Add pledge(2) and unveil(2) on OpenBSD - surf - customized build of surf, the suckless webkit browser
---
(DIR) commit 6d08917cf38a120460a7a248ed9678fa8c3a01eb
(DIR) parent 5fddf9515f75b724b90b8bb62eab02f8b93ff128
(HTM) Author: Anders Damsgaard <anders@adamsgaard.dk>
Date: Thu, 2 Jan 2020 21:36:13 +0100
Add pledge(2) and unveil(2) on OpenBSD
Diffstat:
M surf.c | 107 +++++++++++++++++++++++++++++++
1 file changed, 107 insertions(+), 0 deletions(-)
---
(DIR) diff --git a/surf.c b/surf.c
t@@ -29,6 +29,10 @@
#include <X11/Xatom.h>
#include <glib.h>
+#ifdef __OpenBSD__
+#include <err.h>
+#endif
+
#include "arg.h"
#include "common.h"
t@@ -1977,6 +1981,109 @@ main(int argc, char *argv[])
Arg arg;
Client *c;
+#ifdef __OpenBSD__
+ char path[128];
+ const char* home = getcurrentuserhomedir();
+
+ if (snprintf(path, sizeof(path), "%s/.cache", home) < 0)
+ err(1, "snprintf");
+ if (unveil(path, "rwc") == -1)
+ err(1, "unveil");
+
+ if (snprintf(path, sizeof(path), "%s/.config", home) < 0)
+ err(1, "snprintf");
+ if (unveil(path, "r") == -1)
+ err(1, "unveil");
+
+ if (snprintf(path, sizeof(path), "%s/.config/surf", home) < 0)
+ err(1, "snprintf");
+ if (unveil(path, "rwxc") == -1)
+ err(1, "unveil");
+
+ if (snprintf(path, sizeof(path), "%s/.icons", home) < 0)
+ err(1, "snprintf");
+ if (unveil(path, "r") == -1)
+ err(1, "unveil");
+
+ if (snprintf(path, sizeof(path), "%s/.local", home) < 0)
+ err(1, "snprintf");
+ if (unveil(path, "rwc") == -1)
+ err(1, "unveil");
+
+ if (snprintf(path, sizeof(path), "%s/.Xauthority", home) < 0)
+ err(1, "snprintf");
+ if (unveil(path, "r") == -1)
+ err(1, "unveil");
+
+ if (snprintf(path, sizeof(path), "%s/.Xdefaults", home) < 0)
+ err(1, "snprintf");
+ if (unveil(path, "r") == -1)
+ err(1, "unveil");
+
+ if (snprintf(path, sizeof(path), "%s/tmp", home) < 0)
+ err(1, "snprintf");
+ if (unveil(path, "rwc") == -1)
+ err(1, "unveil");
+
+ if (unveil("/bin", "rx") == -1)
+ err(1, "unveil");
+
+ if (unveil("/dev/urandom", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/etc/fonts", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/etc/gtk-3.0", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/etc/xdg", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/etc/aspell.conf", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/etc/machine-id", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/tmp", "rwc") == -1)
+ err(1, "unveil /tmp");
+
+ if (unveil("/usr/libexec", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/usr/local/bin", "x") == -1)
+ err(1, "unveil");
+
+ if (unveil("/usr/local/lib", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/usr/local/libexec/webkit2gtk-4.0", "x") == -1)
+ err(1, "unveil /usr/local/libexec/webkit2gtk-4.0");
+
+ if (unveil("/usr/local/lib/gdk-pixbuf-2.0", "x") == -1)
+ err(1, "unveil /usr/local/libexec/gdk-pixbuf-2.0");
+
+ if (unveil("/usr/local/share", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/usr/local/share/locale", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/usr/share/locale", "r") == -1)
+ err(1, "unveil");
+
+ if (unveil("/usr/X11R6/lib", "rx") == -1)
+ err(1, "unveil");
+
+ if (unveil("/var/run", "r") == -1)
+ err(1, "unveil");
+
+ if (pledge("stdio rpath wpath cpath dpath tmppath fattr chown flock unix "
+ "sendfd recvfd tty proc exec prot_exec ps", NULL) == -1)
+ err(1, "pledge");
+#endif
+
memset(&arg, 0, sizeof(arg));
/* command line args */
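Review bot: Each `snprintf` into `path[128]` is checked only for a negative return, so a home directory too long for the buffer is silently truncated and `unveil` is then applied to a path other than the one intended; the check should also reject a return value `>= sizeof(path)`. The same three-line pattern repeats for all eight per-user paths, so a small helper that formats, checks for truncation and names the path in the error would keep the policy readable; it is sketched below. Separately, most failures print only `unveil`, and the message for `/usr/local/lib/gdk-pixbuf-2.0` names `/usr/local/libexec/gdk-pixbuf-2.0` instead. On the policy itself, `~/.config/surf` is unveiled `rwxc` while the pledge keeps `exec` and passes `NULL` execpromises, so a file written there can be executed as a new image that this pledge call does not restrict; please confirm that `x` is needed on a writable directory. The block sits inside `main()`, which starts and ends outside the hunk.

```c
/* Unveil "<home>/<sub>" with perms; exit on truncation or unveil failure. */
static void
unveil_home(const char *home, const char *sub, const char *perms)
{
	char path[128];
	int n;

	n = snprintf(path, sizeof(path), "%s/%s", home, sub);
	if (n < 0 || (size_t)n >= sizeof(path))
		errx(1, "unveil: path too long: %s/%s", home, sub);
	if (unveil(path, perms) == -1)
		err(1, "unveil %s", path);
}

/* … unchanged: #ifdef __OpenBSD__ guard and declarations in main() … */
	const char *home = getcurrentuserhomedir();

	unveil_home(home, ".cache", "rwc");
	unveil_home(home, ".config", "r");
	/* … same call for the remaining per-user paths … */
	/* … unchanged: system-path unveil() calls and pledge() … */
```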