[hackers] [ii] OpenBSD unveil(2): restrict to ircpath || Hiltjo Posthuma

From: <git_AT_suckless.org>
Date: Thu, 20 Nov 2025 16:22:10 +0100 (CET)

commit a86198f1fad847ba8797373a4af1a6293819de11
Author: Hiltjo Posthuma <hiltjo_AT_codemadness.org>
AuthorDate: Thu Nov 20 16:19:33 2025 +0100
Commit: Hiltjo Posthuma <hiltjo_AT_codemadness.org>
CommitDate: Thu Nov 20 16:19:33 2025 +0100

    OpenBSD unveil(2): restrict to ircpath
    
    Restrict writing to the filesystem to ircpath.
    
    Note for TLS the certificate files etc are required, but the socket is created
    before.

diff --git a/ii.c b/ii.c
index b1dfc46..63dc7d7 100644
--- a/ii.c
+++ b/ii.c
_AT_@ -904,15 +904,16 @@ main(int argc, char *argv[])
                         die("%s: tls_connect_socket: %s\n", tls_error(tls));
         }
 
+ r = snprintf(ircpath, sizeof(ircpath), "%s/%s", prefix, host);
+ if (r < 0 || (size_t)r >= sizeof(ircpath))
+ die("%s: path to irc directory too long\n", argv0);
+
 #ifdef __OpenBSD__
- /* OpenBSD pledge(2) support */
+ if (unveil(ircpath, "rwc") == 0)
+ die("%s: unveil: %s: %s\n", argv0, ircpath, strerror(errno));
         if (pledge("stdio rpath wpath cpath dpath", NULL) == -1)
                 die("%s: pledge: %s\n", argv0, strerror(errno));
 #endif
-
- r = snprintf(ircpath, sizeof(ircpath), "%s/%s", prefix, host);
- if (r < 0 || (size_t)r >= sizeof(ircpath))
- die("%s: path to irc directory too long\n", argv0);
         create_dirtree(ircpath);
 
         channelmaster = channel_add(""); /* master channel */
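Review bot: The return-value test on the added unveil() call in the __OpenBSD__ block is inverted. unveil(2) returns 0 on success and -1 on error, so `if (unveil(ircpath, "rwc") == 0)` calls die() when the restriction was applied and carries on silently when it was not. Compare against -1, as the pledge() check directly below does: `if (unveil(ircpath, "rwc") == -1)`. Two smaller points: unveil() now runs before create_dirtree(ircpath), so it is worth confirming the behaviour on a first run when prefix or the host directory does not exist yet, since anything create_dirtree() has to create above ircpath is no longer reachable. The removed `/* OpenBSD pledge(2) support */` comment could also be replaced with one that covers both unveil and pledge.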
Received on Thu Nov 20 2025 - 16:22:10 CET
