From: Florian Obser Subject: Re: rpcinfo(8): add pledge & unveil. To: tech@openbsd.org Date: Wed, 14 Aug 2024 19:42:13 +0200 Any rpcinfo(8) users around? On 2024-08-11 14:04 +02, Florian Obser wrote: > Not an rpcinfo(8) user, but I think I tested all code paths. > > The rpc library needs read access to the rpc database in > /etc/rpc. Other than that rpcinfo(8) only uses AF_INET sockets. > > With -b, rpcinfo(8) uses gethostbyaddr(3) to report hosts that responded > so add "dns" pledge as well. > > I couldn't really test -b though, nothing answered, maybe that's normal > in this day and age? > > Tests, OKs? > > diff --git rpcinfo.c rpcinfo.c > index 91d99144c2c..489f45716fa 100644 > --- rpcinfo.c > +++ rpcinfo.c > @@ -50,6 +50,7 @@ > #include > #include > #include > +#include > > #define MAXHOSTLEN 256 > > @@ -94,6 +95,15 @@ main(int argc, char *argv[]) > function = NONE; > portnum = 0; > errflg = 0; > + > + if (unveil("/etc/rpc", "r") == -1) > + err(1, "unveil /"); > + if (unveil(NULL, NULL) == -1) > + err(1, "unveil"); > + > + if (pledge("stdio inet dns rpath", NULL) == -1) > + err(1, "pledge"); > + > while ((c = getopt(argc, argv, "ptubdsn:")) != -1) { > switch (c) { > > > -- > > In my defence, I have been left unsupervised. > -- In my defence, I have been left unsupervised.
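Review bot: in the second hunk the failure message for the first unveil call, err(1, "unveil /"), names "/" while the path being unveiled is "/etc/rpc"; change it to err(1, "unveil /etc/rpc") so a failure reports the path that was actually passed. The pledge call also sits before the getopt loop, so "dns" is granted on every code path although the description says only -b needs gethostbyaddr(3); consider a second, narrower pledge after option parsing that drops "dns" when -b was not given.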