From: Kirill A. Korinsky
Subject: Re: pledge(2) in fc-cache(1)
To: "Anthony J. Bentley"
Cc: tech@openbsd.org
Date: Fri, 23 May 2025 12:44:12 +0200

On Fri, 23 May 2025 11:00:37 +0200, "Anthony J. Bentley" wrote:
>
> When pkg_add installs a font, it regenerates the fontconfig cache,
> /var/cache/fontconfig, by running fc-cache(1) as root. pledge(2) would
> be a useful addition to this procedure.
>
> We have to be careful to call pledge after the optional -c chroot.
> Other than that, I didn't find any operations not allowed by the
> new promises.
>
> Since pkg_add runs fc-cache as root, even with this patch an fc-cache
> exploit could theoretically allow a malicious font to trigger writes
> anywhere. I believe we should create a new base system user _fontconfig
> who owns /var/cache/fontconfig/, and have pkg_add drop to it when
> running fc-cache. But that would be a future diff.
>
> unveil(2) may also help here, but the code turned out unattractive and
> needs more testing, so I've left it for later as well.
>
> This diff survived a full xenocara release and sequential pkg_adds of
> about 100 font packages.
>

I think that the right way is to send it upstream so as not to increase the burden of updating xenocara. Am I wrong?

> ok?
>
> --- dist/fontconfig/fc-cache/fc-cache.c
> +++ dist/fontconfig/fc-cache/fc-cache.c
> @@ -39,6 +39,7 @@
> #endif
> #include
> #include
> +#include
> #include
> #include
> #ifdef HAVE_DIRENT_H
> @@ -378,6 +379,10 @@ main (int argc, char **argv)
> }
> systemOnly = FcTrue;
> }
> +
> + if (pledge("stdio rpath wpath cpath flock", NULL) == -1)
> + err(1, "pledge");
> +
> if (systemOnly)
> FcConfigEnableHome (FcFalse);
> if (sysroot)

--
wbr, Kirill
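Review bot: the header name on the added `+#include` line in the first hunk (at line 39 of fc-cache.c) has been lost in this copy of the mail, so the include cannot be checked against what the new code needs; the second hunk calls both pledge(2), declared in <unistd.h>, and err(3), declared in <err.h>, so please confirm both headers are pulled in, and since the surrounding context already uses a configure guard (`#ifdef HAVE_DIRENT_H`), an OpenBSD-only header should get a similar guard if this is sent upstream as the reply suggests.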
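Review bot: the hunk at line 378 of main() does not show the -c chroot handling that the cover text says must run before pledge(2), so the placement after the `systemOnly = FcTrue;` block cannot be verified from the diff alone; please confirm in the full source that no chroot(2) call (or any other operation outside "stdio rpath wpath cpath flock", such as changing file ownership or mode on the cache files) happens after this point, and for an upstream submission wrap the `if (pledge(...) == -1) err(1, "pledge");` pair in a portability guard, since fontconfig is built on systems without pledge(2).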