Use unveil(2)

Pledge is not possible due to the ioctls, but as apmd hoists both the
control socket and apm device early at startup and only ever possibly
executes scripts under /etc/apm/, hiding the rest of the filesystem
becomes easy.

Technically, only "x" is required to traverse the directory and run
scripts, but apmd carefully access(2) each script, which requires
the read bit regardless of the permission bits being tested.

OK mestre

diff --git a/usr.sbin/apmd/apmd.c b/usr.sbin/apmd/apmd.c
index f520656..ae8cef3 100644 (file)
--- a/usr.sbin/apmd/apmd.c
+++ b/usr.sbin/apmd/apmd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: apmd.c,v 1.99 2020/09/28 21:35:14 jca Exp $   */
+/*     $OpenBSD: apmd.c,v 1.100 2021/03/11 18:12:41 kn Exp $   */
 
 /*
  *  Copyright (c) 1995, 1996 John T. Kohl
@@ -490,6 +490,11 @@ main(int argc, char *argv[])
        if (statonly)
                exit(0);
 
+       if (unveil(_PATH_APM_ETC_DIR, "rx") == -1)
+               err(1, "unveil");
+       if (unveil(NULL, NULL) == -1)
+               err(1, "unveil");
+
        set_driver_messages(ctl_fd, APM_PRINT_OFF);
 
        kq = kqueue();