Use pledge(2) and unveil(2) on OpenBSD

1 files changed, 24 insertions, 1 deletions

diff --git a/daemon.c b/daemon.c
index 785504f..03955bd 100644
--- a/daemon.c
+++ b/daemon.c
@@ -19,6 +19,7 @@
 #include <fcntl.h>
 #include <fnmatch.h>
 #include <grp.h>
+#include <paths.h>
 #include <poll.h>
 #include <pwd.h>
 #include <signal.h>
@@ -189,7 +190,9 @@ static void setTitle(void) {
 }
 
 int main(int argc, char *argv[]) {
+	int error;
 	setprogname(argv[0]);
+	openlog(getprogname(), LOG_NDELAY | LOG_PID | LOG_PERROR, LOG_DAEMON);
 
 	bool daemonize = true;
 	setAdd(&stopExits, EX_USAGE);
@@ -220,8 +223,28 @@ int main(int argc, char *argv[]) {
 			break; default:  return EX_USAGE;
 		}
 	}
+
+#ifdef __OpenBSD__
+	if (pidPath) {
+		error = unveil(pidPath, "cw");
+		if (error) err(EX_OSERR, "unveil");
+	}
+	error = unveil(fifoPath, "crw")
+		|| unveil(configPath, "r")
+		|| unveil("/", "r")
+		|| unveil("/dev/null", "rw")
+		|| unveil(serviceDir, "r")
+		|| unveil(_PATH_BSHELL, "x")
+		|| unveil(NULL, NULL);
+	if (error) err(EX_OSERR, "unveil");
+
+	error = pledge(
+		"stdio cpath dpath rpath wpath flock getpw proc exec id", NULL
+	);
+	if (error) err(EX_OSERR, "pledge");
+#endif
 	
-	int error = access(serviceDir, X_OK);
+	error = access(serviceDir, X_OK);
 	if (error) err(EX_NOINPUT, "%s", serviceDir);
 
 	errno = 0;