commit 79e60db648de07c38759b79dd9acefb3b82e04f2 from: Stefan Sperling via: Thomas Adam date: Tue Nov 14 12:12:33 2023 UTC fix gotwebd unveil permissions The main process doesn't need write access anywhere and /tmp is not needed. The sockets process didn't use unveil at all so far, but is happy with just "x" for libexec helpers and "r" for each server's repository path. Input from op@ Tested by myself and Kyle Ackerman who also reviewed the diffs. Prompted by questions from mlarkin@ ok mlarkin@, op@
commit - 072028198fd35dfd25c9920dc6b65202ab5fabc7
commit + 79e60db648de07c38759b79dd9acefb3b82e04f2
blob - 75e6580d452ef8fa8398cf9227e51a4b4a8062f0
blob + 3dc5a446de1bee5dea0983da1f90831666467577
--- gotwebd/gotwebd.c
+++ gotwebd/gotwebd.c
@@ -248,10 +248,7 @@ main(int argc, char **argv)
 err(1, "gmon.out");
 #endif
 
- if (unveil(env->httpd_chroot, "rwc") == -1)
- err(1, "unveil");
-
- if (unveil(GOT_TMPDIR_STR, "rw") == -1)
+ if (unveil(env->httpd_chroot, "r") == -1)
 err(1, "unveil");
 
 if (unveil(GOTWEBD_CONF, "r") == -1)
blob - 542f9d911ce6be7a94b6c10c2b004417ebaeaeea
blob + 8e96717ed35cc9e91a8fc0c9be56d23fee4d05a8
--- gotwebd/sockets.c
+++ gotwebd/sockets.c
@@ -53,6 +53,7 @@
 #include "got_opentemp.h"
 #include "got_reference.h"
 #include "got_repository.h"
+#include "got_privsep.h"
 #include "proc.h"
 #include "gotwebd.h"
 
@@ -112,8 +113,8 @@ sockets_run(struct privsep *ps, struct privsep_proc *p
 signal_add(&ps->ps_evsigchld, NULL);
 
 #ifndef PROFILE
- if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd",
- NULL) == -1)
+ if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd "
+ "unveil", NULL) == -1)
 fatal("pledge");
 #endif
 }
@@ -246,6 +247,8 @@ static void
 sockets_launch(void)
 {
 struct socket *sock;
+ struct server *srv;
+ const struct got_error *error;
 
 TAILQ_FOREACH(sock, &gotwebd_env->sockets, entry) {
 log_debug("%s: configuring socket %d (%d)", __func__,
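Review bot: The tightened "r" permission on env->httpd_chroot in main() carries no comment, so a later reader cannot tell from the code why the parent no longer needs write access or a tmpdir unveil, which only the commit message explains. A one-line comment above the call, `/* The parent only reads under the chroot and never needs /tmp. */`, would keep that rationale next to the unveil set so it is not re-widened by accident. main() starts and continues outside this hunk.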
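Review bot: The `unveil` promise added to this pledge string stays in effect for the lifetime of the sockets process, even though the `unveil(NULL, NULL)` this commit adds at the end of sockets_launch (last hunk) makes any further unveil call fail anyway. Since the promise had to be added here, sockets_launch presumably runs after this pledge; if so, a second pledge without `unveil` immediately after `unveil(NULL, NULL)` would shed the now-unused promise, following the usual OpenBSD pattern of re-pledging with a subset. sockets_run's body starts outside this hunk, and the proposed lines belong in sockets_launch rather than here.
```c
	if (unveil(NULL, NULL) == -1)
		fatal("unveil");
#ifndef PROFILE
	/* The unveil set is locked now; drop the promise only needed for it. */
	if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd",
	    NULL) == -1)
		fatal("pledge");
#endif
```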
@@ -262,6 +265,18 @@ sockets_launch(void)
 log_debug("%s: running socket listener %d", __func__,
 sock->conf.id);
 }
+
+ TAILQ_FOREACH(srv, &gotwebd_env->servers, entry) {
+ if (unveil(srv->repos_path, "r") == -1)
+ fatal("unveil %s", srv->repos_path);
+ }
+
+ error = got_privsep_unveil_exec_helpers();
+ if (error)
+ fatal("%s", error->msg);
+
+ if (unveil(NULL, NULL) == -1)
+ fatal("unveil");
 }
 
 static void
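Review bot: `fatal("%s", error->msg)` after the got_privsep_unveil_exec_helpers() call reports a got_error rather than a failed system call; if proc.h's `fatal` follows the OpenBSD log.c convention of appending strerror(errno), the log line will carry whatever stale errno happens to be set at that point. `fatalx("%s", error->msg);` is the variant for errors that do not come with an errno, and the two unveil(2) failures in this hunk are right to keep `fatal`, since unveil sets errno. A short comment above the final call, `/* Lock the unveil set; no further paths can be exposed after this. */`, would also make the ordering of the repository, helper and NULL unveils explicit for the next person touching this function.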