hi, here's a patch that i wrote a while ago which adds pledge/unveil to harec so it cannot do weird stuff during compilation. thoughts?
-----------------------------------------------
commit 43ca9cc786b4a993a8230d0215a6100d509acd3f (origin/master)
from: Lorenz (xha) <m...@xha.li>
date: Sat Mar 30 11:15:36 2024 UTC
add pledge(2) and unveil(2) to harec
diff 9985eb90b7fc9a8991a307c41d09a584d36f255c 43ca9cc786b4a993a8230d0215a6100d509acd3f
commit - 9985eb90b7fc9a8991a307c41d09a584d36f255c
commit + 43ca9cc786b4a993a8230d0215a6100d509acd3f
blob - 3853849750b616cc0dfe1f328738bfef843dce52
blob + 002654e39bcb9593499d50b91df194d8368437bf
--- configs/openbsd.mk
+++ configs/openbsd.mk
@@ -9,8 +9,8 @@ HARECFLAGS = -N "" -m .main
 QBEFLAGS =
 ASFLAGS =
 LDLINKFLAGS = -z nobtcfi
-CFLAGS = -g -std=c11 -D_XOPEN_SOURCE=700 -Iinclude \
- -Wall -Wextra -Werror -pedantic -Wno-unused-parameter
+CFLAGS = -g -std=c11 -Iinclude -Wall -Wextra -Werror \
+ -pedantic -Wno-unused-parameter
 LDFLAGS =
 LIBS = -lm
blob - 33c097c281d3db123f979be3bef0c52839551106
blob + d099a6ada00413f764eb672012246c8da9b01a37
--- src/main.c
+++ src/main.c
@@ -70,7 +70,7 @@ parse_define(const char *argv_0, const char *in)
 }
 int
-main(int argc, char *argv[])
+main(int argc, char *argv[], char *envp[])
 {
 const char *output = NULL, *typedefs = NULL;
 const char *target = DEFAULT_TARGET;
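Review bot: The removal of `-D_XOPEN_SOURCE=700` from `CFLAGS` in configs/openbsd.mk is not explained in the file or the commit message; presumably it is what lets `<unistd.h>` declare `pledge` and `unveil`, and a comment above the assignment such as `# no _XOPEN_SOURCE here: pledge(2)/unveil(2) need the BSD namespace` would keep it from being re-added. It also means every translation unit is now built against the wider namespace on this platform only, so an accidental use of a non-POSIX function elsewhere in the tree would no longer be caught by the OpenBSD build.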
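Review bot: `envp` is added to `main` for every platform although only the `#ifdef __OpenBSD__` block in the later `@@ -144` hunk reads it, and a three-argument `main` is an extension rather than one of the forms C11 defines. Declaring `extern char **environ;` inside the OpenBSD block and looping over that would leave the signature as it was. The body of `main` continues outside this hunk.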
@@ -144,6 +144,48 @@ main(int argc, char *argv[])
 return EXIT_USER;
 }
+#ifdef __OpenBSD__
+ for (char **env = envp; *env != NULL; env++) {
+ if (strncmp(*env, "HARE_TD_", 8) == 0) {
+ char *file = getenv(*env);
+ assert(file != NULL);
+
+ if (unveil(file, "r") == -1) {
+ perror("unveil");
+ exit(EXIT_ABNORMAL);
+ }
+ }
+ }
+
+ for (size_t i = 0; i < nsources; i++) {
+ const char *path = argv[optind + i];
+
+ if (unveil(path, "r") == -1) {
+ perror("unveil");
+ exit(EXIT_ABNORMAL);
+ }
+ }
+
+ if (typedefs != NULL) {
+ if (unveil(typedefs, "rwc") == -1) {
+ perror("unveil");
+ exit(EXIT_ABNORMAL);
+ }
+ }
+
+ if (output != NULL) {
+ if (unveil(output, "rwc") == -1) {
+ perror("unveil");
+ exit(EXIT_ABNORMAL);
+ }
+ }
+
+ if (pledge("stdio rpath wpath cpath", NULL) == -1) {
+ perror("pledge");
+ exit(EXIT_ABNORMAL);
+ }
+#endif
+
 struct ast_unit aunit = {0};
 struct ast_subunit *subunit = &aunit.subunits;
 struct ast_subunit **next = &aunit.subunits.next;
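Review bot: In the `HARE_TD_` loop, `getenv(*env)` is given the whole `NAME=value` entry rather than the variable name, so the lookup depends on the libc stopping at the `=`, and the only NULL check is an `assert` that is compiled out under `NDEBUG` even though the value comes from the environment. The path can be taken from the entry itself: `char *file = strchr(*env, '=');`, `if (file == NULL) continue;`, then `unveil(file + 1, "r")`. The four `perror("unveil")` calls also do not say which path was refused, which makes a failed build hard to diagnose. The promise set has to cover everything `main` opens after this point, and that code lies outside the hunk, so it should be checked against the rest of the function.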