summary refs log tree commit diff
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2021-03-03 13:30:09 -0500
committerJune McEnroe <june@causal.agency>2021-03-03 13:30:09 -0500
commit7186ffe799c14c775a78eb9b570eaea0cd37800d (patch)
tree0d45d54f94ab0991e56d1c60b5038e5c96f43600
parentTarget OpenBSD (diff)
downloadbubger-7186ffe799c14c775a78eb9b570eaea0cd37800d.tar.gz
bubger-7186ffe799c14c775a78eb9b570eaea0cd37800d.zip
Sandbox with unveil(2) and pledge(2) on OpenBSD
-rw-r--r--archive.c27
1 files changed, 26 insertions, 1 deletions
diff --git a/archive.c b/archive.c
index bdf51aa..cc6c182 100644
--- a/archive.c
+++ b/archive.c
@@ -35,6 +35,7 @@
 #include <string.h>
 #include <sys/stat.h>
 #include <sysexits.h>
+#include <tls.h>
 #include <unistd.h>
 
 #include "archive.h"
@@ -142,8 +143,32 @@ int main(int argc, char *argv[]) {
 		if (!pass) errx(EX_CONFIG, ENV_PASSWORD " unset");
 	}
 
-	struct Resp resp;
+#ifdef __OpenBSD__
+	struct {
+		const char *path;
+		const char *perm;
+	} paths[] = {
+		{ ".", "rwc" },
+		{ tls_default_ca_cert_file(), "r" },
+		{ concatHead, "r" },
+		{0},
+	};
+	for (int i = 0; paths[i].path; ++i) {
+		int error = unveil(paths[i].path, paths[i].perm);
+		if (error) err(EX_NOINPUT, "%s", paths[i].path);
+	}
+	int error = pledge("stdio rpath wpath cpath inet dns", NULL);
+	if (error) err(EX_OSERR, "pledge");
+#endif
+
 	struct IMAP imap = imapOpen(host, port);
+
+#ifdef __OpenBSD__
+	error = pledge("stdio rpath wpath cpath", NULL);
+	if (error) err(EX_OSERR, "pledge");
+#endif
+
+	struct Resp resp;
 	respFree(respOk(imapResp(&imap)));
 
 	enum Atom login = atom("login");