From ad9a065c467f77a265a5cd11a81a6f208a3e64b3 Mon Sep 17 00:00:00 2001
From: matthieu
Date: Mon, 20 Apr 2020 18:17:25 +0000
Subject: [PATCH] Release unused filedescriptors in the privileged X server process. There is no reason to keep /dev/pci* and /dev/ttyC* open in this process. pointed to by deraadt. ok kettenis@ deraadt@
---
 xserver/hw/kdrive/ephyr/ephyrinit.c | 7 +++++++
 xserver/hw/vfb/InitOutput.c | 7 +++++++
 xserver/hw/xfree86/os-support/bsd/bsd_init.c | 11 +++++++++++
 xserver/hw/xnest/Init.c | 8 ++++++++
 xserver/include/os.h | 2 ++
 xserver/os/privsep.c | 3 ++-
 6 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/xserver/hw/kdrive/ephyr/ephyrinit.c b/xserver/hw/kdrive/ephyr/ephyrinit.c
index 47bd97ade..0e741246e 100644
--- a/xserver/hw/kdrive/ephyr/ephyrinit.c
+++ b/xserver/hw/kdrive/ephyr/ephyrinit.c
@@ -375,6 +375,13 @@ OsVendorInit(void)
 }
 }
 
+#ifdef X_PRIVSEP
+void
+priv_vendor_init(void)
+{
+}
+#endif
+
 KdCardFuncs ephyrFuncs = {
 ephyrCardInit, /* cardinit */
 ephyrScreenInitialize, /* scrinit */
diff --git a/xserver/hw/vfb/InitOutput.c b/xserver/hw/vfb/InitOutput.c
index d9f23f360..38c3758ac 100644
--- a/xserver/hw/vfb/InitOutput.c
+++ b/xserver/hw/vfb/InitOutput.c
@@ -219,6 +219,13 @@ OsVendorInit(void)
 {
 }
 
+#ifdef X_PRIVSEP
+void
+priv_vendor_init(void)
+{
+}
+#endif
+
 void
 OsVendorFatalError(const char *f, va_list args)
 {
diff --git a/xserver/hw/xfree86/os-support/bsd/bsd_init.c b/xserver/hw/xfree86/os-support/bsd/bsd_init.c
index 5c1e7d732..8eb65b409 100644
--- a/xserver/hw/xfree86/os-support/bsd/bsd_init.c
+++ b/xserver/hw/xfree86/os-support/bsd/bsd_init.c
@@ -820,4 +820,15 @@ xf86DropPriv(void)
 }
 }
 }
+
+/*
+ * Called in the privileged child
+ */
+void
+priv_vendor_init(void)
+{
+ /* release resources it won't need */
+ pci_system_cleanup();
+ close(xf86Info.consoleFd);
+}
 #endif
diff --git a/xserver/hw/xnest/Init.c b/xserver/hw/xnest/Init.c
index c3afadf8c..5c4596dd9 100644
--- a/xserver/hw/xnest/Init.c
+++ b/xserver/hw/xnest/Init.c
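Review bot: In xserver/hw/xfree86/os-support/bsd/bsd_init.c, `close(xf86Info.consoleFd);` in the new priv_vendor_init() closes the descriptor without checking it and leaves the stale number in `xf86Info.consoleFd`. The hunk does not show whether the console is always open when the privileged child reaches this call. Once the number is closed, a later open in this process (which presumably opens devices on request) can be handed the same number, so any code in the child that still reads the field would act on an unrelated descriptor. Guarding and resetting rules that out: `if (xf86Info.consoleFd >= 0) { close(xf86Info.consoleFd); xf86Info.consoleFd = -1; }`. The comment above the function could also say that it runs after the fork and before the unveil() loop in priv_init(), and must therefore only release resources.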
@@ -156,6 +156,14 @@ OsVendorInit(void)
 return;
 }
 
+#ifdef X_PRIVSEP
+void
+priv_vendor_init(void)
+{
+ return;
+}
+#endif
+
 void
 OsVendorFatalError(const char *f, va_list args)
 {
diff --git a/xserver/include/os.h b/xserver/include/os.h
index 0cf9b9fa8..d4f0ba2cd 100644
--- a/xserver/include/os.h
+++ b/xserver/include/os.h
@@ -314,6 +314,8 @@ extern _X_EXPORT int
 ChownLock(uid_t, gid_t);
 extern _X_EXPORT int
 priv_open_device(const char *);
+extern _X_EXPORT void
+priv_vendor_init(void);
 #endif
 
 extern _X_EXPORT int
diff --git a/xserver/os/privsep.c b/xserver/os/privsep.c
index 605dac191..8856f0019 100644
--- a/xserver/os/privsep.c
+++ b/xserver/os/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.31 2019/06/11 14:51:34 jcs Exp $ */
+/* $OpenBSD: privsep.c,v 1.32 2020/04/20 18:17:26 matthieu Exp $ */
 /*
 * Copyright 2001 Niels Provos
 * All rights reserved.
@@ -279,6 +279,7 @@ priv_init(uid_t uid, gid_t gid)
 signal(i, SIG_DFL);
 setproctitle("[priv]");
 close(socks[1]);
+ priv_vendor_init();
 
 for (dev = allowed_devices; dev->name != NULL; dev++) {
 if (unveil(dev->name, "rw") == -1)
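Review bot: The `priv_vendor_init();` call added to priv_init() in xserver/os/privsep.c has no comment explaining why it sits before the `unveil()` loop, and that ordering is the security-relevant part: the hook runs in the privileged child before any path has been unveiled. A line such as `/* release descriptors inherited from the parent before unveil(); the hook must not acquire anything */` would keep later hook implementations from growing beyond cleanup. The call is also unconditional, so every server that links privsep.c needs its own definition; the patch adds stubs for ephyr, vfb and xnest, and any other target built with X_PRIVSEP would presumably fail to link. priv_init() starts and ends outside the hunk.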