pledge(2) all programs

All programs except mshow have a very tight set of promises. mshow has a broad set of promises and might be a good future candidate to further restrict using unveil(2). This patch is based on commit 0300a112 by Alex Holst (dated 2017-12-07), which was proposed in GH PR #79. * pledged mpick, mflow and mdate so that now all programs are pledged * removed some unneeded promises and added some missing promises * move err.h include and OpenBSD ifdef into a new xpledge.h * cleaned up code aligning and whitespace Closes: #179 [via git-merge-pr]
4 years ago · 4763032430
parent 6bd687bfdc
commit 4763032430
21 changed files with 100 additions and 1 deletions
--- a/maddr.c
+++ b/maddr.c
@ -7,6 +7,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 static int aflag;
 static int dflag;
@ -108,6 +109,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}

+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", addr);
 	else
--- a/magrep.c
+++ b/magrep.c
@ -10,6 +10,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 static int aflag;
 static int cflag;
@ -218,6 +219,8 @@ usage:
 	if (!rx)
 		goto usage;

+	xpledge("stdio rpath", "");
+
 	*rx++ = 0;
 	int r = regcomp(&pattern, rx, REG_EXTENDED | iflag);
 	if (r != 0) {
--- a/mdate.c
+++ b/mdate.c
@ -1,11 +1,17 @@
 #include <time.h>
 #include <unistd.h>

+#include "xpledge.h"
+
 int
 main()
 {
 	char buf[64];
-	time_t now = time(0);
+	time_t now;
+
+	xpledge("stdio", "");
+
+	now = time(0);

 	ssize_t l = strftime(buf, sizeof buf,
 	    "%a, %d %b %Y %T %z\n", localtime(&now));
--- a/mdeliver.c
+++ b/mdeliver.c
@ -13,6 +13,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 /*
 design rationale:
@ -340,6 +341,8 @@ usage2:
 	if (argc != optind+1)
 		goto usage2;

+	xpledge("stdio rpath wpath cpath", "");
+
 	targetdir = argv[optind];

 	gethost();
--- a/mdirs.c
+++ b/mdirs.c
@ -9,6 +9,7 @@

 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"

 static char sep = '\n';
 int aflag;
@ -88,6 +89,8 @@ usage:
 	if (argc == optind)
 		goto usage;

+	xpledge("stdio rpath", "");
+
 	char toplevel[PATH_MAX];
 	if (!getcwd(toplevel, sizeof toplevel)) {
 		perror("mdirs: getcwd");
--- a/mexport.c
+++ b/mexport.c
@ -10,6 +10,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 static int Sflag;

@ -141,6 +142,8 @@ main(int argc, char *argv[])

 	status = 0;

+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", export);
 	else
--- a/mflag.c
+++ b/mflag.c
@ -13,6 +13,7 @@

 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"

 static int8_t flags[255];
 static int vflag = 0;
@ -134,6 +135,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}

+	xpledge("stdio rpath cpath", "");
+
 	curfile = blaze822_seq_cur();

 	if (vflag) {
--- a/mflow.c
+++ b/mflow.c
@ -10,6 +10,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 int column = 0;
 int maxcolumn = 80;
@ -107,6 +108,8 @@ main(int argc, char *argv[])
 	int force = 0;
 	int delsp = 0;

+	xpledge("stdio rpath tty", "");
+
 	char *ct = getenv("PIPE_CONTENTTYPE");
 	if (ct) {
 		char *s, *se;
@ -130,6 +133,8 @@ main(int argc, char *argv[])
 		}
 	}

+	xpledge("stdio", "");
+
 	char *maxcols = getenv("MAXCOLUMNS");
 	if (maxcols && isdigit(*maxcols)) {
 		int m = atoi(maxcols);
--- a/mgenmid.c
+++ b/mgenmid.c
@ -13,6 +13,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 void
 printb36(uint64_t x)
@ -36,6 +37,8 @@ int main()
 	char *f = blaze822_home_file("profile");
 	struct message *config = blaze822(f);

+	xpledge("stdio rpath", "");
+
 	if (config) // try FQDN: first
 		host = blaze822_hdr(config, "fqdn");

--- a/mhdr.c
+++ b/mhdr.c
@ -10,6 +10,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 static char *hflag;
 static char *pflag;
@ -245,6 +246,8 @@ main(int argc, char *argv[])

 	status = 1;

+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(".", header);
 	else
--- a/minc.c
+++ b/minc.c
@ -12,6 +12,7 @@

 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"

 static int qflag;
 static int status;
@ -76,6 +77,8 @@ usage:
 	if (optind == argc)
 		goto usage;

+	xpledge("stdio rpath cpath", "");
+
 	status = 0;
 	for (i = optind; i < argc; i++)
 		inc(argv[i]);
--- a/mlist.c
+++ b/mlist.c
@ -13,6 +13,7 @@

 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"

 /*

@ -272,6 +273,8 @@ usage:

 	int i;

+	xpledge("stdio rpath", "");
+
 	for (i = 0, flagsum = 0, flagset = 0; (size_t)i < sizeof flags; i++) {
 		if (flags[i] != 0)
 			flagset++;
--- a/mmime.c
+++ b/mmime.c
@ -16,6 +16,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 static int cflag;
 static int rflag;
@ -521,6 +522,8 @@ usage:
 	if (argc != optind)
 		goto usage;

+	xpledge("stdio rpath", "");
+
 	if (cflag)
 		return check();

--- a/mpick.c
+++ b/mpick.c
@ -43,6 +43,7 @@
 #include <wchar.h>

 #include "blaze822.h"
+#include "xpledge.h"

 enum op {
 	EXPR_OR = 1,
@ -1463,6 +1464,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}

+	xpledge("stdio rpath", "");
+
 	void *cb = need_thr ? collect : oneline;
 	if (argc == optind && isatty(0))
 		i = blaze822_loop1(":", cb);
--- a/mscan.c
+++ b/mscan.c
@ -2,6 +2,8 @@
 #define _XOPEN_SOURCE 700
 #endif

+#include "xpledge.h"
+
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@ -549,6 +551,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}

+	xpledge("stdio rpath tty proc exec", NULL);
+
 	if (nflag) {
 		if (argc == optind && isatty(0))
 			blaze822_loop1(":", numline);
@ -584,6 +588,9 @@ main(int argc, char *argv[])
 	}
 	if (ttyfd >= 0)
 		close(ttyfd);
+
+	xpledge("stdio rpath", "");
+
 	if (getenv("COLUMNS"))
 		cols = atoi(getenv("COLUMNS"));
 	if (cols <= 40)
--- a/msed.c
+++ b/msed.c
@ -11,6 +11,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 static char *expr;

@ -323,6 +324,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}

+	xpledge("stdio rpath", "");
+
 	expr = argv[optind];
 	optind++;

--- a/mseq.c
+++ b/mseq.c
@ -13,6 +13,7 @@

 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"

 static int fflag;
 static int rflag;
@ -298,6 +299,8 @@ usage:
 			exit(1);
 		}

+	xpledge("stdio rpath wpath cpath", "");
+
 	if (cflag)
 		blaze822_loop1(cflag, overridecur);

--- a/mshow.c
+++ b/mshow.c
@ -14,6 +14,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 static int Bflag;
 static int rflag;
@ -797,6 +798,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}

+	xpledge("stdio rpath wpath cpath proc exec", NULL);
+
 	if (!rflag && !xflag && !Oflag && !Rflag)
 		safe_output = 1;

@ -822,17 +825,22 @@ main(int argc, char *argv[])
 	}

 	if (xflag) { // extract
+		xpledge("stdio rpath wpath cpath", NULL);
 		extract(xflag, argc-optind, argv+optind, 0);
 	} else if (Oflag) { // extract to stdout
+		xpledge("stdio rpath", NULL);
 		extract(Oflag, argc-optind, argv+optind, 1);
 	} else if (tflag) { // list
+		xpledge("stdio rpath", NULL);
 		if (argc == optind && isatty(0))
 			blaze822_loop1(".", list);
 		else
 			blaze822_loop(argc-optind, argv+optind, list);
 	} else if (Rflag) { // render for reply
+		xpledge("stdio rpath", NULL);
 		blaze822_loop(argc-optind, argv+optind, reply);
 	} else { // show
+		/* XXX pledge: still r/w on the whole file-system + fork/exec */
 		if (!(qflag || rflag || Fflag)) {
 			char *f = getenv("MAILFILTER");
 			if (!f)
--- a/msort.c
+++ b/msort.c
@ -10,6 +10,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 struct mail {
 	char *file;
@ -316,6 +317,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}

+	xpledge("stdio rpath", "");

 	mails = calloc(sizeof (struct mail), mailalloc);
 	if (!mails)
--- a/mthread.c
+++ b/mthread.c
@ -19,6 +19,7 @@
 #include <unistd.h>

 #include "blaze822.h"
+#include "xpledge.h"

 static int vflag;
 static int pflag;
@ -419,6 +420,8 @@ main(int argc, char *argv[])

 	optional = 1;

+	xpledge("stdio rpath", "");
+
 	while ((c = getopt(argc, argv, "S:prv")) != -1)
 		switch (c) {
 		case 'S': blaze822_loop1(optarg, thread); break;
--- a/xpledge.h
+++ b/xpledge.h
@ -0,0 +1,26 @@
+#ifndef PLEDGE_H
+#define PLEDGE_H
+
+#ifdef __OpenBSD__
+
+#ifndef _BSD_SOURCE
+#define _BSD_SOURCE
+#endif
+
+#include <err.h>
+#include <unistd.h>
+
+static void
+xpledge(const char *promises, const char *execpromises)
+{
+	if (pledge(promises, execpromises) == -1)
+		err(1, "pledge");
+}
+
+#else
+
+#define xpledge(promises, execpromises) do { } while(0)
+
+#endif /* __OpenBSD__ */
+
+#endif /* PLEDGE_H */