From ec8f555ef2b937a314702f75e67f0ab5e4e8eb6c Mon Sep 17 00:00:00 2001 From: florian Date: Sat, 1 May 2021 11:53:06 +0000 Subject: [PATCH] Allow running in single user mode where /var/empty doesn't exist by switching from chroot("/var/empty") to unveil("/", ""). This is just an extra pair of suspenders since these processes pledge(2) to not access the filesystem. OK deraadt --- sbin/slaacd/engine.c | 9 ++++++--- sbin/slaacd/frontend.c | 9 ++++++--- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/sbin/slaacd/engine.c b/sbin/slaacd/engine.c index 07e55b98fbd..c39f50b33b7 100644 --- a/sbin/slaacd/engine.c +++ b/sbin/slaacd/engine.c @@ -1,4 +1,4 @@ -/* $OpenBSD: engine.c,v 1.71 2021/03/21 18:25:24 florian Exp $ */ +/* $OpenBSD: engine.c,v 1.72 2021/05/01 11:53:06 florian Exp $ */ /* * Copyright (c) 2017 Florian Obser @@ -364,11 +364,14 @@ engine(int debug, int verbose) if ((pw = getpwnam(SLAACD_USER)) == NULL) fatal("getpwnam"); - if (chroot(pw->pw_dir) == -1) - fatal("chroot"); if (chdir("/") == -1) fatal("chdir(\"/\")"); + if (unveil("/", "") == -1) + fatal("unveil(\"/\", \"\")"); + if (unveil(NULL, NULL) == -1) + fatal("unveil(NULL, NULL)"); + setproctitle("%s", "engine"); log_procinit("engine"); diff --git a/sbin/slaacd/frontend.c b/sbin/slaacd/frontend.c index 10fd6b8b9aa..3553595db4c 100644 --- a/sbin/slaacd/frontend.c +++ b/sbin/slaacd/frontend.c @@ -1,4 +1,4 @@ -/* $OpenBSD: frontend.c,v 1.55 2021/03/21 18:25:24 florian Exp $ */ +/* $OpenBSD: frontend.c,v 1.56 2021/05/01 11:53:06 florian Exp $ */ /* * Copyright (c) 2017 Florian Obser @@ -145,11 +145,14 @@ frontend(int debug, int verbose) if ((pw = getpwnam(SLAACD_USER)) == NULL) fatal("getpwnam"); - if (chroot(pw->pw_dir) == -1) - fatal("chroot"); if (chdir("/") == -1) fatal("chdir(\"/\")"); + if (unveil("/", "") == -1) + fatal("unveil(\"/\", \"\")"); + if (unveil(NULL, NULL) == -1) + fatal("unveil(NULL, NULL)"); + setproctitle("%s", "frontend"); log_procinit("frontend"); -- 2.20.1