IABSD.fr/src/usr.sbin/ldpd

    Commit

  • Author : mestre
    Date : 2019-08-10 01:30:53
    Hash : 44e5c375
    Message : Like we did on other daemons that cannot be pledged due to forbidden ioctls, the main process can be unveiled to restrict filesystem access. In this case we can restrict it to only read, although it must be the entire / since the daemon is able to include config files from anywhere.

    Additionally the ldpe process currently has cpath promise to unlink the socket, nevertheless the socket is actually unlinked from the main proc so this permission can be removed.

    As we discussed before, leaving the socket behind doesn't do any harm, that's why I didn't unveil it in the main proc.

    OK deraadt@