author | June McEnroe <june@causal.agency> | 2020-08-27 18:36:19 -0400 |
---|---|---|
committer | June McEnroe <june@causal.agency> | 2020-08-27 18:47:01 -0400 |
commit | 9975a9357ef8d6ca0a92dda7682d2ec85b6548cc (patch) | |
tree | 3a49925007509c57e3a71a23e65130a73ff1f1f0 | |
parent | Add support for OpenBSD (diff) | |
Sandbox calico with pledge(2) and unveil(2)
-rw-r--r-- | dispatch.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/dispatch.c b/dispatch.c
index f52aacd..c0964e4 100644
--- a/dispatch.c
+++ b/dispatch.c
@@ -155,6 +155,8 @@ static void alert(int sock) {
 }
 int main(int argc, char *argv[]) {
+ int error;
+
 const char *host = "localhost";
 const char *port = "6697";
 const char *path = NULL;
@@ -178,10 +180,18 @@ int main(int argc, char *argv[]) {
 errx(EX_USAGE, "directory required");
 }
+#ifdef __OpenBSD__
+ error = unveil(path, "r");
+ if (error) err(EX_OSERR, "unveil");
+
+ error = pledge("stdio rpath inet unix dns sendfd", NULL);
+ if (error) err(EX_OSERR, "pledge");
+#endif
+
 int dir = open(path, O_DIRECTORY);
 if (dir < 0) err(EX_NOINPUT, "%s", path);
- int error = fchdir(dir);
+ error = fchdir(dir);
 if (error) err(EX_NOINPUT, "%s", path);
 struct addrinfo *head; |
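Review bot: The single `pledge("stdio rpath inet unix dns sendfd", NULL)` call in the second hunk is the only one visible, so unless main narrows it later (its body continues outside the hunk), every promise stays in force for the life of the process. `dns` is presumably needed only while the listen address is resolved at startup. If so, a second call once resolution is done, e.g. `error = pledge("stdio rpath inet unix sendfd", NULL);`, would shrink what a compromised dispatcher can reach; confirm against the rest of main whether `rpath` can be dropped at the same point. A short comment above the first pledge would make later tightening reviewable, for example `// rpath: open the socket directory; unix+sendfd: pass accepted connections; inet+dns: bind the listener`, with the mapping checked against the code. Also note that the unveil failure message omits the path, unlike the `open` error just below it; `err(EX_OSERR, "unveil %s", path)` would keep diagnostics consistent.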