author | June McEnroe <june@causal.agency> | 2020-08-27 21:49:31 -0400 |
---|---|---|
committer | June McEnroe <june@causal.agency> | 2020-08-27 22:05:31 -0400 |
commit | e464b9fea27bc047f6ed5f08f604eea43acbdfc3 (patch) | |
tree | c202b15cdeb178046f252d9da3522cbfe6ef89d6 | |
parent | Sandbox calico with pledge(2) and unveil(2) (diff) | |
Sandbox pounce with pledge(2)
unveil(2) is a bit complicated to apply to this, I'll have to think about it more.
-rw-r--r-- | bounce.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/bounce.c b/bounce.c
index 924a01b..1ef3890 100644
--- a/bounce.c
+++ b/bounce.c
@@ -284,6 +284,8 @@ static void eventRemove(size_t i) {
 }
 int main(int argc, char *argv[]) {
+ int error;
+
 size_t ringSize = 4096;
 const char *savePath = NULL;
@@ -427,6 +429,11 @@ int main(int argc, char *argv[]) {
 errx(EX_CONFIG, "password must be hashed with -x");
 }
+#ifdef __OpenBSD__
+ error = pledge("stdio rpath wpath cpath inet flock unix dns recvfd", NULL);
+ if (error) err(EX_OSERR, "pledge");
+#endif
+
 ringAlloc(ringSize);
 if (savePath) saveLoad(savePath);
@@ -453,7 +460,7 @@ int main(int argc, char *argv[]) {
 int server = serverConnect(serverBindHost, host, port);
 #ifdef __FreeBSD__
- int error = cap_enter();
+ error = cap_enter();
 if (error) err(EX_OSERR, "cap_enter");
 cap_rights_t saveRights, fileRights, sockRights, bindRights;
@@ -489,7 +496,7 @@ int main(int argc, char *argv[]) {
 signal(SIGUSR1, signalHandler);
 for (size_t i = 0; i < binds; ++i) {
- int error = listen(bind[i], -1);
+ error = listen(bind[i], -1);
 if (error) err(EX_IOERR, "listen");
 eventAdd(bind[i], NULL);
 }
@@ -525,7 +532,7 @@ int main(int argc, char *argv[]) {
 continue;
 }
- int error = tls_handshake(tls);
+ error = tls_handshake(tls);
 if (error) {
 warnx("tls_handshake: %s", tls_error(tls));
 tls_free(tls); |
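Review bot: The promise string passed to `pledge` in the `__OpenBSD__` block is undocumented, so a later maintainer cannot tell which feature each promise protects or whether one can safely be dropped. A short comment above the call would help, for example `/* rpath/wpath/cpath/flock: save file; inet/dns: server and client sockets; unix/recvfd: UNIX-domain binds and passed descriptors */`, corrected against what the code really uses, since that mapping is inferred from names visible in this diff. Because later `pledge` calls can only reduce the promise set, it may also be worth a second, narrower call once `serverConnect` and the `listen` loop have run, provided nothing in the event loop still needs `dns` or the path promises. `main` begins and ends outside this hunk, so that has to be checked against the rest of the function.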