summary refs log tree commit diff
diff options
context:
space:
mode:
authorKlemens Nanni <kn@openbsd.org>2021-01-22 22:01:59 +0100
committerJune McEnroe <june@causal.agency>2021-01-23 00:48:19 -0500
commita19f48d8400583f72648ce506f6dc0f14d7d9442 (patch)
tree2cb51622a47a34870c85c4c023265de3d53f8e31
parentSeparate kiosk mode from restrict mode (diff)
downloadcatgirl-a19f48d8400583f72648ce506f6dc0f14d7d9442.tar.gz
catgirl-a19f48d8400583f72648ce506f6dc0f14d7d9442.zip
Call pledge(2) after unveil(2)
Simplify logic, be more idiomatic and finalize by pledging after
all unveiling is done by omitting the "unveil" promise and thereby
not allowing further calls to it.
-rw-r--r--chat.c13
1 files changed, 4 insertions, 9 deletions
diff --git a/chat.c b/chat.c
index f455b35..87daccd 100644
--- a/chat.c
+++ b/chat.c
@@ -142,13 +142,7 @@ static void unveilData(const char *name) {
 	}
 }
 
-static void sandbox(const char *trust, const char *cert, const char *priv) {
-	int error = pledge(
-		"stdio rpath wpath cpath inet dns tty proc exec unveil", NULL
-	);
-	if (error) err(EX_OSERR, "pledge");
-	if (!self.restricted) return;
-
+static void unveilAll(const char *trust, const char *cert, const char *priv) {
 	dataMkdir("");
 	unveilData("");
 	if (trust) unveilConfig(trust);
@@ -161,7 +155,6 @@ static void sandbox(const char *trust, const char *cert, const char *priv) {
 	} paths[] = {
 		{ "/usr/share/terminfo", "r" },
 		{ tls_default_ca_cert_file(), "r" },
-		{ NULL, NULL },
 	};
 	for (size_t i = 0; i < ARRAY_LEN(paths); ++i) {
 		int error = unveil(paths[i].path, paths[i].perm);
@@ -285,7 +278,9 @@ int main(int argc, char *argv[]) {
 	commandCompleteAdd();
 
 #ifdef __OpenBSD__
-	sandbox(trust, cert, priv);
+	if (self.restricted) unveilAll(trust, cert, priv);
+	int error = pledge("stdio rpath wpath cpath inet dns tty proc exec", NULL);
+	if (error) err(EX_OSERR, "pledge");
 #endif
 
 	ircConfig(insecure, trust, cert, priv);