diff options
author | Klemens Nanni <kn@openbsd.org> | 2021-01-22 22:02:02 +0100 |
---|---|---|
committer | June McEnroe <june@causal.agency> | 2021-01-23 00:48:19 -0500 |
commit | bc3bd956481131a15dcae95eb818b3b3ccc7ed79 (patch) | |
tree | 87b247c8590e9de7ad6eee62717999fb2da701bb | |
parent | Drop exec capability iff restricted (diff) | |
download | catgirl-bc3bd956481131a15dcae95eb818b3b3ccc7ed79.tar.gz catgirl-bc3bd956481131a15dcae95eb818b3b3ccc7ed79.zip |
Drop filesystem access iff possible
Log files and state save/restore both require read/write access to the filesystem, both during start and exit. If neither features are used, catgirl may run with "stdio tty".
-rw-r--r-- | chat.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/chat.c b/chat.c index b36223c..6458925 100644 --- a/chat.c +++ b/chat.c @@ -341,10 +341,12 @@ int main(int argc, char *argv[]) { } #ifdef __OpenBSD__ - if (self.restricted) { - error = pledge("stdio rpath wpath cpath tty", NULL); - if (error) err(EX_OSERR, "pledge"); - } + char promises[64] = "stdio tty"; + struct Cat cat = { promises, sizeof(promises), strlen(promises) }; + if (save || logEnable) catf(&cat, " rpath wpath cpath"); + if (!self.restricted) catf(&cat, " proc exec"); + error = pledge(promises, NULL); + if (error) err(EX_OSERR, "pledge"); #endif struct pollfd fds[] = { |