diff options
author | June McEnroe <june@causal.agency> | 2021-02-01 12:36:02 -0500 |
---|---|---|
committer | June McEnroe <june@causal.agency> | 2021-02-01 12:36:02 -0500 |
commit | 1f51dfbad6710b28f244a8df6e5489c14e3c295b (patch) | |
tree | 3463d1793c21479d37f05fbb49f2abb1ee647e8a | |
parent | Add Repology links to README (diff) | |
download | pounce-1f51dfbad6710b28f244a8df6e5489c14e3c295b.tar.gz pounce-1f51dfbad6710b28f244a8df6e5489c14e3c295b.zip |
Drop pledge capabilities after binding and connecting
Diffstat (limited to '')
-rw-r--r-- | bounce.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/bounce.c b/bounce.c index 31ca4a6..d0bccfc 100644 --- a/bounce.c +++ b/bounce.c @@ -356,7 +356,7 @@ int main(int argc, char *argv[]) { error = unveil(tls_default_ca_cert_file(), "r"); if (error) err(EX_OSFILE, "%s", tls_default_ca_cert_file()); - error = pledge("stdio rpath wpath cpath inet flock unix dns recvfd", NULL); + error = pledge("stdio rpath wpath cpath flock inet dns unix recvfd", NULL); if (error) err(EX_OSERR, "pledge"); #endif @@ -423,6 +423,16 @@ int main(int argc, char *argv[]) { serverConfig(insecure, trust, clientCert, clientPriv); int server = serverConnect(serverBindHost, host, port); +#ifdef __OpenBSD__ + char promises[64]; + snprintf( + promises, sizeof(promises), "stdio rpath inet%s", + (bindPath[0] ? " cpath unix recvfd" : "") + ); + error = pledge(promises, NULL); + if (error) err(EX_OSERR, "pledge"); +#endif + #ifdef __FreeBSD__ error = cap_enter(); if (error) err(EX_OSERR, "cap_enter"); |