diff options
author | Klemens Nanni <kn@openbsd.org> | 2021-01-22 22:01:59 +0100 |
---|---|---|
committer | June McEnroe <june@causal.agency> | 2021-01-23 00:48:19 -0500 |
commit | a19f48d8400583f72648ce506f6dc0f14d7d9442 (patch) | |
tree | 2cb51622a47a34870c85c4c023265de3d53f8e31 | |
parent | Separate kiosk mode from restrict mode (diff) | |
download | catgirl-a19f48d8400583f72648ce506f6dc0f14d7d9442.tar.gz catgirl-a19f48d8400583f72648ce506f6dc0f14d7d9442.zip |
Call pledge(2) after unveil(2)
Simplify logic, be more idiomatic and finalize by pledging after all unveiling is done by omitting the "unveil" promise and thereby not allowing further calls to it.
Diffstat (limited to '')
-rw-r--r-- | chat.c | 13 |
1 files changed, 4 insertions, 9 deletions
diff --git a/chat.c b/chat.c index f455b35..87daccd 100644 --- a/chat.c +++ b/chat.c @@ -142,13 +142,7 @@ static void unveilData(const char *name) { } } -static void sandbox(const char *trust, const char *cert, const char *priv) { - int error = pledge( - "stdio rpath wpath cpath inet dns tty proc exec unveil", NULL - ); - if (error) err(EX_OSERR, "pledge"); - if (!self.restricted) return; - +static void unveilAll(const char *trust, const char *cert, const char *priv) { dataMkdir(""); unveilData(""); if (trust) unveilConfig(trust); @@ -161,7 +155,6 @@ static void sandbox(const char *trust, const char *cert, const char *priv) { } paths[] = { { "/usr/share/terminfo", "r" }, { tls_default_ca_cert_file(), "r" }, - { NULL, NULL }, }; for (size_t i = 0; i < ARRAY_LEN(paths); ++i) { int error = unveil(paths[i].path, paths[i].perm); @@ -285,7 +278,9 @@ int main(int argc, char *argv[]) { commandCompleteAdd(); #ifdef __OpenBSD__ - sandbox(trust, cert, priv); + if (self.restricted) unveilAll(trust, cert, priv); + int error = pledge("stdio rpath wpath cpath inet dns tty proc exec", NULL); + if (error) err(EX_OSERR, "pledge"); #endif ircConfig(insecure, trust, cert, priv); |