In typical swiss-army style, various modes and options cause

different unveils. Joint work with beck and florian. Let us know if you hit any corner cases.
author: deraadt <> 2018-08-10 17:15:22 +0000
committer: deraadt <> 2018-08-10 17:15:22 +0000
commit: b4a91e458f291c5d14f3d552f7ff69b4a6021672 (patch)
tree: 449d5e2bf3357979933c11d11614e45a4f14bc8c /src/usr.bin/nc/netcat.c
parent: 0ff3e48e08d4a139168e53beaaba5365134eef0b (diff)
download: openbsd-b4a91e458f291c5d14f3d552f7ff69b4a6021672.tar.gz
openbsd-b4a91e458f291c5d14f3d552f7ff69b4a6021672.tar.bz2
openbsd-b4a91e458f291c5d14f3d552f7ff69b4a6021672.zip
1 files changed, 24 insertions, 1 deletions
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index e03199e528..8e7f7e1718 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.191 2018/04/27 15:17:53 beck Exp $ */
+/* $OpenBSD: netcat.c,v 1.192 2018/08/10 17:15:22 deraadt Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -364,6 +364,29 @@ main(int argc, char *argv[])
        } else
                usage(1);
+        if (usetls) {
+                if (Cflag && unveil(Cflag, "r") == -1)
+                        err(1, "unveil");
+                if (unveil(Rflag, "r") == -1)
+                        err(1, "unveil");
+                if (Kflag && unveil(Kflag, "r") == -1)
+                        err(1, "unveil");
+                if (oflag && unveil(oflag, "r") == -1)
+                        err(1, "unveil");
+        } else {
+                if (family == AF_UNIX) {
+                        if (unveil(host, "rwc") == -1)
+                                err(1, "unveil");
+                        if (uflag && !lflag) {
+                                if (unveil(sflag ? sflag : "/tmp", "rwc") == -1)
+                                        err(1, "unveil");
+                        }
+                } else {
+                        if (unveil("/", "") == -1)
+                                err(1, "unveil");
+                }
+        }
        if (family == AF_UNIX) {
                if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
                        err(1, "pledge");
author	deraadt <>	2018-08-10 17:15:22 +0000
committer	deraadt <>	2018-08-10 17:15:22 +0000
commit	b4a91e458f291c5d14f3d552f7ff69b4a6021672 (patch)
tree	449d5e2bf3357979933c11d11614e45a4f14bc8c /src/usr.bin/nc/netcat.c
parent	0ff3e48e08d4a139168e53beaaba5365134eef0b (diff)
download	openbsd-b4a91e458f291c5d14f3d552f7ff69b4a6021672.tar.gz openbsd-b4a91e458f291c5d14f3d552f7ff69b4a6021672.tar.bz2 openbsd-b4a91e458f291c5d14f3d552f7ff69b4a6021672.zip

diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c index e03199e528..8e7f7e1718 100644 --- a/src/usr.bin/nc/netcat.c +++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: netcat.c,v 1.191 2018/04/27 15:17:53 beck Exp $ */	1	/* $OpenBSD: netcat.c,v 1.192 2018/08/10 17:15:22 deraadt Exp $ */
2	/*	2	/*
3	* Copyright (c) 2001 Eric Jackson <ericj@monkey.org>	3	* Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
4	* Copyright (c) 2015 Bob Beck. All rights reserved.	4	* Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -364,6 +364,29 @@ main(int argc, char *argv[])
364	} else	364	} else
365	usage(1);	365	usage(1);
366		366
		367	if (usetls) {
		368	if (Cflag && unveil(Cflag, "r") == -1)
		369	err(1, "unveil");
		370	if (unveil(Rflag, "r") == -1)
		371	err(1, "unveil");
		372	if (Kflag && unveil(Kflag, "r") == -1)
		373	err(1, "unveil");
		374	if (oflag && unveil(oflag, "r") == -1)
		375	err(1, "unveil");
		376	} else {
		377	if (family == AF_UNIX) {
		378	if (unveil(host, "rwc") == -1)
		379	err(1, "unveil");
		380	if (uflag && !lflag) {
		381	if (unveil(sflag ? sflag : "/tmp", "rwc") == -1)
		382	err(1, "unveil");
		383	}
		384	} else {
		385	if (unveil("/", "") == -1)
		386	err(1, "unveil");
		387	}
		388	}
		389
367	if (family == AF_UNIX) {	390	if (family == AF_UNIX) {
368	if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)	391	if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
369	err(1, "pledge");	392	err(1, "pledge");