Add unveil(2) to sdiff(1) to the following files:

filename1 - given via args - read permission filename2 - same as above tmpdir - if TMPDIR env var is changed, or _PATH_TMP by default - read/write/create/delete permissions /usr/bin/diff - the default diff program - execute permission _PATH_BSHELL - to spawn an EDITOR/VISUAL if -o is used - execute permission this diff only applies unveil(2) if -F is not used, meaning that we are not changing the default diff program to be used since that way we would need to find where the binary is whereas by default we are sure that the path is /usr/bin/diff. this will be revisited at a later stage to cover all cases. feedback and OK millert@ deraadt@
2025-01-10 06:47:55 -08:00 · 2018-09-28 18:21:52 +00:00 · 2018-09-28 18:21:52 +00:00 · 32a0d31851
commit 32a0d31851
parent ae4d54d349
1 changed files with 18 additions and 4 deletions
--- a/usr.bin/sdiff/sdiff.c
+++ b/usr.bin/sdiff/sdiff.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: sdiff.c,v 1.36 2015/12/29 19:04:46 gsoares Exp $ */
+/*	$OpenBSD: sdiff.c,v 1.37 2018/09/28 18:21:52 mestre Exp $ */

 /*
 * Written by Raymond Lai <ray@cyth.net>.
@ -163,9 +163,7 @@ main(int argc, char **argv)
 	const char *outfile = NULL;
 	char **diffargv, *diffprog = "diff", *filename1, *filename2,
 	    *tmp1, *tmp2, *s1, *s2;
-
-	if (pledge("stdio rpath wpath cpath proc exec", NULL) == -1)
-		err(2, "pledge");
+	unsigned int Fflag = 0;

 	/*
 	 * Process diff flags.
@ -206,6 +204,7 @@ main(int argc, char **argv)
 			break;
 		case 'F':
 			diffargv[0] = diffprog = optarg;
+			Fflag = 1;
 			break;
 		case 'H':
 			diffargv[diffargc++] = "-H";
@ -262,6 +261,21 @@ main(int argc, char **argv)
 	filename1 = argv[0];
 	filename2 = argv[1];

+	if (!Fflag) {
+		if (unveil(filename1, "r") == -1)
+			err(2, "unveil");
+		if (unveil(filename2, "r") == -1)
+			err(2, "unveil");
+		if (unveil(tmpdir, "rwc") == -1)
+			err(2, "unveil");
+		if (unveil("/usr/bin/diff", "x") == -1)
+			err(2, "unveil");
+		if (unveil(_PATH_BSHELL, "x") == -1)
+			err(2, "unveil");
+	}
+	if (pledge("stdio rpath wpath cpath proc exec", NULL) == -1)
+		err(2, "pledge");
+
 	/*
 	 * Create temporary files for diff and sdiff to share if file1
 	 * or file2 are not regular files.  This allows sdiff and diff