This service seems like a common dependency for desktop environments
and runs as root speaking D-Bus without any active security mechanisms.
ioctl(2) for cd(4) and sysctl(2) hw.disknames usage currently prevents
using pledge(2).
Use unveil("/", "rwc") for starters to strip x bits as, by design, this
daemon is not executing anything (it spawns a thread, though).
Perhaps "c" could be dropped as well, but I haven't looked that far into
its Qt and D-Bus tentacles to check whether it does indeed never try
to create any files.
This works for me under Xfce.
Feedback? Objection? OK?
Index: Makefile
===================================================================
RCS file: /cvs/ports/sysutils/openbsdisks2/Makefile,v
diff -u -p -r1.8 Makefile
--- Makefile 27 Sep 2023 17:16:32 -0000 1.8
+++ Makefile 8 Nov 2023 10:27:38 -0000
@@ -2,6 +2,7 @@ COMMENT = UDisks2 service implementation
V = 0.3.1
DISTNAME = openbsdisks2-${V}
+REVISION = 0
CATEGORIES = sysutils
@@ -15,6 +16,7 @@ PERMIT_PACKAGE = Yes
# C++
COMPILER = base-clang ports-gcc
+# uses unveil()
WANTLIB += ${COMPILER_LIBCXX} Qt5Core Qt5DBus c m util
SITES = https://github.com/sizeofvoid/openbsdisks2/releases/download/v${V}/
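Review bot: the "# uses unveil()" marker mirrors the ports convention for the "# uses pledge()" comment and sits above WANTLIB where readers look for it; no WANTLIB change is needed since unveil(2) is in libc and "c" is already listed. Consider extending the comment with the reason pledge(2) is not used (the cd(4) ioctl(2) and hw.disknames sysctl(2) mentioned in the mail), so the next maintainer does not retry pledge without that context.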
Index: patches/patch-src_main_cpp
===================================================================
RCS file: patches/patch-src_main_cpp
diff -N patches/patch-src_main_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_main_cpp 8 Nov 2023 10:56:01 -0000
@@ -0,0 +1,28 @@
+Uncovered sysctl(2) and ioctl(2) prevents pledge(2) usage.
+unveil(2) all files read-write-create to prevent execution.
+Index: src/main.cpp
+--- src/main.cpp.orig
++++ src/main.cpp
+@@ -34,8 +34,10 @@
+ #include "manageradaptor.h"
+ #include "objectmanager.h"
+
++#include <err.h>
+ #include <iostream>
+ #include <syslog.h>
++#include <unistd.h>
+
+ #include <QSet>
+
+@@ -84,6 +86,11 @@ static void msg_handler(QtMsgType type, const QMessage
+
+ int main(int argc, char** argv)
+ {
++ if (unveil("/", "rwc") == -1)
++ err(1, "unveil /");
++ if (unveil(NULL, NULL) == -1)
++ err(1, "unveil NULL");
++
+ qInstallMessageHandler(msg_handler);
+
+ qRegisterMetaType<Configuration>();
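Review bot: the unveil(2) failure path in main() reports only through err(3) to stderr, while the daemon otherwise routes diagnostics through msg_handler and syslog(3) (syslog.h is already included); when the service is started by D-Bus activation without a terminal, a failed unveil would exit with nothing visible to the operator, so consider also logging through syslog before exiting. The ordering itself is right: both calls run before any Qt setup, and unveil(NULL, NULL) locks the view so later code cannot widen it. Minor wording in the patch header: "Uncovered sysctl(2) and ioctl(2) prevents pledge(2) usage" should read "prevent".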