From 00917a0415629abbf675fd14d8752a0a27ab1ff5 Mon Sep 17 00:00:00 2001
From: Emmanuel Roullit
Date: Fri, 1 Mar 2019 15:21:46 +0100
Subject: [PATCH] init: use pledge(2) after suricata initialization.

pledge(2) can be used on OpenBSD to restrict suricata possible operation on the system once initialization is completed.

The process promises to only make use of:
- "stdio" to allow read(2) on IPS rules and write(2) on log file
- "rpath wpath cpath" to allow log rotation
- "unix" to operate the control unix socket and log unix sockets
- "dns" to retrieve DNS from recvfrom(2)/sento(2) in IPFW mode
- "bpf" as suricata uses libpcap, which uses the BIOCGSTATS operation

Signed-off-by: Emmanuel Roullit
---
 src/suricata.c | 1 +
 src/util-error.c | 1 +
 src/util-error.h | 1 +
 src/util-privs.c | 15 +++++++++++++++
 src/util-privs.h | 6 ++++++
 5 files changed, 24 insertions(+)

diff --git a/src/suricata.c b/src/suricata.c
index 97dcdf194b..4f9e49c796 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -3023,6 +3023,7 @@ int main(int argc, char **argv)
 #endif
 #endif
 
+    SCPledge();
     SuricataMainLoop(&suricata);
 
     /* Update the engine stage/status flag */
diff --git a/src/util-error.c b/src/util-error.c
index 4f069d42a0..a77519271b 100644
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -198,6 +198,7 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_ERR_CHANGING_CAPS_FAILED);
         CASE_CODE (SC_ERR_LIBCAP_NG_REQUIRED);
         CASE_CODE (SC_ERR_LIBNET11_INCOMPATIBLE_WITH_LIBCAP_NG);
+        CASE_CODE (SC_ERR_PLEDGE_FAILED);
         CASE_CODE (SC_WARN_FLOW_EMERGENCY);
         CASE_CODE (SC_ERR_SVC);
         CASE_CODE (SC_ERR_ERF_DAG_OPEN_FAILED);
diff --git a/src/util-error.h b/src/util-error.h
index 80b6fbad93..76debeca71 100644
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -349,6 +349,7 @@ typedef enum {
     SC_WARN_RUST_NOT_AVAILABLE,
     SC_WARN_DEFAULT_WILL_CHANGE,
     SC_WARN_EVE_MISSING_EVENTS,
+    SC_ERR_PLEDGE_FAILED,
     SC_ERR_MAX,
 } SCError;
 
diff --git a/src/util-privs.c b/src/util-privs.c
index 1689272f16..64a3c01096 100644
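Review bot: The new `SCPledge();` line in main() carries no comment, so a reader cannot tell that it is a one-way sandboxing step that has to stay after every initialization that needs broader syscalls (config and rule loading, privilege drop, thread start-up) and immediately before the main loop. A comment on the line above would record that: `/* OpenBSD: restrict the process to the pledge(2) promises the main loop needs; must stay after all setup */`. The return value is discarded, which is harmless today because SCPledge() exits on failure, but the prototype still returns int, so the contract is worth stating in the header. main() starts and ends outside this hunk.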
--- a/src/util-privs.c
+++ b/src/util-privs.c
@@ -235,4 +235,19 @@ int SCGetGroupID(const char *group_name, uint32_t *gid)
     return 0;
 }
+
+#ifdef __OpenBSD__
+int SCPledge(void)
+{
+    int ret = pledge("stdio rpath wpath cpath unix dns bpf", NULL);
+
+    if (ret != 0) {
+        SCLogError(SC_ERR_PLEDGE_FAILED, "unable to pledge,"
+                " check permissions!! ret=%i errno=%i", ret, errno);
+        exit(EXIT_FAILURE);
+    }
+
+    return 0;
+}
+#endif /* __OpenBSD__ */
 
 #endif /* OS_WIN32 */
diff --git a/src/util-privs.h b/src/util-privs.h
index a60b755410..1464731a1c 100644
--- a/src/util-privs.h
+++ b/src/util-privs.h
@@ -94,5 +94,11 @@ void SCDropMainThreadCaps(uint32_t , uint32_t );
 int SCGetUserID(const char *, const char *, uint32_t *, uint32_t *);
 int SCGetGroupID(const char *, uint32_t *);
 
+#ifdef __OpenBSD__
+int SCPledge(void);
+#else /* __OpenBSD__ */
+#define SCPledge(...)
+#endif /* __OpenBSD__ */
+
 #endif /* _UTIL_PRIVS_H */
 
-- 
2.47.2
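Review bot: The promise string `"stdio rpath wpath cpath unix dns bpf"` in SCPledge() has no comment explaining what each promise is for; that rationale lives only in the commit message, so whoever adds a feature later cannot tell which promise it depends on or why a pledge violation killed the process. A block comment above the function mapping each promise to the Suricata operation it covers (rule and log file I/O, log rotation, control and log unix sockets, IPFW recvfrom/sendto, libpcap's BIOCGSTATS ioctl) would keep that knowledge next to the code. The commit message credits `dns` for IPFW recvfrom(2)/sendto(2), but the pledge(2) manual describes `dns` as covering DNS transactions rather than general socket traffic, so if the divert-socket path is reachable after this call it likely also needs `inet`; worth verifying with an IPFW run on OpenBSD. In the error branch `ret` adds nothing since pledge(2) only returns 0 or -1, and a text errno reads better than a number: `SCLogError(SC_ERR_PLEDGE_FAILED, "unable to pledge: %s", strerror(errno));` with `<errno.h>`/`<string.h>` confirmed as included in util-privs.c, which is not visible here.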
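Review bot: The non-OpenBSD fallback `#define SCPledge(...)` erases the call entirely, so `SCPledge();` becomes an empty statement and any future `if (SCPledge() != 0)` would fail to compile only on non-OpenBSD builds; the variadic form also silently accepts arguments the real function rejects. A `static inline int SCPledge(void) { return 0; }` in the `#else` branch keeps one signature on every platform and lets the compiler type-check the call everywhere. The prototype would also benefit from a short Doxygen comment stating that the call is one-way, exits the process on failure, and must follow all initialization. The definition it declares lives in util-privs.c, outside this hunk.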