Bryan Steele wrote:
> It is not possible to unveil(2) all arguments passed to file(1), as this
> would require walking *argv. Instead, we can unveil("/", "r") to permit
> readonly access to the entire filesystem, while restricting all execute,
> write, and create operations.
Why not? Because of the limit? We can still try unveil up to a certain limit.

> This only provides some additional early protection for the parent, as
> the privsep magic(5) parser already pledged tightly.
>
> It might be possible to use pledge instead, but since this process
> doesn't do much more than opening files and passing descriptors, unveil
> alone should be enough.

I think if we want to enforce read-only access, pledge is still the way to go.

This seems to work.

Index: file.c
===================================================================
RCS file: /cvs/src/usr.bin/file/file.c,v
retrieving revision 1.66
diff -u -p -r1.66 file.c
--- file.c	15 Jan 2018 19:45:51 -0000	1.66
+++ file.c	4 Jan 2019 01:22:31 -0000
@@ -168,6 +168,17 @@ main(int argc, char **argv)
 	} else if (argc == 0)
 		usage();
 
+	if (argc < 64) {
+		unveil("/etc/magic", "r");
+		for (idx = 0; idx < argc; idx++)
+			if (unveil(argv[idx], "r") == -1)
+				err(1, "unveil");
+		unveil(NULL, NULL);
+	}
+
+	if (pledge("stdio rpath getpw recvfd sendfd id proc", NULL) == -1)
+		err(1, "pledge");
+
 	magicfp = NULL;
 	if (geteuid() != 0 && !issetugid()) {
 		home = getenv("HOME");
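Review bot: In the `if (argc < 64)` block, `unveil("/etc/magic", "r");` and `unveil(NULL, NULL);` discard their return values while the argv loop and the pledge() call are checked with err(); a failing unveil there silently leaves the process with a wider view than intended, so check all three the same way (`if (unveil("/etc/magic", "r") == -1) err(1, "unveil");`). The unchanged context right after the hunk, `home = getenv("HOME");`, shows that a per-user magic file under $HOME is looked up next; that path is not unveiled here, so once `unveil(NULL, NULL)` locks the set the open of it will fail and only /etc/magic remains usable. Finally, when argc is 64 or more the whole block is skipped and nothing is unveiled at all, so the large-argument case runs with no filesystem restriction; an `else` branch with the `unveil("/", "r")` fallback from the quoted message would keep it read-only instead of unrestricted.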
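To make the sequence under discussion concrete, here is an added example (not from this thread and not the file(1) source): the unveil(2) + pledge(2) ordering with every return value checked, the optional per-user magic file under $HOME covered before the set is locked, and the unveil("/", "r") fallback from the quoted message for argument lists too long to unveil one by one. The names restrict_fs, MAX_UNVEIL, do_unveil and do_pledge are this example's own; the two wrappers record each call in a log so the sequence can be inspected, and on hosts other than OpenBSD they only record and apply no sandbox.

```c
/* Added example, not from the thread or from file(1). On OpenBSD the
 * wrappers call the real unveil(2)/pledge(2); elsewhere they are stubs
 * that only record the call so the ordering logic can still be run. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_UNVEIL 64		/* assumed limit, mirrors the patch's argc < 64 */
#define LOG_SLOTS (MAX_UNVEIL + 8)

static char call_log[LOG_SLOTS][256];
static int ncalls;

static void record(const char *fn, const char *a, const char *b)
{
	if (ncalls < LOG_SLOTS)
		snprintf(call_log[ncalls++], sizeof call_log[0], "%s(%s,%s)",
		    fn, a ? a : "NULL", b ? b : "NULL");
}

static int do_unveil(const char *path, const char *perm)
{
	record("unveil", path, perm);
#ifdef __OpenBSD__
	return unveil(path, perm);
#else
	return 0;	/* stub on other systems: nothing is restricted */
#endif
}

static int do_pledge(const char *promises, const char *execpromises)
{
	record("pledge", promises, execpromises);
#ifdef __OpenBSD__
	return pledge(promises, execpromises);
#else
	return 0;	/* stub on other systems */
#endif
}

/* Restrict the parent to read-only access to the magic database(s) and
 * the files named on the command line, then pledge. Returns 0, or -1
 * with errno left as set by the failing call. */
int restrict_fs(int argc, char **argv, const char *home)
{
	char path[1024];
	int i;

	ncalls = 0;
	if (do_unveil("/etc/magic", "r") == -1)
		return -1;
	/* per-user magic file: optional, but it must be unveiled before
	 * the set is locked or opening it later fails with ENOENT */
	if (home != NULL) {
		snprintf(path, sizeof path, "%s/.magic", home);
		if (do_unveil(path, "r") == -1)
			return -1;
	}
	if (argc < MAX_UNVEIL) {
		for (i = 0; i < argc; i++)
			if (do_unveil(argv[i], "r") == -1)
				return -1;
	} else if (do_unveil("/", "r") == -1) {
		/* too many paths: whole tree read-only, never unrestricted */
		return -1;
	}
	if (do_unveil(NULL, NULL) == -1)	/* lock the unveil set */
		return -1;
	if (do_pledge("stdio rpath getpw recvfd sendfd id proc", NULL) == -1)
		return -1;
	return 0;
}

/* Accessors over the recorded call sequence. */
int call_log_len(void) { return ncalls; }
const char *call_log_entry(int i)
{
	return (i >= 0 && i < ncalls) ? call_log[i] : NULL;
}

int main(int argc, char **argv)
{
	int i;

	if (restrict_fs(argc - 1, argv + 1, getenv("HOME")) == -1) {
		perror("restrict_fs");
		return 1;
	}
	for (i = 0; i < call_log_len(); i++)
		printf("%s\n", call_log_entry(i));
	return 0;
}
```

Run it with a handful of paths and the log shows the per-file unveils followed by the lock and the pledge; with 64 or more paths the per-file loop is replaced by the single unveil("/", "r"), so the process is still confined to read-only access rather than left unrestricted.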