From c51b37c71d11b9ab42875dfa4cb3fb413940f068 Mon Sep 17 00:00:00 2001
From: Klemens Nanni
Date: Sun, 13 Apr 2025 20:35:27 +0300
Subject: [PATCH] OpenBSD: use unveil(2) and pledge(2) to drop privileges

On startup, lose the ability to execute any file as uxplay(1) facilitates no such feature and should thus never be allowed to run another program.

Further, if video is disabled, promise to only use certain system call subsets (video uses shmget(2), which no pledge(2) promise covers).

This is a start to restrict uxplay(1) for it has full network, audio, filesystem and graphical user session access, usually running as your private user instead and not a dedicated one.

No change on other systems. However, this may help them understand and implement similar security mechanisms.
---
 uxplay.cpp | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/uxplay.cpp b/uxplay.cpp
index 914c263..d66c34b 100644
--- a/uxplay.cpp
+++ b/uxplay.cpp
@@ -52,6 +52,9 @@
 # include
 # else
 # include
+# ifdef __OpenBSD__
+# include
+# endif
 # endif
 #endif

@@ -2179,6 +2182,12 @@ int main (int argc, char *argv[]) {
 std::vector server_hw_addr;
 std::string config_file = "";

+#ifdef __OpenBSD__
+ if (unveil("/", "rwc") == -1 || unveil(NULL, NULL) == -1) {
+ err(1, "unveil");
+ }
+#endif
+
 #ifdef SUPPRESS_AVAHI_COMPAT_WARNING
 // suppress avahi_compat nag message. avahi emits a "nag" warning (once)
 // if getenv("AVAHI_COMPAT_NOWARN") returns null.
@@ -2340,6 +2349,12 @@ int main (int argc, char *argv[]) {
 video_decoder.c_str(), video_converter.c_str(), videosink.c_str(), videosink_options.c_str(), fullscreen, video_sync, h265_support, playbin_version, NULL);
 video_renderer_start();
+#ifdef __OpenBSD__
+ } else {
+ if (pledge("stdio rpath wpath cpath inet unix prot_exec", NULL) == -1) {
+ err(1, "pledge");
+ }
+#endif
 }
 if (udp[0]) {
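Review bot: The `unveil("/", "rwc")` call in the second hunk keeps read, write and create access to the entire filesystem and withholds only the execute permission, which is the intent stated in the commit message but is not visible at the call site; a comment such as `// Keep full filesystem access but drop "x": uxplay never executes another program.` would stop a later maintainer from narrowing or widening the path without understanding the trade-off. Since the pledge(2) in the third hunk is reached only on the no-video path, this unveil is the sole restriction in the video-enabled configuration, which is also worth a sentence at the call site. The `err(1, "unveil")` depends on the header added in the first hunk, whose name did not survive extraction here, so confirm `<err.h>` (and `<unistd.h>` for unveil/pledge) is what that hunk includes. main's body continues outside the hunk.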