commit a9a48d93a276ff55f1ad9902dd84b77c899fd027 from: Stefan Sperling via: Thomas Adam date: Thu Apr 25 14:57:36 2024 UTC use unveil to restrict filesystem access of got-fetch-http With HTTPS we only need to be able to read /etc/ssl/cert.pem. With plaintext HTTP no filesystem access is needed at all. commit - e9495ffd168087aa382d316bfd6d75f2082b462e commit + a9a48d93a276ff55f1ad9902dd84b77c899fd027 blob - f1cf123c468f636b6b2290fd62ca8e6b179ab5ac blob + 384f347b929513263e880df54a09a6ba700b089e
--- libexec/got-fetch-http/got-fetch-http.c
+++ libexec/got-fetch-http/got-fetch-http.c
@@ -533,7 +533,7 @@ main(int argc, char **argv)
 int ch;
 #if !DEBUG_HTTP || defined(PROFILE)
- if (pledge("stdio rpath inet dns", NULL) == -1)
+ if (pledge("stdio rpath inet dns unveil", NULL) == -1)
 err(1, "pledge");
 #endif
@@ -557,12 +557,21 @@ main(int argc, char **argv)
 https = strcmp(argv[0], "https") == 0;
 #ifndef PROFILE
- if (!https) {
+ if (https) {
+ if (unveil("/etc/ssl/cert.pem", "r") == -1)
+ err(1, "unveil /etc/ssl/cert.pem");
+ } else {
 /* drop "rpath" */
- if (pledge("stdio inet dns", NULL) == -1)
+ if (pledge("stdio inet dns unveil", NULL) == -1)
 err(1, "pledge");
 }
+#else
+ if (unveil("gmon.out", "rwc") != 0)
+ err(1, "unveil gmon.out");
 #endif
+ if (unveil(NULL, NULL) == -1)
+ err(1, "unveil NULL");
 host = argv[1];
 port = argv[2];
 path = argv[3];
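Review bot: In a PROFILE build the whole `#ifndef PROFILE` block, including the unveil of /etc/ssl/cert.pem, is compiled out, so once `unveil(NULL, NULL)` locks the view an HTTPS run of that build can no longer read the CA bundle the commit message says it needs; only gmon.out is visible there. Hoisting the certificate unveil above the `#ifndef`, as `if (https && unveil("/etc/ssl/cert.pem", "r") == -1) err(1, "unveil /etc/ssl/cert.pem");`, and letting the `#ifndef PROFILE` branch keep its original `if (!https) {` shape covers both builds with one code path. The gmon.out call tests `!= 0` while every neighbouring pledge/unveil call tests `== -1`; using `== -1` there keeps the error-check style uniform. After the view is locked the "unveil" promise is no longer needed, so a final pledge without it (`"stdio rpath inet dns"` for https, `"stdio inet dns"` otherwise) would shrink the promise set further if that is wanted. main() continues outside the hunk.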