From 296e40887bea88959cf496221ec8a9e0a665b726 Mon Sep 17 00:00:00 2001
From: "C. McEnroe" <june@causal.agency>
Date: Mon, 17 Aug 2020 16:38:22 -0400
Subject: Use pledge(2) and unveil(2) on OpenBSD

---
 daemon.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/daemon.c b/daemon.c
index 785504f..03955bd 100644
--- a/daemon.c
+++ b/daemon.c
@@ -19,6 +19,7 @@
 #include <fcntl.h>
 #include <fnmatch.h>
 #include <grp.h>
+#include <paths.h>
 #include <poll.h>
 #include <pwd.h>
 #include <signal.h>
@@ -189,7 +190,9 @@ static void setTitle(void) {
 }
 
 int main(int argc, char *argv[]) {
+	int error;
 	setprogname(argv[0]);
+	openlog(getprogname(), LOG_NDELAY | LOG_PID | LOG_PERROR, LOG_DAEMON);
 
 	bool daemonize = true;
 	setAdd(&stopExits, EX_USAGE);
@@ -220,8 +223,28 @@ int main(int argc, char *argv[]) {
 			break; default:  return EX_USAGE;
 		}
 	}
+
+#ifdef __OpenBSD__
+	if (pidPath) {
+		error = unveil(pidPath, "cw");
+		if (error) err(EX_OSERR, "unveil");
+	}
+	error = unveil(fifoPath, "crw")
+		|| unveil(configPath, "r")
+		|| unveil("/", "r")
+		|| unveil("/dev/null", "rw")
+		|| unveil(serviceDir, "r")
+		|| unveil(_PATH_BSHELL, "x")
+		|| unveil(NULL, NULL);
+	if (error) err(EX_OSERR, "unveil");
+
+	error = pledge(
+		"stdio cpath dpath rpath wpath flock getpw proc exec id", NULL
+	);
+	if (error) err(EX_OSERR, "pledge");
+#endif
 	
-	int error = access(serviceDir, X_OK);
+	error = access(serviceDir, X_OK);
 	if (error) err(EX_NOINPUT, "%s", serviceDir);
 
 	errno = 0;
-- 
cgit 1.4.1

='right' method='get' action='/scooper/log/configure'>
<input type='hidden' name='id' value='9cc47df0d74d2fff91bd456bea526d04534c4641'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/scooper/log/?id=9cc47df0d74d2fff91bd456bea526d04534c4641&amp;follow=1'>root</a>/<a href='/scooper/log/configure?id=9cc47df0d74d2fff91bd456bea526d04534c4641&amp;follow=1'>configure</a> (<a href='/scooper/log/configure?id=9cc47df0d74d2fff91bd456bea526d04534c4641'>unfollow</a>)</div><div class='content'><table class='list nowrap'><tr class='nohover'><th></th><th class='left'>Commit message (<a href='/scooper/log/configure?id=9cc47df0d74d2fff91bd456bea526d04534c4641&amp;showmsg=1&amp;follow=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2021-09-13 15:05:52 -0400'>2021-09-13</span></td><td><a href='/scooper/commit/configure?id=326030a5fe1c681a4e2436598a53d6ad89cdeff6&amp;follow=1'>Link with -ldl on Linux</a><span class='decoration'> <a class='tag-annotated-deco' href='/scooper/tag/?h=1.3'>1.3</a></span></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-09-13 14:38:07 -0400'>2021-09-13</span></td><td><a href='/scooper/commit/README.7?id=373f3b4b07e8b97825d11cfa4ee44a14297347c1&amp;follow=1'>Document lack of dependency on SQLite</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-09-13 14:38:07 -0400'>2021-09-13</span></td><td><a href='/scooper/commit/server.h?id=66e35b5797803b5b1b5a5a06d02678c324600d16&amp;follow=1'>Build with vendored sqlite3</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-09-12 18:45:02 -0400'>2021-09-12</span></td><td><a href='/scooper/commit/server.c?id=7346609955c63d808eeedd40a28d609a31b651c8&amp;follow=1'>Call sqlite3_initialize explicitly</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-09-12 18:43:58 -0400'>2021-09-12</span></td><td><a href='/scooper/commit/sqlite3.h?id=592756f9a8a195a1a1ede731aec736a7bb5935b7&amp;follow=1'>Vendor SQLite 3.36.0</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-05-19 18:05:31 -0400'>2021-05-19</span></td><td><a href='/scooper/commit/server.h?id=21b5983bfbebf24da5b62c1dab8ce96e76e07d43&amp;follow=1'>Add -h flag to hide user hostnames</a><span class='decoration'> <a class='tag-annotated-deco' href='/scooper/tag/?h=1.2'>1.2</a></span></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-05-19 11:43:35 -0400'>2021-05-19</span></td><td><a href='/scooper/commit/scooper.1?id=32e896ff41ec9872c7b1ff9296cddeeab3dc2537&amp;follow=1'>Replace freenode with tilde.chat</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-05-08 00:20:10 -0400'>2021-05-08</span></td><td><a href='/scooper/commit/scooper.1?id=239efd07e022a9de0a74db265fcbf6e3ae45c6b7&amp;follow=1'>Document the export query parameter</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-05-07 23:58:38 -0400'>2021-05-07</span></td><td><a href='/scooper/commit/scooper.1?id=12d098b20ecb3ff101957d525ff41a979fe89f68&amp;follow=1'>Create a database with litterbox for test</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-05-07 19:42:54 -0400'>2021-05-07</span></td><td><a href='/scooper/commit/html.c?id=6de38c89acd25c52d40843ece597c1be912f5fbc&amp;follow=1'>Add missing static declarations in html.c</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-05-07 19:29:21 -0400'>2021-05-07</span></td><td><a href='/scooper/commit/search.c?id=e5eb22a7d447c923e500ba6e490ea78168b203a9&amp;follow=1'>Reverse order of search results</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-05-07 19:29:21 -0400'>2021-05-07</span></td><td><a href='/scooper/commit/html.c?id=299c4334ab7f3cabfad2ee74d441ebb2d4e27e80&amp;follow=1'>Try to keep query at end of parameters</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2021-05-07 19:29:21 -0400'>2021-05-07</span></td><td><a href='/scooper/commit/configure?id=5988e1a29ef1d84d6ad169c00be979c71f7f1181&amp;follow=1'>Use LDADD variables, support BINDIR</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-12-13 18:33:39 -0500'>2020-12-13</span></td><td><a href='/scooper/commit/html.c?id=ca9729fe214ee2166659dc4e8ddaf2013358d311&amp;follow=1'>Use nick for color if user is "*"</a><span class='decoration'> <a class='tag-annotated-deco' href='/scooper/tag/?h=1.1'>1.1</a></span></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-08-23 15:24:14 -0400'>2020-08-23</span></td><td><a href='/scooper/commit/Makefile?id=6211dfdae45a3a48d71d2572cd730d838a2bb8bb&amp;follow=1'>Use DESTDIR in install</a><span class='decoration'> <a class='tag-annotated-deco' href='/scooper/tag/?h=1.0'>1.0</a></span></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-08-23 14:41:34 -0400'>2020-08-23</span></td><td><a href='/scooper/commit/README.7?id=e09cc10bdab5267add4f80fe8cd74f943e493ab1&amp;follow=1'>Add catsit example to README</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-08-23 14:15:57 -0400'>2020-08-23</span></td><td><a href='/scooper/commit/README.7?id=1e31b08dc6c1cdfdad0e252a12dfee8ff5aa817a&amp;follow=1'>Update litterbox version range</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-08-19 14:53:53 -0400'>2020-08-19</span></td><td><a href='/scooper/commit/server.c?id=c03e1e99dc7d4bda710eba0f4fc6716e0c165bd2&amp;follow=1'>Set a database busy timeout</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-29 19:14:36 -0400'>2020-07-29</span></td><td><a href='/scooper/commit/configure?id=c70ca4e9e051b7acc86d06ef30925c806576a870&amp;follow=1'>Add Linux support</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-29 18:46:18 -0400'>2020-07-29</span></td><td><a href='/scooper/commit/events.c?id=c54a8b6b8800402dd595ef7c749165b6e00164a5&amp;follow=1'>Remove unused prevEvent</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-23 17:43:54 -0400'>2020-07-23</span></td><td><a href='/scooper/commit/scooper.pc?id=86133bdcaae3358bb4af740d8bfd22a045379ac4&amp;follow=1'>Rewrite configure script</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-21 18:37:45 -0400'>2020-07-21</span></td><td><a href='/scooper/commit/README.7?id=9cd4bdab846b50c8a41dc1fdd89b789338d7c810&amp;follow=1'>Add OpenBSD instructions</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-21 17:49:34 -0400'>2020-07-21</span></td><td><a href='/scooper/commit/scooper.pc?id=3f5ba5cc851829c6d5c8bf4150921c3cf695a73e&amp;follow=1'>Use a .pc file to configure</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-19 16:33:12 -0400'>2020-07-19</span></td><td><a href='/scooper/commit/networks.c?id=236dbaa81740a7c99bb3b07b4428f792b6c85e98&amp;follow=1'>Filter networks with only private contexts from recents as well</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-18 16:31:39 -0400'>2020-07-18</span></td><td><a href='/scooper/commit/README.7?id=5ca4e69620d9282f06c6282c9d6f31a1e08af571&amp;follow=1'>Specify litterbox version in readme</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-18 12:55:23 -0400'>2020-07-18</span></td><td><a href='/scooper/commit/server.h?id=56af4115c72d0ee03d7492390156211b2d18ffcb&amp;follow=1'>Reverse order of X macro parameters for pages and keys</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-18 12:46:11 -0400'>2020-07-18</span></td><td><a href='/scooper/commit/server.h?id=49841c58cd80e8ec6818db2298c35372fd12fd2e&amp;follow=1'>Remove kcgi 0.11 compatibility</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-17 14:08:53 -0400'>2020-07-17</span></td><td><a href='/scooper/commit/networks.c?id=f343150fb4ea1d553fb2220d023648bb670ee8fa&amp;follow=1'>Filter networks with only private contexts</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-17 13:23:21 -0400'>2020-07-17</span></td><td><a href='/scooper/commit/server.h?id=0a054aeb9ce8430a62be05283300ec34e9c2b0af&amp;follow=1'>Add export option</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-17 10:25:41 -0400'>2020-07-17</span></td><td><a href='/scooper/commit/default.css?id=c288379fa06d3d2b8b44b2935be6c7bbf5580975&amp;follow=1'>Add margin to inputs</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-16 23:40:08 -0400'>2020-07-16</span></td><td><a href='/scooper/commit/server.c?id=dac7845cb3aa645c14928ae0b1ec9eb6475d8956&amp;follow=1'>Don't write null terminator in stylesheet response</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-07-16 22:23:36 -0400'>2020-07-16</span></td><td><a href='/scooper/commit/README.7?id=771fb22dfc1c2d750291a6b8fff4935d02b0d777&amp;follow=1'>Remove sudo from make install</a></td><td>June McEnroe
	Commit message (Expand)	Author
2021-09-13	Link with -ldl on Linux 1.3	June McEnroe
2021-09-13	Document lack of dependency on SQLite	June McEnroe
2021-09-13	Build with vendored sqlite3	June McEnroe
2021-09-12	Call sqlite3_initialize explicitly	June McEnroe
2021-09-12	Vendor SQLite 3.36.0	June McEnroe
2021-05-19	Add -h flag to hide user hostnames 1.2	June McEnroe
2021-05-19	Replace freenode with tilde.chat	June McEnroe
2021-05-08	Document the export query parameter	June McEnroe
2021-05-07	Create a database with litterbox for test	June McEnroe
2021-05-07	Add missing static declarations in html.c	June McEnroe
2021-05-07	Reverse order of search results	June McEnroe
2021-05-07	Try to keep query at end of parameters	June McEnroe
2021-05-07	Use LDADD variables, support BINDIR	June McEnroe
2020-12-13	Use nick for color if user is "*" 1.1	June McEnroe
2020-08-23	Use DESTDIR in install 1.0	June McEnroe
2020-08-23	Add catsit example to README	June McEnroe
2020-08-23	Update litterbox version range	June McEnroe
2020-08-19	Set a database busy timeout	June McEnroe
2020-07-29	Add Linux support	June McEnroe
2020-07-29	Remove unused prevEvent	June McEnroe
2020-07-23	Rewrite configure script	June McEnroe
2020-07-21	Add OpenBSD instructions	June McEnroe
2020-07-21	Use a .pc file to configure	June McEnroe
2020-07-19	Filter networks with only private contexts from recents as well	June McEnroe
2020-07-18	Specify litterbox version in readme	June McEnroe
2020-07-18	Reverse order of X macro parameters for pages and keys	June McEnroe
2020-07-18	Remove kcgi 0.11 compatibility	June McEnroe
2020-07-17	Filter networks with only private contexts	June McEnroe
2020-07-17	Add export option	June McEnroe
2020-07-17	Add margin to inputs	June McEnroe
2020-07-16	Don't write null terminator in stylesheet response	June McEnroe
2020-07-16	Remove sudo from make install	June McEnroe