There are three pledges: - at the start - after daemon(3) to drop "proc exec" unless scripts are used - after sio_open(3) to drop "cpath dpath" unless metadata is used
Our port has libdaemon and metadata disabled, so it always ends up with "stdio rpath wpath inet unix dns [proc exec] audio", but the diff does account for them, such that enabling them does the right thing. One might be able to drop more and/or use unveil(2), but that needs careful hoisting and consideration of other features our port currently does not enable. Feedback? Objection? OK? Index: Makefile =================================================================== RCS file: /cvs/ports/audio/shairport-sync/Makefile,v diff -u -p -r1.7 Makefile --- Makefile 31 Jan 2024 08:47:23 -0000 1.7 +++ Makefile 5 Feb 2024 11:45:53 -0000 @@ -1,7 +1,7 @@ COMMENT = AirPlay audio player DIST_TUPLE = github mikebrady shairport-sync 4.3.2 . -REVISION = 0 +REVISION = 1 CATEGORIES = audio net Index: patches/patch-shairport_c =================================================================== RCS file: patches/patch-shairport_c diff -N patches/patch-shairport_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-shairport_c 5 Feb 2024 12:04:21 -0000 @@ -0,0 +1,75 @@ +Index: shairport.c +--- shairport.c.orig ++++ shairport.c +@@ -1929,6 +1929,12 @@ void _display_config(const char *filename, const int l + #define display_config(argc, argv) _display_config(__FILE__, __LINE__, argc, argv) + + int main(int argc, char **argv) { ++#if defined(__OpenBSD__) ++ /* Start with the superset of all potentially required promises. */ ++ if (pledge("stdio rpath wpath cpath dpath inet unix dns proc exec audio", NULL) == -1) ++ die("pledge: %s", strerror(errno)); ++#endif ++ + memset(&config, 0, sizeof(config)); // also clears all strings, BTW + /* Check if we are called with -V or --version parameter */ + if (argc >= 2 && ((strcmp(argv[1], "-V") == 0) || (strcmp(argv[1], "--version") == 0))) { +@@ -2102,6 +2108,16 @@ int main(int argc, char **argv) { + // parse arguments into config -- needed to locate pid_dir + int audio_arg = parse_options(argc, argv); + ++#if defined(__OpenBSD__) ++ /* Any command to be executed at runtime? */ ++ int run_cmds = ++ config.cmd_active_start != NULL || ++ config.cmd_active_stop != NULL || ++ config.cmd_set_volume != NULL || ++ config.cmd_start != NULL || ++ config.cmd_stop != NULL; ++#endif ++ + // mDNS supports maximum of 63-character names (we append 13). + if (strlen(config.service_name) > 50) { + warn("The service name \"%s\" is too long (max 50 characters) and has been truncated.", +@@ -2237,6 +2253,16 @@ int main(int argc, char **argv) { + + #endif + ++#if defined(__OpenBSD__) ++ /* Past daemon(3)'s double fork(2). */ ++ ++ /* Only user-defined commands are executed. */ ++ if (!run_cmds) ++ /* Drop "proc exec". */ ++ if (pledge("stdio rpath wpath cpath dpath inet unix dns audio", NULL) == -1) ++ die("pledge: %s", strerror(errno)); ++#endif ++ + #ifdef CONFIG_AIRPLAY_2 + + if (has_fltp_capable_aac_decoder() == 0) { +@@ -2351,6 +2377,24 @@ int main(int argc, char **argv) { + config.output_name == NULL ? "<unspecified>" : config.output_name); + } + config.output->init(argc - audio_arg, argv + audio_arg); ++ ++#if defined(__OpenBSD__) ++ /* Past first and last sio_open(3), sndio(7) only needs "audio". */ ++ ++# ifdef CONFIG_METADATA ++ /* Only coverart cache is created. ++ * Only metadata pipe is special. */ ++ if (!config.metadata_enabled) ++# endif ++ /* Drop "cpath dpath". */ ++ if (run_cmds) { ++ if (pledge("stdio rpath wpath inet unix dns proc exec audio", NULL) == -1) ++ die("pledge: %s", strerror(errno)); ++ } else { ++ if (pledge("stdio rpath wpath inet unix dns audio", NULL) == -1) ++ die("pledge: %s", strerror(errno)); ++ } ++#endif + + // pthread_cleanup_push(main_cleanup_handler, NULL); +