authorJune McEnroe <june@causal.agency>2021-02-01 12:36:02 -0500
committerJune McEnroe <june@causal.agency>2021-02-01 12:36:02 -0500
commit1f51dfbad6710b28f244a8df6e5489c14e3c295b (patch)
tree3463d1793c21479d37f05fbb49f2abb1ee647e8a
parentAdd Repology links to README (diff)
downloadpounce-1f51dfbad6710b28f244a8df6e5489c14e3c295b.tar.gz
pounce-1f51dfbad6710b28f244a8df6e5489c14e3c295b.zip
Drop pledge capabilities after binding and connecting
-rw-r--r--bounce.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/bounce.c b/bounce.c
index 31ca4a6..d0bccfc 100644
--- a/bounce.c
+++ b/bounce.c
@@ -356,7 +356,7 @@ int main(int argc, char *argv[]) {
 	error = unveil(tls_default_ca_cert_file(), "r");
 	if (error) err(EX_OSFILE, "%s", tls_default_ca_cert_file());
 
-	error = pledge("stdio rpath wpath cpath inet flock unix dns recvfd", NULL);
+	error = pledge("stdio rpath wpath cpath flock inet dns unix recvfd", NULL);
 	if (error) err(EX_OSERR, "pledge");
 #endif
 
@@ -423,6 +423,16 @@ int main(int argc, char *argv[]) {
 	serverConfig(insecure, trust, clientCert, clientPriv);
 	int server = serverConnect(serverBindHost, host, port);
 
+#ifdef __OpenBSD__
+	char promises[64];
+	snprintf(
+		promises, sizeof(promises), "stdio rpath inet%s",
+		(bindPath[0] ? " cpath unix recvfd" : "")
+	);
+	error = pledge(promises, NULL);
+	if (error) err(EX_OSERR, "pledge");
+#endif
+
 #ifdef __FreeBSD__
 	error = cap_enter();
 	if (error) err(EX_OSERR, "cap_enter");
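Review bot: The snprintf that builds `promises` is unchecked, so if the promise list ever grows past the 64-byte buffer the string would be silently truncated and pledge would be called with a shorter promise set than intended, failing only later when a now-forbidden syscall aborts the process. Today the longest form is "stdio rpath inet cpath unix recvfd" (34 bytes) so it fits, but that invariant is not enforced; capturing the result, `int len = snprintf(promises, sizeof(promises), ...);` and following it with `if (len < 0 || (size_t)len >= sizeof(promises)) errx(EX_SOFTWARE, "promises truncated");`, makes a future edit fail loudly instead. It would also help a reader to have a comment above the snprintf stating why `cpath unix recvfd` must survive past the connect when a bind path is set (presumably for the Unix socket file's lifecycle and fd passing — confirm against the rest of main), since the first pledge earlier in main is the only other place this set is spelled out. The enclosing main() starts and ends outside this hunk.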