From 03319b45cc1f3277359a819df3ba0f4199cab101 Mon Sep 17 00:00:00 2001 From: mestre Date: Wed, 15 Dec 2021 11:23:09 +0000 Subject: [PATCH] restrict filesystem access with unveil(2). this one opens the default table file "/usr/share/misc/usb_hid_usages" through hid_start(3) from libusbhid, then `dev' (will be the fd used on the ioctls) and finally `conf' which is the file with the actions to be monitored. `conf' needs to be unveil(2)ed with read perms since usbhidaction(1) can run as daemon and this file will be re-read if a SIGHUP is catched. looks good deraadt@ --- usr.bin/usbhidaction/usbhidaction.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr.bin/usbhidaction/usbhidaction.c b/usr.bin/usbhidaction/usbhidaction.c index 39d43570476..d074651a021 100644 --- a/usr.bin/usbhidaction/usbhidaction.c +++ b/usr.bin/usbhidaction/usbhidaction.c @@ -1,4 +1,4 @@ -/* $OpenBSD: usbhidaction.c,v 1.23 2019/06/28 13:35:05 deraadt Exp $ */ +/* $OpenBSD: usbhidaction.c,v 1.24 2021/12/15 11:23:09 mestre Exp $ */ /* $NetBSD: usbhidaction.c,v 1.7 2002/01/18 14:38:59 augustss Exp $ */ /* @@ -164,6 +164,11 @@ main(int argc, char **argv) isdemon = 1; } + if (unveil(conf, "r") == -1) + err(1, "unveil %s", conf); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + for(;;) { n = read(fd, buf, sz); if (verbose > 2) { -- 2.20.1