switchd(8)'s main proc needs to open the following paths, and which can be

unveiled: / -> read, it will open config files from anywhere in the system /dev -> read/write, in order to open /dev/tap* and /dev/switch* hint and OK akoshibe@
author: mestre <mestre@openbsd.org> 2019-07-22 09:19:52 +0000
committer: mestre <mestre@openbsd.org> 2019-07-22 09:19:52 +0000
commit: 553b2e586e86053cb51c6d5e3e6dfca50990e63f (patch)
tree: 05c604131109982c0d3da0f109e9424f49fe7697 /usr.sbin/switchd
parent: Zap useless globals (diff)
download: wireguard-openbsd-553b2e586e86053cb51c6d5e3e6dfca50990e63f.tar.xz
wireguard-openbsd-553b2e586e86053cb51c6d5e3e6dfca50990e63f.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.sbin/switchd/switchd.c b/usr.sbin/switchd/switchd.c
index c42ee62fad8..d2521e0bd0b 100644
--- a/usr.sbin/switchd/switchd.c
+++ b/usr.sbin/switchd/switchd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: switchd.c,v 1.16 2018/09/10 13:21:39 akoshibe Exp $	*/
+/*	$OpenBSD: switchd.c,v 1.17 2019/07/22 09:19:52 mestre Exp $	*/
 
 /*
  * Copyright (c) 2013-2016 Reyk Floeter <reyk@openbsd.org>
@@ -191,6 +191,10 @@ main(int argc, char *argv[])
 
 	log_procinit("parent");
 
+	if (unveil("/", "r") == -1)
+		fatal("unveil");
+	if (unveil("/dev", "rw") == -1)
+		fatal("unveil");
 	/*
 	 * pledge in the parent process:
 	 * stdio - for malloc and basic I/O including events.
author	mestre <mestre@openbsd.org>	2019-07-22 09:19:52 +0000
committer	mestre <mestre@openbsd.org>	2019-07-22 09:19:52 +0000
commit	553b2e586e86053cb51c6d5e3e6dfca50990e63f (patch)
tree	05c604131109982c0d3da0f109e9424f49fe7697 /usr.sbin/switchd
parent	Zap useless globals (diff)
download	wireguard-openbsd-553b2e586e86053cb51c6d5e3e6dfca50990e63f.tar.xz wireguard-openbsd-553b2e586e86053cb51c6d5e3e6dfca50990e63f.zip