From 7186ffe799c14c775a78eb9b570eaea0cd37800d Mon Sep 17 00:00:00 2001
From: "C. McEnroe" <june@causal.agency>
Date: Wed, 3 Mar 2021 13:30:09 -0500
Subject: Sandbox with unveil(2) and pledge(2) on OpenBSD

---
 archive.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/archive.c b/archive.c
index bdf51aa..cc6c182 100644
--- a/archive.c
+++ b/archive.c
@@ -35,6 +35,7 @@
 #include <string.h>
 #include <sys/stat.h>
 #include <sysexits.h>
+#include <tls.h>
 #include <unistd.h>
 
 #include "archive.h"
@@ -142,8 +143,32 @@ int main(int argc, char *argv[]) {
 		if (!pass) errx(EX_CONFIG, ENV_PASSWORD " unset");
 	}
 
-	struct Resp resp;
+#ifdef __OpenBSD__
+	struct {
+		const char *path;
+		const char *perm;
+	} paths[] = {
+		{ ".", "rwc" },
+		{ tls_default_ca_cert_file(), "r" },
+		{ concatHead, "r" },
+		{0},
+	};
+	for (int i = 0; paths[i].path; ++i) {
+		int error = unveil(paths[i].path, paths[i].perm);
+		if (error) err(EX_NOINPUT, "%s", paths[i].path);
+	}
+	int error = pledge("stdio rpath wpath cpath inet dns", NULL);
+	if (error) err(EX_OSERR, "pledge");
+#endif
+
 	struct IMAP imap = imapOpen(host, port);
+
+#ifdef __OpenBSD__
+	error = pledge("stdio rpath wpath cpath", NULL);
+	if (error) err(EX_OSERR, "pledge");
+#endif
+
+	struct Resp resp;
 	respFree(respOk(imapResp(&imap)));
 
 	enum Atom login = atom("login");
-- 
cgit 1.4.1