From 9975a9357ef8d6ca0a92dda7682d2ec85b6548cc Mon Sep 17 00:00:00 2001
From: "C. McEnroe" <june@causal.agency>
Date: Thu, 27 Aug 2020 18:36:19 -0400
Subject: Sandbox calico with pledge(2) and unveil(2)

---
 dispatch.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'dispatch.c')

diff --git a/dispatch.c b/dispatch.c
index f52aacd..c0964e4 100644
--- a/dispatch.c
+++ b/dispatch.c
@@ -155,6 +155,8 @@ static void alert(int sock) {
 }
 
 int main(int argc, char *argv[]) {
+	int error;
+
 	const char *host = "localhost";
 	const char *port = "6697";
 	const char *path = NULL;
@@ -178,10 +180,18 @@ int main(int argc, char *argv[]) {
 		errx(EX_USAGE, "directory required");
 	}
 
+#ifdef __OpenBSD__
+	error = unveil(path, "r");
+	if (error) err(EX_OSERR, "unveil");
+
+	error = pledge("stdio rpath inet unix dns sendfd", NULL);
+	if (error) err(EX_OSERR, "pledge");
+#endif
+
 	int dir = open(path, O_DIRECTORY);
 	if (dir < 0) err(EX_NOINPUT, "%s", path);
 
-	int error = fchdir(dir);
+	error = fchdir(dir);
 	if (error) err(EX_NOINPUT, "%s", path);
 
 	struct addrinfo *head;
-- 
cgit 1.4.1