From b00f338989dc039b32121c9fd6c7d64b6b69bd13 Mon Sep 17 00:00:00 2001 From: mestre Date: Wed, 15 Dec 2021 11:21:35 +0000 Subject: [PATCH] restrict all filesystem access with unveil(2). hid_start(3) opens `table' through libusbhid, then usbhidctl(1) itself opens `dev', after that it's just performing ioctls on the fd left opened by the latter so all fs access can be disabled. --- usr.bin/usbhidctl/usbhid.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr.bin/usbhidctl/usbhid.c b/usr.bin/usbhidctl/usbhid.c index 25cc61bdf93..1560bb365d4 100644 --- a/usr.bin/usbhidctl/usbhid.c +++ b/usr.bin/usbhidctl/usbhid.c @@ -1,4 +1,4 @@ -/* $OpenBSD: usbhid.c,v 1.17 2021/05/31 18:30:11 jcs Exp $ */ +/* $OpenBSD: usbhid.c,v 1.18 2021/12/15 11:21:35 mestre Exp $ */ /* $NetBSD: usbhid.c,v 1.22 2002/02/20 20:30:42 christos Exp $ */ /* @@ -941,6 +941,11 @@ main(int argc, char **argv) if (hidfd == -1) err(1, "%s", dev); + if (unveil("/", "") == -1) + err(1, "unveil /"); + if (unveil(NULL, NULL) == -1) + err(1, "unveil"); + if (ioctl(hidfd, USB_GET_REPORT_ID, &reportid) == -1) reportid = -1; if (verbose > 1) -- 2.20.1