authormestre <mestre@openbsd.org>2019-04-24 19:13:49 +0000
committermestre <mestre@openbsd.org>2019-04-24 19:13:49 +0000
commit2c5f7704d45cdbd00da85f289bc5740b890525f3 (patch)
treecbedfd1deecac1113207b3dd60710a7e8362f2df
parentIn unattended mode do a reboot even if things go wrong and (diff)
downloadwireguard-openbsd-2c5f7704d45cdbd00da85f289bc5740b890525f3.tar.xz
wireguard-openbsd-2c5f7704d45cdbd00da85f289bc5740b890525f3.zip
restrict filesystem access to read only on main process via unveil(2)
ok benno@ deraadt@
-rw-r--r--usr.sbin/relayd/relayd.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/relayd/relayd.c b/usr.sbin/relayd/relayd.c
index 5781389f379..9e80bed2d09 100644
--- a/usr.sbin/relayd/relayd.c
+++ b/usr.sbin/relayd/relayd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.c,v 1.174 2018/09/09 21:06:51 bluhm Exp $ */
+/* $OpenBSD: relayd.c,v 1.175 2019/04/24 19:13:49 mestre Exp $ */
/*
* Copyright (c) 2007 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -222,6 +222,11 @@ main(int argc, char *argv[])
if (ps->ps_noaction == 0)
log_info("startup");
+ if (unveil("/", "r") == -1)
+ err(1, "unveil");
+ if (unveil(NULL, NULL) == -1)
+ err(1, "unveil");
+
event_init();
signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);
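Review bot: The `unveil("/", "r")` added before `event_init()` leaves the main process with read-only access to the whole tree, so any later path operation that needs create, write or execute permission will only fail at runtime, long after startup. The hunk does not show what the parent does after this point; if it is the process that executes external programs for `check script` health checks (to be confirmed against the rest of relayd.c), the permission string would need to be `"rx"`, i.e. `if (unveil("/", "rx") == -1)`. A short comment above the calls saying why all of `/` must stay readable (presumably because config, certificate and key paths are only known from the configuration) would document the intended boundary. Distinct messages such as `err(1, "unveil /")` for the first call would make the two failure paths distinguishable in logs. The body of main() starts and ends outside the hunk.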