From 7186ffe799c14c775a78eb9b570eaea0cd37800d Mon Sep 17 00:00:00 2001
From: "C. McEnroe"
Date: Wed, 3 Mar 2021 13:30:09 -0500
Subject: Sandbox with unveil(2) and pledge(2) on OpenBSD
---
 archive.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/archive.c b/archive.c
index bdf51aa..cc6c182 100644
--- a/archive.c
+++ b/archive.c
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "archive.h"
@@ -142,8 +143,32 @@ int main(int argc, char *argv[]) {
 if (!pass) errx(EX_CONFIG, ENV_PASSWORD " unset");
 }
- struct Resp resp;
+#ifdef __OpenBSD__
+ struct {
+ const char *path;
+ const char *perm;
+ } paths[] = {
+ { ".", "rwc" },
+ { tls_default_ca_cert_file(), "r" },
+ { concatHead, "r" },
+ {0},
+ };
+ for (int i = 0; paths[i].path; ++i) {
+ int error = unveil(paths[i].path, paths[i].perm);
+ if (error) err(EX_NOINPUT, "%s", paths[i].path);
+ }
+ int error = pledge("stdio rpath wpath cpath inet dns", NULL);
+ if (error) err(EX_OSERR, "pledge");
+#endif
+
 struct IMAP imap = imapOpen(host, port);
+
+#ifdef __OpenBSD__
+ error = pledge("stdio rpath wpath cpath", NULL);
+ if (error) err(EX_OSERR, "pledge");
+#endif
+
+ struct Resp resp;
 respFree(respOk(imapResp(&imap)));
 enum Atom login = atom("login");
-- 
cgit 1.4.1
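Review bot: The unveil loop in main stops at the first entry whose `path` is NULL, so the `{0}` sentinel and a NULL `concatHead` look the same to it. If `concatHead` is optional (it is set outside this hunk, so that is an assumption), the table only works while it stays the last real entry, and any path added after it would silently never be unveiled. Iterating by element count and skipping empty entries removes that ordering dependency: `for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); ++i) {` followed by `if (!paths[i].path) continue;`. A short comment above the second `pledge` call, such as `// Network promises are no longer needed once the connection is open.`, would also record why the promise set is narrowed there. main begins and ends outside the hunk.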