add OpenBSD unveil support

The unveil() system call first appeared in OpenBSD 6.4. For stagit it has the following properties now: - stagit-index: only read-access to the file-system for the specified directories/repositories. - stagit: read-access to the specified directory/repository. read-write and creation access to the current directory for the output files. read-write and creation access to the specified cache file.
author: Hiltjo Posthuma <[email protected]> 2019-12-01 18:31:07 +0100
committer: Hiltjo Posthuma <[email protected]> 2019-12-01 18:31:07 +0100
commit: edee68f398f5b190f4be0127338956c0a2500662 (patch)
tree: 94788cd2df391b83cc7782a89d690302bd5216f0 /stagit.c
parent: b5607f75afb9c6e6e6ab49128f9760d3538809cd (diff)
download: stagit-edee68f398f5b190f4be0127338956c0a2500662.tar.gz
stagit-edee68f398f5b190f4be0127338956c0a2500662.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/stagit.c b/stagit.c
index a6cfebc..dcac016 100644
--- a/stagit.c
+++ b/stagit.c
@@ -1095,6 +1095,13 @@ main(int argc, char *argv[])
 	git_libgit2_init();
 
 #ifdef __OpenBSD__
+	if (unveil(repodir, "r") == -1)
+		err(1, "unveil: %s", repodir);
+	if (unveil(".", "rwc") == -1)
+		err(1, "unveil: .");
+	if (cachefile && unveil(cachefile, "rwc") == -1)
+		err(1, "unveil: %s", cachefile);
+
 	if (cachefile) {
 		if (pledge("stdio rpath wpath cpath fattr", NULL) == -1)
 			err(1, "pledge");
author	Hiltjo Posthuma <[email protected]>	2019-12-01 18:31:07 +0100
committer	Hiltjo Posthuma <[email protected]>	2019-12-01 18:31:07 +0100
commit	edee68f398f5b190f4be0127338956c0a2500662 (patch)
tree	94788cd2df391b83cc7782a89d690302bd5216f0 /stagit.c
parent	b5607f75afb9c6e6e6ab49128f9760d3538809cd (diff)
download	stagit-edee68f398f5b190f4be0127338956c0a2500662.tar.gz stagit-edee68f398f5b190f4be0127338956c0a2500662.zip