OpenBSD Journal

Theo de Raadt on "unveil(2) usage in base"

Contributed by rueda on from the dance-of-the-seven-unveils dept.

In a message to tech@, Theo de Raadt (deraadt@) discusses the state of development of unveil(2) support in userland (and for a certain port):

This mail includes a large diff of userland which demonstrates how
unveil() will be used in base.

Additionally, some of you have probably noticed that there is an unveil
diff brewing for chrome in ports; others probably heard that unveil was
specifically designed to "also satisfy chrome's requirements".  Since
chrome already does pretty good privsep and is designed for filesystem
containment on other platforms, we considered its requirements in the
design of the mechanism.

First off, you need this kernel diff to enable unveil():

Index: sys/kern/vfs_syscalls.c
RCS file: /cvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.295
diff -u -p -u -r1.295 vfs_syscalls.c
--- sys/kern/vfs_syscalls.c	22 Jul 2018 06:31:17 -0000	1.295
+++ sys/kern/vfs_syscalls.c	25 Jul 2018 17:28:09 -0000
@@ -913,9 +913,6 @@ sys_unveil(struct proc *p, void *v, regi
	if (pathlen < 2)
		return EINVAL;

-	/* XXX unveil is disabled but returns sucess for now */
-	return 0;
	if (pathlen == 2 && pathname[0] == '/')
		    UIO_SYSSPACE, pathname, p);
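Review bot: Dropping the unconditional `return 0;` flips unveil(2) from a silent no-op into an enforced restriction for every existing caller at once, so the commit message (or a note in the manual page) should say that enforcement is now on; otherwise the fallout the cover text anticipates will be hard to attribute. The `/* XXX unveil is disabled but returns sucess for now */` comment goes away with the stub, so its typo needs no fix. Separately, the visible context is cut short: `if (pathlen == 2 && pathname[0] == '/')` is followed directly by `UIO_SYSSPACE, pathname, p);`, and the header claims a 9-line old region, so the hunk should be checked against revision 1.295 before it is applied from this copy.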

And here is the userland diff, applying to about 37 programs.  There will
be weaknesses and errors in here.  This is not perfect yet.

I hope we can bring that list to 50 before activating unveil().  A
snapshot release may precede that also, so that we can identify fallout
easier.  In any case, there are a few known bugs in the kernel side of unveil
which need fixing beforehand (nothing serious).

[userland diff omitted - Ed]
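The usage pattern the mail refers to, as an added example that is not part of the omitted diff or of any OpenBSD base program: a program lists the paths it needs with the narrowest permissions, locks the view with unveil(NULL, NULL), and only then calls pledge(2). On OpenBSD the real syscalls are used; elsewhere hypothetical stand-ins (`sandbox_unveil`, `sandbox_pledge`) are compiled that, like the kernel stub the diff above removes, report success without restricting anything, except that they return EINVAL for permission letters outside "rwxc" as the real call does. The rule table and paths are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
#define sandbox_unveil unveil
#define sandbox_pledge pledge
#else
/* Hypothetical stand-ins so the example builds on other hosts: they mirror
 * the EINVAL check for bad permission strings but otherwise restrict nothing,
 * which is exactly what the removed "return 0" stub did in the kernel. */
static int sandbox_unveil(const char *path, const char *perms)
{
	if (path != NULL && perms != NULL &&
	    strspn(perms, "rwxc") != strlen(perms)) {
		errno = EINVAL;
		return -1;
	}
	return 0;
}
static int sandbox_pledge(const char *promises, const char *execpromises)
{
	(void)promises; (void)execpromises;
	return 0;
}
#endif

struct unveil_rule {
	const char *path;	/* path to expose; NULL terminates the table */
	const char *perms;	/* any combination of "r", "w", "x", "c" */
};

/*
 * Apply the table in order, then lock the view with unveil(NULL, NULL) so
 * no later call can widen it.  Returns the number of rules applied on
 * success.  On the first failure it returns -(index + 1) (the terminator's
 * index for a failed lock) and leaves the view unlocked so the caller can
 * report errno and exit rather than run with a partial policy.
 */
int apply_unveil_rules(const struct unveil_rule *rules)
{
	int n = 0;

	for (; rules[n].path != NULL; n++) {
		if (sandbox_unveil(rules[n].path, rules[n].perms) == -1)
			return -(n + 1);
	}
	if (sandbox_unveil(NULL, NULL) == -1)
		return -(n + 1);
	return n;
}

/* Constructed table for a hypothetical tool that reads one config file,
 * needs the CA bundle, and appends to a log it may have to create. */
const struct unveil_rule demo_rules[] = {
	{ "/etc/example.conf",	"r" },
	{ "/etc/ssl/cert.pem",	"r" },
	{ "/var/log/example",	"rwc" },
	{ NULL, NULL },
};

int main(void)
{
	int rc = apply_unveil_rules(demo_rules);

	if (rc < 0) {
		fprintf(stderr, "unveil rule %d: %s\n", -rc, strerror(errno));
		return 1;
	}
	/* Filesystem view is fixed; now narrow the syscall surface too. */
	if (sandbox_pledge("stdio rpath wpath cpath", NULL) == -1) {
		perror("pledge");
		return 1;
	}
	printf("applied %d unveil rules, view locked\n", rc);
	return 0;
}
```

The order matters: unveil calls must all precede the lock, and pledge comes last because a "unveil" promise would otherwise be needed to keep calling unveil(2) after pledging. Before enforcement is switched on in the kernel, this program runs identically with and without the table, which is why the mail can land the userland changes first and watch for fallout afterwards.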
