Use pledge(2) and unveil(2) on OpenBSD

C. McEnroe 2020-08-17 16:38:22 -04:00
parent ebd44fb606
commit 296e40887b


@ -19,6 +19,7 @@
#include <fcntl.h>
#include <fnmatch.h>
#include <grp.h>
#include <paths.h>
#include <poll.h>
#include <pwd.h>
#include <signal.h>
@ -189,7 +190,9 @@ static void setTitle(void) {
}
int main(int argc, char *argv[]) {
int error;
setprogname(argv[0]);
openlog(getprogname(), LOG_NDELAY | LOG_PID | LOG_PERROR, LOG_DAEMON);
bool daemonize = true;
setAdd(&stopExits, EX_USAGE);
@ -221,7 +224,27 @@ int main(int argc, char *argv[]) {
}
}
int error = access(serviceDir, X_OK);
#ifdef __OpenBSD__
if (pidPath) {
error = unveil(pidPath, "cw");
if (error) err(EX_OSERR, "unveil");
}
error = unveil(fifoPath, "crw")
|| unveil(configPath, "r")
|| unveil("/", "r")
|| unveil("/dev/null", "rw")
|| unveil(serviceDir, "r")
|| unveil(_PATH_BSHELL, "x")
|| unveil(NULL, NULL);
if (error) err(EX_OSERR, "unveil");
error = pledge(
"stdio cpath dpath rpath wpath flock getpw proc exec id", NULL
);
if (error) err(EX_OSERR, "pledge");
#endif
error = access(serviceDir, X_OK);
if (error) err(EX_NOINPUT, "%s", serviceDir);
errno = 0;
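Review bot: `unveil("/", "r")` in the `__OpenBSD__` block makes the whole filesystem readable, so the neighbouring `unveil(configPath, "r")` and `unveil(serviceDir, "r")` calls grant nothing extra and the unveil set only confines write, create and execute access. If root-wide read is really required (the reason is not visible in this hunk), record it in a comment above the chain, e.g. `/* "/" stays readable because <reason>; only write/create/exec are confined */`; otherwise drop that call so reads are limited to the listed paths. The `||` chain also reports every failure as a bare `unveil`, so the failing path is lost; checking each call with `err(EX_OSERR, "%s", path)` would match the `serviceDir` message just below. main() starts before this hunk and continues past its end.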