summary refs log tree commit diff
diff options
context:
space:
mode:
authorC. McEnroe <june@causal.agency>2021-09-26 17:25:58 -0400
committerC. McEnroe <june@causal.agency>2021-09-26 17:25:58 -0400
commitbdcb9ab46fa5b2e86c9d7253523dea5f4fd43d38 (patch)
tree7d2091550d8653f4b0a45f53472bb461a005e4b2
parentFix inverted exec prepend logic (diff)
downloadcatsit-bdcb9ab46fa5b2e86c9d7253523dea5f4fd43d38.tar.gz
catsit-bdcb9ab46fa5b2e86c9d7253523dea5f4fd43d38.zip
OpenBSD: Simplify pledge(2) and unveil(2) strategy
-rw-r--r--daemon.c45
1 files changed, 16 insertions, 29 deletions
diff --git a/daemon.c b/daemon.c
index 1bab9ef..88f59b2 100644
--- a/daemon.c
+++ b/daemon.c
@@ -216,30 +216,6 @@ int main(int argc, char *argv[]) {
 		}
 	}
 
-#ifdef __OpenBSD__
-	struct {
-		const char *path;
-		const char *mode;
-	} paths[] = {
-		{ fifoPath, "crw" },
-		{ configPath, "r" },
-		{ "/", "r" },
-		{ "/dev/null", "rw" },
-		{ serviceDir, "r" },
-		{ _PATH_BSHELL, "x" },
-		{ pidPath, "cw" },
-		{ NULL, NULL },
-	};
-	for (size_t i = 0; paths[i].path; ++i) {
-		error = unveil(paths[i].path, paths[i].mode);
-		if (error) err(EX_CANTCREAT, "%s", paths[i].path);
-	}
-	error = pledge(
-		"stdio cpath dpath rpath wpath flock getpw proc exec id", NULL
-	);
-	if (error) err(EX_OSERR, "pledge");
-#endif
-	
 	error = access(serviceDir, X_OK);
 	if (error) err(EX_NOINPUT, "%s", serviceDir);
 
@@ -303,16 +279,27 @@ int main(int argc, char *argv[]) {
 			return EX_OSERR;
 		}
 	}
-	if (pidPath) {
-		int len = dprintf(pidFile, "%ju", (uintmax_t)getpid());
-		if (len < 0) syslog(LOG_WARNING, "%s: %m", pidPath);
-	}
 
 #ifdef __OpenBSD__
-	error = pledge("stdio cpath rpath proc exec id", NULL);
+	error = 0
+		|| unveil(fifoPath, "c")
+		|| unveil(configPath, "r")
+		|| unveil(serviceDir, "r")
+		|| unveil(_PATH_BSHELL, "x");
+	if (error) err(EX_OSERR, "unveil");
+	if (pidPath) {
+		error = unveil(pidPath, "c");
+		if (error) err(EX_OSERR, "unveil");
+	}
+	error = pledge("stdio rpath cpath proc exec id", NULL);
 	if (error) err(EX_OSERR, "pledge");
 #endif
 
+	if (pidPath) {
+		int len = dprintf(pidFile, "%ju", (uintmax_t)getpid());
+		if (len < 0) syslog(LOG_WARNING, "%s: %m", pidPath);
+	}
+
 	signal(SIGHUP, signalHandler);
 	signal(SIGINT, signalHandler);
 	signal(SIGTERM, signalHandler);