On 2025/01/05 15:12, Chaz Kettleson wrote:
> > Good to commit?

I think so. Here it is as a ports diff, with the patch re-generated with "make patch" and "make update-patches" because there was some offset. Does that look right to you?
Index: Makefile =================================================================== RCS file: /cvs/ports/net/hopm/Makefile,v diff -u -p -r1.3 Makefile --- Makefile 4 Sep 2024 13:32:04 -0000 1.3 +++ Makefile 6 Jan 2025 09:32:54 -0000 @@ -1,7 +1,7 @@ COMMENT= open-proxy monitor irc bot DIST_TUPLE= github ircd-hybrid hopm 1.1.10 . -REVISION= 1 +REVISION= 2 CATEGORIES= net Index: patches/patch-src_main_c =================================================================== RCS file: patches/patch-src_main_c diff -N patches/patch-src_main_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_main_c 6 Jan 2025 09:32:54 -0000 
@@ -0,0 +1,103 @@
+add pledge/unveil
+
+Index: src/main.c
+--- src/main.c.orig
++++ src/main.c
+@@ -30,6 +30,9 @@
+ #include <fcntl.h>
+ #include <stdlib.h>
+ #include <string.h>
++#if defined(__OpenBSD__)
++#include <err.h>
++#endif
+
+ #include "config.h"
+ #include "irc.h"
+@@ -39,6 +42,9 @@
+ #include "options.h"
+ #include "memory.h"
+ #include "main.h"
++#if defined(__OpenBSD__)
++#include "match.h"
++#endif
+
+
+ static int RESTART; /* Flagged to restart on next cycle */
+@@ -70,7 +76,66 @@ setup_corelimit(void)
+ }
+ }
+
++#if defined(__OpenBSD__)
+ static void
++setup_pledge(void) {
++ int needr = 0;
++ int needp = 0;
++
++ if (unveil(HOPM_BINPATH, "x") == -1) {
++ err(1, "unveil");
++ }
++
++ if (IRCItem.tls) {
++ if (unveil("/etc/ssl/cert.pem", "r") == -1) {
++ err(1, "unveil");
++ }
++
++ if (!EmptyString(IRCItem.rsa_private_key_file) &&
++ !EmptyString(IRCItem.tls_certificate_file)) {
++ if (unveil("IRCItem.rsa_private_key", "r") == -1) {
++ err(1, "unveil");
++ }
++
++ if (unveil("IRCItem.tls_certificate_file", "r") == -1) {
++ err(1, "unveil");
++ }
++ }
++
++ needr = 1;
++ }
++
++ if (!EmptyString(OpmItem.dnsbl_to) &&
++ !EmptyString(OpmItem.dnsbl_from) &&
++ !EmptyString(OpmItem.sendmail)) {
++ if (unveil("/bin/sh", "x") == -1) {
++ err(1, "unveil");
++ }
++
++ needp = 1;
++ }
++
++ if (needr && needp) {
++ if (pledge("stdio rpath inet dns proc exec", NULL) == -1) {
++ err(1, "pledge");
++ }
++ } else if (needr) {
++ if (pledge("stdio rpath inet dns exec", NULL) == -1) {
++ err(1, "pledge");
++ }
++ } else if (needp) {
++ if (pledge("stdio inet dns proc exec", NULL) == -1) {
++ err(1, "pledge");
++ }
++ } else {
++ if (pledge("stdio inet dns exec", NULL) == -1) {
++ err(1, "pledge");
++ }
++ }
++}
++#endif
++
++static void
+ do_signal(int signum)
+ {
+ switch (signum)
+@@ -198,6 +263,10 @@ main(int argc, char *argv[])
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
++
++#if defined(__OpenBSD__)
++ setup_pledge();
++#endif
+
+ /* Setup alarm & int handlers. */
+ ALARMACTION.sa_handler = &do_signal;
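Review bot: The two `unveil()` calls inside the `IRCItem.tls` branch of `setup_pledge()` pass quoted string literals (`"IRCItem.rsa_private_key"` and `"IRCItem.tls_certificate_file"`) instead of the config fields, so they unveil relative paths with those literal names and the configured key and certificate stay outside the unveiled set. The calls should read `if (unveil(IRCItem.rsa_private_key_file, "r") == -1) {` and `if (unveil(IRCItem.tls_certificate_file, "r") == -1) {`; the first literal also drops the `_file` suffix used by the `EmptyString()` check just above it. Whether those files are opened before or after `setup_pledge()` runs is not visible in these hunks, but if they are re-read later (for example on reconnect) the open would presumably fail once the unveil set is locked by `pledge()`. Separately, `exec` is promised in all four branches and the second `pledge()` argument is NULL, so whatever is exec'd (presumably the `HOPM_BINPATH` re-exec and `/bin/sh` for sendmail) starts without pledge active; a short comment above the pledge ladder stating why each promise is needed would make that intent reviewable.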