bdftopcf.c,v
retrieving revision 1.5
diff -u -p -u -r1.5 bdftopcf.c
--- bdftopcf.c 29 Mar 2018 20:34:30 -0000 1.5
+++ bdftopcf.c 25 Oct 2018 07:00:50 -0000
@@ -39,6 +39,7 @@ from The Open Group.
#include "bdfint.h"
#include "pcf.h"
#include <stdio.h>
+#include <unistd.h>
#include <X11/Xos.h>
int
@@ -158,6 +159,38 @@ main(int argc, char *argv[])
}
argv++;
}
+
+ if (input_name) {
+ if (unveil(input_name, "r") == -1) {
+ fprintf(stderr, "%s: could not unveil %s\n",
+ program_name, input_name);
+ exit(1);
+ }
+ }
+ if (output_name) {
+ if (unveil(output_name, "rwc") == -1) {
+ fprintf(stderr, "%s: could not unveil %s\n",
+ program_name, output_name);
+ exit(1);
+ }
+ if (pledge("stdio rpath wpath cpath", NULL) == -1) {
+ fprintf(stderr, "%s: could not pledge", program_name);
+ exit(1);
+ }
+ }
+ if (input_name && !output_name) {
+ if (pledge("stdio rpath", NULL) == -1) {
+ fprintf(stderr, "%s: could not pledge", program_name);
+ exit(1);
+ }
+ }
+ if (!input_name && !output_name) {
+ if (pledge("stdio", NULL) == -1) {
+ fprintf(stderr, "%s: could not pledge", program_name);
+ exit(1);
+ }
+ }
+
if (input_name) {
input = FontFileOpen(input_name);
if (!input) {
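Review bot: the three pledge error messages at `fprintf(stderr, "%s: could not pledge", program_name);` lack a trailing newline, and both they and the unveil messages drop errno, so a failure prints no reason; `err(1, "pledge")` and `err(1, "unveil %s", input_name)` from <err.h> would fix both. The pledge call is also duplicated three times with the same error block; building the promise string once ("stdio", plus " rpath" when input_name is set and " wpath cpath" when output_name is set) and calling pledge(2) a single time after the unveil calls would keep the logic in one place and also drop the unneeded rpath from the output-only branch, which opens no file for reading.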
On 10:41 Wed 24 Oct , Theo de Raadt wrote:
> Matthieu Herrb <[email protected]> wrote:
>
> > Generally, I'm not too fond of pledging/unveiling random X client
> > programs. There are a lot of "hidden" features in X libraries that
> > will probably break with too strict pledges and/or unveils.
>
> Well eventually we want to see if something can be done about xterm.
> Especially if the lessons learned (I suspect some hoisting will occur)
> can be pushed back upstream, and maybe allow others to apply their
> own system call limiter mechanism. Perhaps not possible...
>
> > Also since this is OpenBSD-specific, it will be difficult to get it
> > upstream, especially if you don't provide the autoconf goo to make
> > the code still build/work on Linux. And when not upstreaming it
> > creates more burden to merge new versions of the applications.
>
> Well, I doubt it will create too much burden, generally these unveil
> or pledge chunks are a small set of + lines, without changing other
> logic.
>
> Anyways, bdftopcf is not running near a security boundary.
>