unveil(2) in getty. This has been in snaps for more than 2 months,

author deraadt <deraadt@openbsd.org>

Mon, 24 Sep 2018 21:30:00 +0000 (21:30 +0000)

committer deraadt <deraadt@openbsd.org>

Mon, 24 Sep 2018 21:30:00 +0000 (21:30 +0000)
author deraadt <deraadt@openbsd.org>
Mon, 24 Sep 2018 21:30:00 +0000 (21:30 +0000)
committer deraadt <deraadt@openbsd.org>
Mon, 24 Sep 2018 21:30:00 +0000 (21:30 +0000)
diff --git a/libexec/getty/main.c b/libexec/getty/main.c

index b55bd1a..6032432 100644 (file)
--- a/libexec/getty/main.c
+++ b/libexec/getty/main.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: main.c,v 1.48 2017/05/29 04:40:35 deraadt Exp $       */
+/*     $OpenBSD: main.c,v 1.49 2018/09/24 21:30:00 deraadt Exp $       */
  
  /*-
   * Copyright (c) 1980, 1993
@@ -169,6 +169,19 @@ main(int argc, char *argv[])
  
         ioctl(0, FIOASYNC, &off);       /* turn off async mode */
  
+       if (unveil("/usr/bin/login", "x") == -1) {
+               syslog(LOG_ERR, "%s: %m", tname);
+               exit(1);
+       }
+       if (unveil(_PATH_GETTYTAB, "r") == -1) {
+               syslog(LOG_ERR, "%s: %m", tname);
+               exit(1);
+       }
+       if (unveil("/dev", "rw") == -1) {
+               syslog(LOG_ERR, "%s: %m", tname);
+               exit(1);
+       }
+
         /*
          * The following is a work around for vhangup interactions
          * which cause great problems getting window systems started.
author	deraadt <deraadt@openbsd.org>
	Mon, 24 Sep 2018 21:30:00 +0000 (21:30 +0000)
committer	deraadt <deraadt@openbsd.org>
	Mon, 24 Sep 2018 21:30:00 +0000 (21:30 +0000)