From 82b65d8a180b0d73c9c890695f0173ca9f84b046 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Wed, 8 Aug 2018 17:47:44 +0000
Subject: [PATCH] In netproc process, unveil to only expose the CA file.

ok florian
---
 usr.sbin/acme-client/http.c | 4 +---
 usr.sbin/acme-client/http.h | 3 ++-
 usr.sbin/acme-client/netproc.c | 7 ++++++-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/usr.sbin/acme-client/http.c b/usr.sbin/acme-client/http.c
index 599f161437c..423c5e03311 100644
--- a/usr.sbin/acme-client/http.c
+++ b/usr.sbin/acme-client/http.c
@@ -1,4 +1,4 @@
-/* $Id: http.c,v 1.21 2018/02/06 04:19:56 florian Exp $ */
+/* $Id: http.c,v 1.22 2018/08/08 17:47:44 deraadt Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons
  *
@@ -35,8 +35,6 @@
 #include "http.h"
 #include "extern.h"
 
-#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
-
 /*
  * A buffer for transferring HTTP/S data.
  */
diff --git a/usr.sbin/acme-client/http.h b/usr.sbin/acme-client/http.h
index c648186d16f..df1a601c288 100644
--- a/usr.sbin/acme-client/http.h
+++ b/usr.sbin/acme-client/http.h
@@ -1,4 +1,4 @@
-/* $Id: http.h,v 1.5 2017/01/25 13:52:53 inoguchi Exp $ */
+/* $Id: http.h,v 1.6 2018/08/08 17:47:44 deraadt Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons
  *
@@ -61,6 +61,7 @@ struct httpget {
 	size_t bodypartsz; /* size of bodypart */
 };
 
+#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
 int http_init(void);
 
 /* Convenience functions. */
diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c
index dd78580e852..a0f1afab915 100644
--- a/usr.sbin/acme-client/netproc.c
+++ b/usr.sbin/acme-client/netproc.c
@@ -1,4 +1,4 @@
-/* $Id: netproc.c,v 1.16 2018/03/14 12:28:25 florian Exp $ */
+/* $Id: netproc.c,v 1.17 2018/08/08 17:47:44 deraadt Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons
  *
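Review bot: In the http.h hunk the moved `#define DEFAULT_CA_FILE` sits directly above the `int http_init(void);` prototype with no separating blank line, whereas the surrounding header keeps the struct, the prototype and the comment block apart with blank lines; a blank line after the define would keep the layout consistent. Since the macro is now shared by http.c and netproc.c rather than private to http.c, a one-line comment such as `/* CA bundle path; netproc unveils it read-only, http.c presumably uses it for TLS verification. */` would tell a reader why a filesystem path now lives in the HTTP header. The http.c hunk on this line is the matching removal and the remaining hunks are $Id bumps.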
@@ -612,6 +612,11 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
 	memset(&paths, 0, sizeof(struct capaths));
 	memset(&c, 0, sizeof(struct conn));
 
+	if (unveil(DEFAULT_CA_FILE, "r") == -1) {
+		warn("unveil");
+		goto out;
+	}
+
 	if (pledge("stdio inet rpath", NULL) == -1) {
 		warn("pledge");
 		goto out;
-- 
2.20.1
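Review bot: The new unveil(2) call carries no comment recording why it must sit ahead of the pledge(2) call that follows it, so a later edit could reorder the two and silently lose the restriction; as I understand OpenBSD's semantics, once the process pledges a promise set that lacks "unveil" no further unveil calls are possible, which is what makes this ordering load-bearing. A short comment above the added block, e.g. `/* The CA bundle is the only path this process reads; unveil before pledge, which locks unveil. */`, would make both the intent and the constraint explicit. The unveiled path is the compile-time `DEFAULT_CA_FILE`; if http.c can be pointed at a different CA file (not visible in this hunk), the unveil would need to track that value rather than the default. The `"r"` permission matches the `rpath` promise, and the error path mirrors the existing pledge handling. netproc's body begins and continues outside the hunk.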