commit 6d08917cf38a120460a7a248ed9678fa8c3a01eb | |
parent 5fddf9515f75b724b90b8bb62eab02f8b93ff128 | |
Author: Anders Damsgaard <[email protected]> | |
Date: Thu, 2 Jan 2020 21:36:13 +0100 | |
Add pledge(2) and unveil(2) on OpenBSD | |
Diffstat: | |
M surf.c | 107 +++++++++++++++++++++++++++++… | |
1 file changed, 107 insertions(+), 0 deletions(-) | |
--- | |
diff --git a/surf.c b/surf.c | |
t@@ -29,6 +29,10 @@ | |
#include <X11/Xatom.h> | |
#include <glib.h> | |
+#ifdef __OpenBSD__ | |
+#include <err.h> | |
+#endif | |
+ | |
#include "arg.h" | |
#include "common.h" | |
t@@ -1977,6 +1981,109 @@ main(int argc, char *argv[]) | |
Arg arg; | |
Client *c; | |
+#ifdef __OpenBSD__ | |
+ char path[128]; | |
+ const char* home = getcurrentuserhomedir(); | |
+ | |
+ if (snprintf(path, sizeof(path), "%s/.cache", home) < 0) | |
+ err(1, "snprintf"); | |
+ if (unveil(path, "rwc") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (snprintf(path, sizeof(path), "%s/.config", home) < 0) | |
+ err(1, "snprintf"); | |
+ if (unveil(path, "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (snprintf(path, sizeof(path), "%s/.config/surf", home) < 0) | |
+ err(1, "snprintf"); | |
+ if (unveil(path, "rwxc") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (snprintf(path, sizeof(path), "%s/.icons", home) < 0) | |
+ err(1, "snprintf"); | |
+ if (unveil(path, "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (snprintf(path, sizeof(path), "%s/.local", home) < 0) | |
+ err(1, "snprintf"); | |
+ if (unveil(path, "rwc") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (snprintf(path, sizeof(path), "%s/.Xauthority", home) < 0) | |
+ err(1, "snprintf"); | |
+ if (unveil(path, "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (snprintf(path, sizeof(path), "%s/.Xdefaults", home) < 0) | |
+ err(1, "snprintf"); | |
+ if (unveil(path, "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (snprintf(path, sizeof(path), "%s/tmp", home) < 0) | |
+ err(1, "snprintf"); | |
+ if (unveil(path, "rwc") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/bin", "rx") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/dev/urandom", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/etc/fonts", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/etc/gtk-3.0", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/etc/xdg", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/etc/aspell.conf", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/etc/machine-id", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/tmp", "rwc") == -1) | |
+ err(1, "unveil /tmp"); | |
+ | |
+ if (unveil("/usr/libexec", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/usr/local/bin", "x") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/usr/local/lib", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/usr/local/libexec/webkit2gtk-4.0", "x") == -1) | |
+ err(1, "unveil /usr/local/libexec/webkit2gtk-4.0"); | |
+ | |
+ if (unveil("/usr/local/lib/gdk-pixbuf-2.0", "x") == -1) | |
+ err(1, "unveil /usr/local/libexec/gdk-pixbuf-2.0"); | |
+ | |
+ if (unveil("/usr/local/share", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/usr/local/share/locale", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/usr/share/locale", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/usr/X11R6/lib", "rx") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (unveil("/var/run", "r") == -1) | |
+ err(1, "unveil"); | |
+ | |
+ if (pledge("stdio rpath wpath cpath dpath tmppath fattr chown flock un… | |
+ "sendfd recvfd tty proc exec prot_exec ps", NULL) =… | |
+ err(1, "pledge"); | |
+#endif | |
+ | |
memset(&arg, 0, sizeof(arg)); | |
/* command line args */ |
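Review bot: The eight `snprintf()` calls that build the home-relative paths only test for a negative return, so a home directory too long for the 128-byte `path` buffer is silently truncated and `unveil()` is then applied to a different path than intended. Treat truncation as fatal, e.g. `n = snprintf(path, sizeof(path), "%s/.cache", home); if (n < 0 || (size_t)n >= sizeof(path)) errx(1, "home path too long");`, and do the same for the other seven calls. `$HOME/.config/surf` is unveiled with `"rwxc"`, which leaves a directory both writable and executable to a process that also keeps `proc exec`; if execute is only needed for known helper scripts, say so in a comment or narrow the path. Because `pledge()` is passed `NULL` for execpromises, programs started from `/bin` and `/usr/local/bin` are not restricted by these promises, which deserves a comment such as `/* execpromises is NULL: exec'd programs are not pledged */`. The error text on the gdk-pixbuf `unveil()` names `/usr/local/libexec/gdk-pixbuf-2.0` while the call uses `/usr/local/lib/gdk-pixbuf-2.0`, and most other `err(1, "unveil")` messages omit the path entirely; `main()` begins and continues outside this hunk.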