From 04581dc7e9c35986b7de49e3b45046beb7d6de8f Mon Sep 17 00:00:00 2001 From: yasuoka Date: Mon, 19 Oct 2015 22:07:37 +0000 Subject: [PATCH] Add pledge(2) for radiusctl(8) and radiusd(8). - radiusd: "stdio inet" - radiusd_radius: "stdio inet" - radiusd_bsdauth: - "stdio proc" for the non-priviledged process - "stdio getpw rpath proc exec" for the priviledged process - radiusctl: "stdio dns inet" "go ahead" deraadt --- usr.sbin/radiusctl/radiusctl.c | 4 +++- usr.sbin/radiusd/radiusd.c | 10 +++++++++- usr.sbin/radiusd/radiusd_bsdauth.c | 10 +++++++++- usr.sbin/radiusd/radiusd_radius.c | 4 +++- 4 files changed, 24 insertions(+), 4 deletions(-) diff --git a/usr.sbin/radiusctl/radiusctl.c b/usr.sbin/radiusctl/radiusctl.c index 2591e77158e..c0e82354fe0 100644 --- a/usr.sbin/radiusctl/radiusctl.c +++ b/usr.sbin/radiusctl/radiusctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radiusctl.c,v 1.4 2015/08/25 01:21:57 yasuoka Exp $ */ +/* $OpenBSD: radiusctl.c,v 1.5 2015/10/19 22:07:37 yasuoka Exp $ */ /* * Copyright (c) 2015 YASUOKA Masahiko * @@ -71,6 +71,8 @@ main(int argc, char *argv[]) case NONE: break; case TEST: + if (pledge("stdio dns inet", NULL) == -1) + err(EXIT_FAILURE, "pledge"); radius_test(result); break; } diff --git a/usr.sbin/radiusd/radiusd.c b/usr.sbin/radiusd/radiusd.c index dd8b7785dd0..5f8e0672f98 100644 --- a/usr.sbin/radiusd/radiusd.c +++ b/usr.sbin/radiusd/radiusd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radiusd.c,v 1.8 2015/10/19 06:56:58 yasuoka Exp $ */ +/* $OpenBSD: radiusd.c,v 1.9 2015/10/19 22:07:37 yasuoka Exp $ */ /* * Copyright (c) 2013 Internet Initiative Japan Inc. @@ -175,6 +175,14 @@ main(int argc, char *argv[]) if (radiusd_start(radiusd) != 0) errx(EX_DATAERR, "start failed"); +#ifdef RADIUSD_DEBUG + if (pledge("stdio inet proc abort", NULL) == -1) + err(EXIT_FAILURE, "pledge"); +#else + if (pledge("stdio inet", NULL) == -1) + err(EXIT_FAILURE, "pledge"); +#endif + if (event_loop(0) < 0) radiusd_stop(radiusd); diff --git a/usr.sbin/radiusd/radiusd_bsdauth.c b/usr.sbin/radiusd/radiusd_bsdauth.c index c7f83078f41..02bf77016e8 100644 --- a/usr.sbin/radiusd/radiusd_bsdauth.c +++ b/usr.sbin/radiusd/radiusd_bsdauth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radiusd_bsdauth.c,v 1.5 2015/10/19 07:58:28 yasuoka Exp $ */ +/* $OpenBSD: radiusd_bsdauth.c,v 1.6 2015/10/19 22:07:37 yasuoka Exp $ */ /* * Copyright (c) 2015 YASUOKA Masahiko @@ -94,6 +94,10 @@ main(int argc, char *argv[]) openlog(NULL, LOG_PID, LOG_DAEMON); setproctitle("[priv]"); imsg_init(&ibuf, pipe_chld); + + if (pledge("stdio getpw rpath proc exec", NULL) == -1) + err(EXIT_FAILURE, "pledge"); + for (;;) { if ((n = imsg_read(&ibuf)) <= 0) break; @@ -230,6 +234,10 @@ module_bsdauth_main(int pipe_prnt, int pipe_chld) module_load(module_bsdauth.base); imsg_init(&module_bsdauth.ibuf, pipe_prnt); + + if (pledge("stdio proc", NULL) == -1) + err(EXIT_FAILURE, "pledge"); + while (module_run(module_bsdauth.base) == 0) ; diff --git a/usr.sbin/radiusd/radiusd_radius.c b/usr.sbin/radiusd/radiusd_radius.c index 1e8269844f8..88590ff08a3 100644 --- a/usr.sbin/radiusd/radiusd_radius.c +++ b/usr.sbin/radiusd/radiusd_radius.c @@ -1,4 +1,4 @@ -/* $OpenBSD: radiusd_radius.c,v 1.7 2015/08/02 21:27:27 yasuoka Exp $ */ +/* $OpenBSD: radiusd_radius.c,v 1.8 2015/10/19 22:07:37 yasuoka Exp $ */ /* * Copyright (c) 2013 Internet Initiative Japan Inc. @@ -129,6 +129,8 @@ main(int argc, char *argv[]) module_load(module_radius.base); log_init(0); event_init(); + if (pledge("stdio inet", NULL) == -1) + err(EXIT_FAILURE, "pledge"); module_start(module_radius.base); event_loop(0); -- 2.20.1