OpenBSD unveil(2): restrict to ircpath - ii - irc it, simple FIFO based irc client
 (DIR) commit a86198f1fad847ba8797373a4af1a6293819de11
 (DIR) parent 0cc277877e1074d9b33ad4971301ef32f4100437
 (HTM) Author: Hiltjo Posthuma <hiltjo@codemadness.org>
       Date:   Thu, 20 Nov 2025 16:19:33 +0100
       
       OpenBSD unveil(2): restrict to ircpath
       
       Restrict writing to the filesystem to ircpath.
       
       Note for TLS the certificate files etc are required, but the socket is created
       before.
       
       Diffstat:
         M ii.c                                |      11 ++++++-----
       
       1 file changed, 6 insertions(+), 5 deletions(-)
       ---
 (DIR) diff --git a/ii.c b/ii.c
       @@ -904,15 +904,16 @@ main(int argc, char *argv[])
                                die("%s: tls_connect_socket: %s\n", tls_error(tls));
                }
        
       +        r = snprintf(ircpath, sizeof(ircpath), "%s/%s", prefix, host);
       +        if (r < 0 || (size_t)r >= sizeof(ircpath))
       +                die("%s: path to irc directory too long\n", argv0);
       +
        #ifdef __OpenBSD__
       -        /* OpenBSD pledge(2) support */
       +        if (unveil(ircpath, "rwc") == 0)
       +                die("%s: unveil: %s: %s\n", argv0, ircpath, strerror(errno));
                if (pledge("stdio rpath wpath cpath dpath", NULL) == -1)
                        die("%s: pledge: %s\n", argv0, strerror(errno));
        #endif
       -
       -        r = snprintf(ircpath, sizeof(ircpath), "%s/%s", prefix, host);
       -        if (r < 0 || (size_t)r >= sizeof(ircpath))
       -                die("%s: path to irc directory too long\n", argv0);
                create_dirtree(ircpath);
        
                channelmaster = channel_add(""); /* master channel */
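Review bot: The new check `if (unveil(ircpath, "rwc") == 0)` is inverted, because unveil(2) returns 0 on success and -1 on error. As written, an OpenBSD build calls die() whenever the restriction is applied successfully (printing a stale errno), and carries on without the filesystem restriction when unveil actually fails. It should use the same test as the pledge call below it: `if (unveil(ircpath, "rwc") == -1)`. Separately, unveil now runs before `create_dirtree(ircpath)`, so on a first run where parent directories of ircpath do not exist yet it may fail with ENOENT; that is worth confirming with a fresh prefix. main() starts and ends outside this hunk.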