From 695d615225bbd66ffee42f5c073ed45327790512 Mon Sep 17 00:00:00 2001
From: Přemysl Janouch
Date: Wed, 30 Mar 2016 00:50:44 +0200
Subject: ZyklonB, kike: Use pledge(2) in OpenBSD
degesch has something like "stdio wpath cpath inet tty proc exec"
but given that it's user-extensible and very annoying for users to
have it crash, I'm leaving it unrestricted for now.
---
kike.c | 6 ++++++
zyklonb.c | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/kike.c b/kike.c
index ce5bc1f..deff370 100644
--- a/kike.c
+++ b/kike.c
@@ -4076,6 +4076,12 @@ main (int argc, char *argv[])
else if (!irc_lock_pid_file (&ctx, &e))
exit_fatal ("%s", e->message);
+#if OpenBSD >= 201605
+ // This won't be as simple once we decide to implement REHASH
+ if (pledge ("stdio inet dns", NULL))
+ exit_fatal ("%s: %s", "pledge", strerror (errno));
+#endif
+
ctx.polling = true;
while (ctx.polling)
poller_run (&ctx.poller);
diff --git a/zyklonb.c b/zyklonb.c
index 4ab27bc..c7ab8c7 100644
--- a/zyklonb.c
+++ b/zyklonb.c
@@ -2023,6 +2023,12 @@ main (int argc, char *argv[])
ctx.signal_event.user_data = &ctx;
poller_fd_set (&ctx.signal_event, POLLIN);
+#if OpenBSD >= 201605
+ // cpath is for creating the plugin home directory
+ if (pledge ("stdio rpath cpath inet proc exec", NULL))
+ exit_fatal ("%s: %s", "pledge", strerror (errno));
+#endif
+
plugin_load_all_from_config (&ctx);
if (!parse_config (&ctx, &e)
|| !irc_connect (&ctx, &e))
--
cgit v1.2.3-70-g09d2