commit 2d17ff69d90329bbbfadbf258f4a22f26358943b
parent 44e1ef57a375794bea37555ac1bc417d37156caf
Author: Hiltjo Posthuma <hiltjo@codemadness.org>
Date: Sun, 22 Dec 2019 12:52:49 +0100
add OpenBSD unveil support
The unveil() system call first appeared in OpenBSD 6.4.
For stagit-gopher it has the following properties now:
- stagit-gopher-index: only read-access to the file-system for the specified
directories/repositories.
- stagit-gopher: read-access to the specified directory/repository.
read-write and creation access to the current directory for the output files.
read-write and creation access to the specified cache file
Diffstat:
2 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/stagit-gopher-index.c b/stagit-gopher-index.c
@@ -219,6 +219,10 @@ main(int argc, char *argv[])
git_libgit2_init();
#ifdef __OpenBSD__
+ for (i = 1; i < argc; i++)
+ if (unveil(argv[i], "r") == -1)
+ err(1, "unveil: %s", argv[i]);
+
if (pledge("stdio rpath", NULL) == -1)
err(1, "pledge");
#endif
diff --git a/stagit-gopher.c b/stagit-gopher.c
@@ -1177,6 +1177,13 @@ main(int argc, char *argv[])
git_libgit2_init();
#ifdef __OpenBSD__
+ if (unveil(repodir, "r") == -1)
+ err(1, "unveil: %s", repodir);
+ if (unveil(".", "rwc") == -1)
+ err(1, "unveil: .");
+ if (cachefile && unveil(cachefile, "rwc") == -1)
+ err(1, "unveil: %s", cachefile);
+
if (cachefile) {
if (pledge("stdio rpath wpath cpath fattr", NULL) == -1)
err(1, "pledge");
