commit b8566646633724af84e9a5b9fd1386c9e17b1c3c
parent 54edf4e9d842131a78ab585308f72f72aa05b3d4
Author: default <nobody@localhost>
Date: Mon, 5 Aug 2024 06:54:47 +0200
Tweaked unveil() / pledge() to deal with UNIX sockets.
Diffstat:
M | data.c | | | 22 | +++++++++++++++------- |
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/data.c b/data.c
@@ -114,13 +114,12 @@ int srv_open(const char *basedir, int auto_upgrade)
#endif
#ifdef __OpenBSD__
- const char *v = xs_dict_get(srv_config, "disable_openbsd_security");
-
- if (v && xs_type(v) == XSTYPE_TRUE) {
+ if (xs_is_true(xs_dict_get(srv_config, "disable_openbsd_security"))) {
srv_debug(1, xs_dup("OpenBSD security disabled by admin"));
}
else {
- int smail = xs_type(xs_dict_get(srv_config, "disable_email_notifications")) != XSTYPE_TRUE;
+ int smail = !xs_is_true(xs_dict_get(srv_config, "disable_email_notifications"));
+ const char *address = xs_dict_get(srv_config, "address");
srv_debug(1, xs_fmt("Calling unveil()"));
unveil(basedir, "rwc");
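Review bot: `address` is taken from `xs_dict_get(srv_config, "address")` and then dereferenced as `*address == '/'` (twice, in the next hunk) with no NULL check, so a configuration without that key would presumably crash srv_open() on OpenBSD before the sandbox is set up. Computing the flag once next to the declaration, e.g. `int usock = address != NULL && *address == '/';`, and testing `usock` in both places would cover this and avoid repeating the condition. Whether the value is already validated as a string earlier in the function is not visible here; srv_open() starts and ends outside this hunk.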
@@ -134,13 +133,22 @@ int srv_open(const char *basedir, int auto_upgrade)
if (smail)
unveil("/usr/sbin/sendmail", "x");
+ if (*address == '/')
+ unveil(address, "rwc");
+
unveil(NULL, NULL);
+
srv_debug(1, xs_fmt("Calling pledge()"));
+ xs *p = xs_str_new("stdio rpath wpath cpath flock inet proc dns fattr");
+
if (smail)
- pledge("stdio rpath wpath cpath flock inet proc exec dns fattr", NULL);
- else
- pledge("stdio rpath wpath cpath flock inet proc dns fattr", NULL);
+ p = xs_str_cat(p, " exec");
+
+ if (*address == '/')
+ p = xs_str_cat(p, " unix");
+
+ pledge(p, NULL);
}
#endif /* __OpenBSD__ */
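Review bot: The results of the new `unveil(address, "rwc")` and `pledge(p, NULL)` calls are ignored, so if either fails the server keeps running without the restrictions the admin expects, and the log shows only the "Calling pledge()" debug line. This matters more now that the promise string is assembled at run time, since a malformed string makes pledge() fail rather than restrict. I would at least log the failure, e.g. `if (pledge(p, NULL) == -1) srv_debug(0, xs_fmt("pledge() failed: %s", strerror(errno)));`, and do the same for the unveil() calls. Whether startup should abort in that case is a policy choice for the project. A short comment saying why the socket path needs "rwc" rather than a narrower permission set would also help the next reader.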