Hi,
The unveil(2) for nc -U -u -l is wrong. Basically we cannot unveil,
as the server has to connect to the client socket, and the path of
the latter is determined dynamically.
Instead we can add a restrictive pledge(2) after connect(2).
Note that you need my previous diff that fixes dns as the wrong
lookup does not work with the new pledge.
ok?
bluhm
Index: usr.bin/nc/netcat.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.212
diff -u -p -r1.212 netcat.c
--- usr.bin/nc/netcat.c 17 Nov 2019 17:38:33 -0000 1.212
+++ usr.bin/nc/netcat.c 6 Jan 2020 12:56:06 -0000
@@ -371,13 +371,24 @@ main(int argc, char *argv[])
err(1, "unveil");
if (oflag && unveil(oflag, "r") == -1)
err(1, "unveil");
+ } else if (family == AF_UNIX && uflag && lflag && !kflag) {
+ /*
+ * After recvfrom(2) from client, the server connects
+ * to the client socket. As the client path is determined
+ * during runtime, we cannot unveil(2).
+ */
} else {
if (family == AF_UNIX) {
if (unveil(host, "rwc") == -1)
err(1, "unveil");
- if (uflag && !lflag) {
- if (unveil(sflag ? sflag : "/tmp", "rwc") == -1)
- err(1, "unveil");
+ if (uflag && !kflag) {
+ if (sflag) {
+ if (unveil(sflag, "rwc") == -1)
+ err(1, "unveil");
+ } else {
+ if (unveil("/tmp", "rwc") == -1)
+ err(1, "unveil");
+ }
}
} else {
/* no filesystem visibility */
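Review bot: The new empty branch for `family == AF_UNIX && uflag && lflag && !kflag` leaves this mode without any unveil(2), and its comment does not say what limits filesystem access instead. Judging from the later hunks, the replacement is the `pledge("stdio unix", NULL)` issued after connect(2), so I would extend the comment with a line such as `* Filesystem access is dropped by pledge(2) after connect(2) instead.` The comment could also state that the filesystem stays visible while the server waits in recvfrom(2); whether an earlier pledge narrows that window is not visible here. The enclosing main() starts and ends outside the hunk.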
@@ -569,6 +580,10 @@ main(int argc, char *argv[])
if (s == -1)
err(1, NULL);
if (uflag && kflag) {
+ if (family == AF_UNIX) {
+ if (pledge("stdio unix", NULL) == -1)
+ err(1, "pledge");
+ }
/*
* For UDP and -k, don't connect the socket,
* let it receive datagrams from multiple
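Review bot: The four-line `pledge("stdio unix", NULL)` block added at the top of the `uflag && kflag` branch is repeated verbatim after connect(2) in the next hunk. The unveil call kept as context in the first hunk uses the compact form `if (oflag && unveil(oflag, "r") == -1)`, so both sites could read `if (family == AF_UNIX && pledge("stdio unix", NULL) == -1)` followed by `err(1, "pledge");`. If this branch sits inside the listen loop, which is not visible here, the pledge is re-issued on every pass; that is harmless with identical promises, but a one-line comment saying so would help. The branch body continues past the end of the hunk.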
@@ -595,6 +610,10 @@ main(int argc, char *argv[])
if (rv == -1)
err(1, "connect");
+ if (family == AF_UNIX) {
+ if (pledge("stdio unix", NULL) == -1)
+ err(1, "pledge");
+ }
if (vflag)
report_sock("Connection received",
(struct sockaddr *)&z, len, NULL);
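Review bot: The `pledge("stdio unix", NULL)` placed after connect(2) takes effect before the `report_sock("Connection received", ...)` call under `vflag`, and nothing at the call site records that report_sock must work without the dns promise. The patch description says an earlier diff fixing the lookup is a prerequisite, so that ordering constraint is recorded only in the mail. I would add a comment above the pledge such as `/* report_sock() must not do a lookup for AF_UNIX; "dns" is dropped here */`. report_sock itself is outside the hunk, so this should be confirmed against its AF_UNIX path.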