author | Klemens Nanni <kn@openbsd.org> | 2023-10-21 09:54:48 +0300 |
---|---|---|
committer | Nico Williams <nico@cryptonector.com> | 2023-10-21 23:30:36 -0500 |
commit | f1bfd0c518473ab439eff4d56441ce165d8bd0ca | |
tree | 79daf6be1ce5507992825da6f283dcec2509692d /src | |
parent | 9de0e26ce613f7e534b2ff3a92ad0d06d329efab | |

Restrict systems operations on OpenBSD

Use pledge(2)[0] to limit jq(1) to reading files.
It does not change files and only writes to standard output/error.
It never deals with TTY, network, process management or other subsystems.

This is to reduce jq's attack surface and potential damage.

OpenBSD is carrying a local patch[1] in its official jq port/package
since 2016. An improved version:
- drop no longer needed "getpw" promise
  f1c4947 "Avoid getpwuid for static linking" removed getpwuid(3) usage
- pledge before jq_init() to simplify the error path
- use perror(3) to print errno(2)

No behaviour change in tests or real world usage observed on
OpenBSD/amd64 7.4.

0: https://man.openbsd.org/pledge.2
1: https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/textproc/jq/patches/patch-main_c

Diffstat (limited to 'src')
-rw-r--r-- | src/main.c | 7 |
1 files changed, 7 insertions, 0 deletions
@@ -324,6 +324,13 @@ int main(int argc, char* argv[]) { (void) setlocale(LC_ALL, ""); #endif +#ifdef __OpenBSD__ + if (pledge("stdio rpath", NULL) == -1) { + perror("pledge"); + exit(JQ_ERROR_SYSTEM); + } +#endif + #ifdef WIN32 jv_tsd_dtoa_ctx_init(); fflush(stdout); |
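
Review bot: the `pledge("stdio rpath", NULL)` call added in main() carries no comment recording why this promise set is sufficient, so the constraint is invisible to anyone who does not read the commit message. A pledge violation terminates the process with SIGABRT rather than returning an error, so a later feature that opens a file for writing, spawns a process or touches the network would fail only on OpenBSD and only at run time. A short comment above the call, for example "jq only reads files and writes to stdout/stderr; extend the promises if that changes", would make the rule discoverable where it is enforced. Two smaller points on the same block: the diffstat shows only these 7 insertions, so no `#include` is added and the call relies on `<unistd.h>` already being pulled into main.c under `__OpenBSD__`, which is worth confirming against a warning-free build; and since the message reports testing only on OpenBSD/amd64 7.4, it would help to state which jq options were exercised under the pledge.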