Adjust pledge() and unveil() calls for proc_rsync() a bit. Since the

mkdir was moved to the main process there is no need for access to .
in the rsync process.
OK job@ deraadt@

diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c
index 19a8fd0..a22e042 100644 (file)
--- a/usr.sbin/rpki-client/main.c
+++ b/usr.sbin/rpki-client/main.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: main.c,v 1.104 2021/02/22 09:46:05 claudio Exp $ */
+/*     $OpenBSD: main.c,v 1.105 2021/02/23 14:25:29 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -941,8 +941,7 @@ main(int argc, char *argv[])
                        if (fchdir(cachefd) == -1)
                                err(1, "fchdir");
 
-                       if (pledge("stdio rpath cpath proc exec unveil", NULL)
-                           == -1)
+                       if (pledge("stdio rpath proc exec unveil", NULL) == -1)
                                err(1, "pledge");
 
                        proc_rsync(rsync_prog, bind_addr, fd[0]);

diff --git a/usr.sbin/rpki-client/rsync.c b/usr.sbin/rpki-client/rsync.c
index 1f00a6e..2497b50 100644 (file)
--- a/usr.sbin/rpki-client/rsync.c
+++ b/usr.sbin/rpki-client/rsync.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: rsync.c,v 1.18 2021/02/19 08:14:49 claudio Exp $ */
+/*     $OpenBSD: rsync.c,v 1.19 2021/02/23 14:25:29 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -160,13 +160,6 @@ proc_rsync(char *prog, char *bind_addr, int fd)
        } else if (unveil(prog, "x") == -1)
                err(1, "%s: unveil", prog);
 
-       /* Unveil the repository directory and terminate unveiling. */
-
-       if (unveil(".", "c") == -1)
-               err(1, "unveil");
-       if (unveil(NULL, NULL) == -1)
-               err(1, "unveil");
-
        if (pledge("stdio proc exec", NULL) == -1)
                err(1, "pledge");