From: mestre <mestre@openbsd.org>
Date: Wed, 15 Dec 2021 11:23:09 +0000 (+0000)
Subject: restrict filesystem access with unveil(2).
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=03319b45cc1f3277359a819df3ba0f4199cab101;p=openbsd

restrict filesystem access with unveil(2).

this one opens the default table file "/usr/share/misc/usb_hid_usages" through
hid_start(3) from libusbhid, then `dev' (will be the fd used on the ioctls)
and finally `conf' which is the file with the actions to be monitored. `conf'
needs to be unveil(2)ed with read perms since usbhidaction(1) can run as daemon
and this file will be re-read if a SIGHUP is catched.

looks good deraadt@
---

diff --git a/usr.bin/usbhidaction/usbhidaction.c b/usr.bin/usbhidaction/usbhidaction.c
index 39d43570476..d074651a021 100644
--- a/usr.bin/usbhidaction/usbhidaction.c
+++ b/usr.bin/usbhidaction/usbhidaction.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: usbhidaction.c,v 1.23 2019/06/28 13:35:05 deraadt Exp $ */
+/*	$OpenBSD: usbhidaction.c,v 1.24 2021/12/15 11:23:09 mestre Exp $ */
 /*      $NetBSD: usbhidaction.c,v 1.7 2002/01/18 14:38:59 augustss Exp $ */
 
 /*
@@ -164,6 +164,11 @@ main(int argc, char **argv)
 		isdemon = 1;
 	}
 
+	if (unveil(conf, "r") == -1)
+		err(1, "unveil %s", conf);
+	if (unveil(NULL, NULL) == -1)
+		err(1, "unveil");
+
 	for(;;) {
 		n = read(fd, buf, sz);
 		if (verbose > 2) {