Remove unveil() from the rsync_sender() and flist_gen(). The sender is

not able to properly unveil itself because you can request many files
as arguments. At the same time the sender is read-only and uses rpath
pledge() so the gain from unveil() is less of an issue.
On the receiver side all files land in one directory and this part still
uses unveil() to protect rsync to somehow walk out of the destination
directory.
From kristaps@

diff --git a/usr.bin/rsync/flist.c b/usr.bin/rsync/flist.c
index 88c777b..e12cb81 100644 (file)
--- a/usr.bin/rsync/flist.c
+++ b/usr.bin/rsync/flist.c
@@ -1,4 +1,4 @@
-/*     $Id: flist.c,v 1.30 2021/03/22 11:26:44 claudio Exp $ */
+/*     $Id: flist.c,v 1.31 2021/03/22 11:49:15 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  * Copyright (c) 2019 Florian Obser <florian@openbsd.org>
@@ -834,10 +834,6 @@ flist_gen_dirent(struct sess *sess, char *root, struct flist **fl, size_t *sz,
                        ERRX1("flist_append");
                        return 0;
                }
-               if (unveil(root, "r") == -1) {
-                       ERR("%s: unveil", root);
-                       return 0;
-               }
                return 1;
        } else if (S_ISLNK(st.st_mode)) {
                if (!sess->opts->preserve_links) {
@@ -854,10 +850,6 @@ flist_gen_dirent(struct sess *sess, char *root, struct flist **fl, size_t *sz,
                        ERRX1("flist_append");
                        return 0;
                }
-               if (unveil(root, "r") == -1) {
-                       ERR("%s: unveil", root);
-                       return 0;
-               }
                return 1;
        } else if (!S_ISDIR(st.st_mode)) {
                WARNX("%s: skipping special", root);
@@ -994,10 +986,6 @@ flist_gen_dirent(struct sess *sess, char *root, struct flist **fl, size_t *sz,
                ERR("fts_read");
                goto out;
        }
-       if (unveil(root, "r") == -1) {
-               ERR("%s: unveil", root);
-               goto out;
-       }
 
        LOG3("generated %zu filenames: %s", flsz, root);
        rc = 1;
@@ -1091,10 +1079,6 @@ flist_gen_files(struct sess *sess, size_t argc, char **argv,
 
                /* Add this file to our file-system worldview. */
 
-               if (unveil(argv[i], "r") == -1) {
-                       ERR("%s: unveil", argv[i]);
-                       goto out;
-               }
                if (!flist_append(f, &st, argv[i])) {
                        ERRX1("flist_append");
                        goto out;
@@ -1133,10 +1117,6 @@ flist_gen(struct sess *sess, size_t argc, char **argv, struct flist **flp,
 
        /* After scanning, lock our file-system view. */
 
-       if (unveil(NULL, NULL) == -1) {
-               ERR("unveil");
-               return 0;
-       }
        if (!rc)
                return 0;
 

diff --git a/usr.bin/rsync/sender.c b/usr.bin/rsync/sender.c
index 524a4f3..186dabf 100644 (file)
--- a/usr.bin/rsync/sender.c
+++ b/usr.bin/rsync/sender.c
@@ -1,4 +1,4 @@
-/*     $Id: sender.c,v 1.26 2020/11/24 16:54:44 claudio Exp $ */
+/*     $Id: sender.c,v 1.27 2021/03/22 11:49:15 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -350,7 +350,7 @@ send_dl_enqueue(struct sess *sess, struct send_dlq *q,
  * It queues requests for updates as soon as it receives them.
  * Returns zero on failure, non-zero on success.
  *
- * Pledges: stdio, rpath, unveil.
+ * Pledges: stdio, getpw, rpath.
  */
 int
 rsync_sender(struct sess *sess, int fdin,
@@ -370,7 +370,7 @@ rsync_sender(struct sess *sess, int fdin,
        size_t              wbufpos = 0, wbufsz = 0, wbufmax = 0;
        ssize_t             ssz;
 
-       if (pledge("stdio getpw rpath unveil", NULL) == -1) {
+       if (pledge("stdio getpw rpath", NULL) == -1) {
                ERR("pledge");
                return 0;
        }