pledge(2) all programs

All programs except mshow have a very tight set of promises. mshow has a broad set of promises and might be a good future candidate to further restrict using unveil(2). This patch is based on commit 0300a11 by Alex Holst (dated 2017-12-07), which was proposed in GH PR leahneukirchen#79. * pledged mpick, mflow and mdate so that now all programs are pledged * removed some unneeded promises and added some missing promises * move err.h include and OpenBSD ifdef into a new xpledge.h * cleaned up code aligning and whitespace Closes: leahneukirchen#179 [via git-merge-pr]
salewski · Sep 6, 2020 · 4763032 · 4763032
1 parent 6bd687b
commit 4763032
Show file tree

Hide file tree

Showing 21 changed files with 100 additions and 1 deletion.
diff --git a/maddr.c b/maddr.c
@@ -7,6 +7,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int aflag;
 static int dflag;
@@ -108,6 +109,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", addr);
 	else

diff --git a/magrep.c b/magrep.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int aflag;
 static int cflag;
@@ -218,6 +219,8 @@ main(int argc, char *argv[])
 	if (!rx)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	*rx++ = 0;
 	int r = regcomp(&pattern, rx, REG_EXTENDED | iflag);
 	if (r != 0) {

diff --git a/mdate.c b/mdate.c
@@ -1,11 +1,17 @@
 #include <time.h>
 #include <unistd.h>
 
+#include "xpledge.h"
+
 int
 main()
 {
 	char buf[64];
-	time_t now = time(0);
+	time_t now;
+
+	xpledge("stdio", "");
+
+	now = time(0);
 
 	ssize_t l = strftime(buf, sizeof buf,
 	    "%a, %d %b %Y %T %z\n", localtime(&now));

diff --git a/mdeliver.c b/mdeliver.c
@@ -13,6 +13,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 /*
 design rationale:
@@ -340,6 +341,8 @@ main(int argc, char *argv[])
 	if (argc != optind+1)
 		goto usage2;
 
+	xpledge("stdio rpath wpath cpath", "");
+
 	targetdir = argv[optind];
 
 	gethost();

diff --git a/mdirs.c b/mdirs.c
@@ -9,6 +9,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static char sep = '\n';
 int aflag;
@@ -88,6 +89,8 @@ main(int argc, char *argv[])
 	if (argc == optind)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	char toplevel[PATH_MAX];
 	if (!getcwd(toplevel, sizeof toplevel)) {
 		perror("mdirs: getcwd");

diff --git a/mexport.c b/mexport.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Sflag;
 
@@ -141,6 +142,8 @@ main(int argc, char *argv[])
 
 	status = 0;
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", export);
 	else

diff --git a/mflag.c b/mflag.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int8_t flags[255];
 static int vflag = 0;
@@ -134,6 +135,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath cpath", "");
+
 	curfile = blaze822_seq_cur();
 
 	if (vflag) {

diff --git a/mflow.c b/mflow.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 int column = 0;
 int maxcolumn = 80;
@@ -107,6 +108,8 @@ main(int argc, char *argv[])
 	int force = 0;
 	int delsp = 0;
 
+	xpledge("stdio rpath tty", "");
+
 	char *ct = getenv("PIPE_CONTENTTYPE");
 	if (ct) {
 		char *s, *se;
@@ -130,6 +133,8 @@ main(int argc, char *argv[])
 		}
 	}
 
+	xpledge("stdio", "");
+
 	char *maxcols = getenv("MAXCOLUMNS");
 	if (maxcols && isdigit(*maxcols)) {
 		int m = atoi(maxcols);

diff --git a/mgenmid.c b/mgenmid.c
@@ -13,6 +13,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 void
 printb36(uint64_t x)
@@ -36,6 +37,8 @@ int main()
 	char *f = blaze822_home_file("profile");
 	struct message *config = blaze822(f);
 
+	xpledge("stdio rpath", "");
+
 	if (config) // try FQDN: first
 		host = blaze822_hdr(config, "fqdn");
 

diff --git a/mhdr.c b/mhdr.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static char *hflag;
 static char *pflag;
@@ -245,6 +246,8 @@ main(int argc, char *argv[])
 
 	status = 1;
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(".", header);
 	else

diff --git a/minc.c b/minc.c
@@ -12,6 +12,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int qflag;
 static int status;
@@ -76,6 +77,8 @@ main(int argc, char *argv[])
 	if (optind == argc)
 		goto usage;
 
+	xpledge("stdio rpath cpath", "");
+
 	status = 0;
 	for (i = optind; i < argc; i++)
 		inc(argv[i]);

diff --git a/mlist.c b/mlist.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 /*
 
@@ -272,6 +273,8 @@ main(int argc, char *argv[])
 
 	int i;
 
+	xpledge("stdio rpath", "");
+
 	for (i = 0, flagsum = 0, flagset = 0; (size_t)i < sizeof flags; i++) {
 		if (flags[i] != 0)
 			flagset++;

diff --git a/mmime.c b/mmime.c
@@ -16,6 +16,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int cflag;
 static int rflag;
@@ -521,6 +522,8 @@ main(int argc, char *argv[])
 	if (argc != optind)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	if (cflag)
 		return check();
 

diff --git a/mpick.c b/mpick.c
@@ -43,6 +43,7 @@
 #include <wchar.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 enum op {
 	EXPR_OR = 1,
@@ -1463,6 +1464,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	void *cb = need_thr ? collect : oneline;
 	if (argc == optind && isatty(0))
 		i = blaze822_loop1(":", cb);

diff --git a/mscan.c b/mscan.c
@@ -2,6 +2,8 @@
 #define _XOPEN_SOURCE 700
 #endif
 
+#include "xpledge.h"
+
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -549,6 +551,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath tty proc exec", NULL);
+
 	if (nflag) {
 		if (argc == optind && isatty(0))
 			blaze822_loop1(":", numline);
@@ -584,6 +588,9 @@ main(int argc, char *argv[])
 	}
 	if (ttyfd >= 0)
 		close(ttyfd);
+
+	xpledge("stdio rpath", "");
+
 	if (getenv("COLUMNS"))
 		cols = atoi(getenv("COLUMNS"));
 	if (cols <= 40)

diff --git a/msed.c b/msed.c
@@ -11,6 +11,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static char *expr;
 
@@ -323,6 +324,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	expr = argv[optind];
 	optind++;
 

diff --git a/mseq.c b/mseq.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int fflag;
 static int rflag;
@@ -298,6 +299,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath wpath cpath", "");
+
 	if (cflag)
 		blaze822_loop1(cflag, overridecur);
 

diff --git a/mshow.c b/mshow.c
@@ -14,6 +14,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Bflag;
 static int rflag;
@@ -797,6 +798,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath wpath cpath proc exec", NULL);
+
 	if (!rflag && !xflag && !Oflag && !Rflag)
 		safe_output = 1;
 
@@ -822,17 +825,22 @@ main(int argc, char *argv[])
 	}
 
 	if (xflag) { // extract
+		xpledge("stdio rpath wpath cpath", NULL);
 		extract(xflag, argc-optind, argv+optind, 0);
 	} else if (Oflag) { // extract to stdout
+		xpledge("stdio rpath", NULL);
 		extract(Oflag, argc-optind, argv+optind, 1);
 	} else if (tflag) { // list
+		xpledge("stdio rpath", NULL);
 		if (argc == optind && isatty(0))
 			blaze822_loop1(".", list);
 		else
 			blaze822_loop(argc-optind, argv+optind, list);
 	} else if (Rflag) { // render for reply
+		xpledge("stdio rpath", NULL);
 		blaze822_loop(argc-optind, argv+optind, reply);
 	} else { // show
+		/* XXX pledge: still r/w on the whole file-system + fork/exec */
 		if (!(qflag || rflag || Fflag)) {
 			char *f = getenv("MAILFILTER");
 			if (!f)

diff --git a/msort.c b/msort.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 struct mail {
 	char *file;
@@ -316,6 +317,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
 
 	mails = calloc(sizeof (struct mail), mailalloc);
 	if (!mails)

diff --git a/mthread.c b/mthread.c
@@ -19,6 +19,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int vflag;
 static int pflag;
@@ -419,6 +420,8 @@ main(int argc, char *argv[])
 
 	optional = 1;
 
+	xpledge("stdio rpath", "");
+
 	while ((c = getopt(argc, argv, "S:prv")) != -1)
 		switch (c) {
 		case 'S': blaze822_loop1(optarg, thread); break;