util/nvmutil: call unveil earlier, and harden
The mentality behind pledge and unveil is that you should think ahead, so that large parts of code can run under extremely tight restrictions. The pledge calls have been adjusted accordingly, also. Disallow all unveil calls after the gbe file and the file /dev/urandom have been unveiled. Signed-off-by: Leah Rowe <leah@libreboot.org>fsdg20230625
parent
db63fcffb5
commit
94aa43d857
@ -7,12 +7,19 @@ int
main(int argc, char *argv[])
{
xpledge("stdio rpath wpath unveil", NULL);
xunveil("/dev/urandom", "r");
err_if((errno = argc < 3 ? EINVAL : errno));
if ((flags = (strcmp(COMMAND, "dump") == 0) ? O_RDONLY : flags)
== O_RDONLY)
xpledge("stdio rpath unveil", NULL);
== O_RDONLY) {
xunveil(FILENAME, "r");
xpledge("stdio rpath", NULL);
} else {
xunveil(FILENAME, "rw");
xpledge("stdio rpath wpath", NULL);
}
openFiles(FILENAME);
xpledge("stdio", NULL);
for (int i = 0; i < 6; i++)
if (strcmp(COMMAND, op[i].str) == 0)
if ((cmd = argc >= op[i].args ? op[i].cmd : NULL))
@ -23,9 +30,10 @@ main(int argc, char *argv[])
err_if((errno = (!((part = PARTNUM[0] - '0') == 0 || part == 1))
|| PARTNUM[1] ? EINVAL : errno));
err_if((errno = (cmd == NULL) ? EINVAL : errno));
readGbeFile(FILENAME);
readGbeFile(FILENAME);
(*cmd)();
if ((gbeFileModified) && (flags != O_RDONLY))
writeGbeFile(FILENAME);
err_if((errno != 0) && (cmd != &cmd_dump));
@ -41,9 +49,6 @@ openFiles(const char *path)
err(errno = ECANCELED, "File `%s` not 8KiB", path);
xopen(rfd, "/dev/urandom", O_RDONLY);
errno = errno != ENOTDIR ? errno : 0;
xunveil("/dev/urandom", "r");
if (flags != O_RDONLY)
xunveil(path, "w");
}
void
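Review bot: The path "/dev/urandom" is now spelled as a literal in two places that must stay in agreement — the `xunveil("/dev/urandom", "r");` added at the top of main and the `xopen(rfd, "/dev/urandom", O_RDONLY);` that stays in openFiles — so a later edit to either one would make the open fail under the unveil set without any compile-time signal; a single file-scope constant such as `static const char urandom_path[] = "/dev/urandom";` used by both calls would keep them coupled. The two `xpledge("stdio rpath", NULL);` / `xpledge("stdio rpath wpath", NULL);` calls in the if/else branches are what actually lock the unveil list, since they drop the "unveil" promise, and a comment on the first such as `/* dropping "unveil" from the promises locks the unveil list */` would make the intent stated in the commit message visible in the code. The later `xpledge("stdio", NULL);` after openFiles means readGbeFile and writeGbeFile can only use descriptors that are already open — presumably that is the case, but it is not visible in this diff, and a comment like `/* no further open(2)/unveil(2): only the fds from openFiles() remain usable */` would record that contract for the next maintainer. main continues outside the first hunk, so the remaining pledge surface after that line cannot be confirmed from here.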