In netproc process, unveil to only expose the CA file.

ok florian

diff --git a/usr.sbin/acme-client/http.c b/usr.sbin/acme-client/http.c
index 599f161..423c5e0 100644 (file)
--- a/usr.sbin/acme-client/http.c
+++ b/usr.sbin/acme-client/http.c
@@ -1,4 +1,4 @@
-/*     $Id: http.c,v 1.21 2018/02/06 04:19:56 florian Exp $ */
+/*     $Id: http.c,v 1.22 2018/08/08 17:47:44 deraadt Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -35,8 +35,6 @@
 #include "http.h"
 #include "extern.h"
 
-#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
-
 /*
  * A buffer for transferring HTTP/S data.
  */

diff --git a/usr.sbin/acme-client/http.h b/usr.sbin/acme-client/http.h
index c648186..df1a601 100644 (file)
--- a/usr.sbin/acme-client/http.h
+++ b/usr.sbin/acme-client/http.h
@@ -1,4 +1,4 @@
-/*     $Id: http.h,v 1.5 2017/01/25 13:52:53 inoguchi Exp $ */
+/*     $Id: http.h,v 1.6 2018/08/08 17:47:44 deraadt Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -61,6 +61,7 @@ struct        httpget {
        size_t           bodypartsz; /* size of bodypart */
 };
 
+#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
 int             http_init(void);
 
 /* Convenience functions. */

diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c
index dd78580..a0f1afa 100644 (file)
--- a/usr.sbin/acme-client/netproc.c
+++ b/usr.sbin/acme-client/netproc.c
@@ -1,4 +1,4 @@
-/*     $Id: netproc.c,v 1.16 2018/03/14 12:28:25 florian Exp $ */
+/*     $Id: netproc.c,v 1.17 2018/08/08 17:47:44 deraadt Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -612,6 +612,11 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
        memset(&paths, 0, sizeof(struct capaths));
        memset(&c, 0, sizeof(struct conn));
 
+       if (unveil(DEFAULT_CA_FILE, "r") == -1) {
+               warn("unveil");
+               goto out;
+       }
+
        if (pledge("stdio inet rpath", NULL) == -1) {
                warn("pledge");
                goto out;