apply unveil(2) to repository tests
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77
diff --git a/regress/repository/repository_test.c b/regress/repository/repository_test.c
index 6c10824..a2e8fe5 100644
--- a/regress/repository/repository_test.c
+++ b/regress/repository/repository_test.c
@@ -32,6 +32,7 @@
#include "got_repository.h"
#include "got_diff.h"
#include "got_opentemp.h"
+#include "got_privsep.h"
#include "got_lib_path.h"
@@ -411,15 +412,50 @@ usage(void)
fprintf(stderr, "usage: repository_test [-v] [REPO_PATH]\n");
}
+static const struct got_error *
+apply_unveil(const char *repo_path)
+{
+ const struct got_error *error;
+ char *normpath = NULL;
+
+ if (repo_path) {
+ normpath = got_path_normalize(repo_path);
+ if (normpath == NULL)
+ return got_error_from_errno();
+ if (unveil(normpath, "r") != 0) {
+ free(normpath);
+ return got_error_from_errno();
+ }
+ free(normpath);
+ }
+
+ if (unveil("/tmp", "rwc") != 0)
+ return got_error_from_errno();
+
+ if (unveil("/dev/null", "rwc") != 0)
+ return got_error_from_errno();
+
+ error = got_privsep_unveil_exec_helpers();
+ if (error != NULL)
+ return error;
+
+ if (unveil(NULL, NULL) != 0)
+ return got_error_from_errno();
+
+ return NULL;
+}
+
int
main(int argc, char *argv[])
{
int test_ok = 0, failure = 0;
const char *repo_path;
int ch;
+ const struct got_error *error;
#ifndef PROFILE
- if (pledge("stdio rpath wpath cpath proc exec sendfd", NULL) == -1)
+ if (pledge("stdio rpath wpath cpath proc exec sendfd unveil", NULL)
+ == -1)
err(1, "pledge");
#endif
@@ -445,6 +481,12 @@ main(int argc, char *argv[])
return 1;
}
+ error = apply_unveil(repo_path);
+ if (error) {
+ fprintf(stderr, "unveil: %s", error->msg);
+ return 1;
+ }
+
RUN_TEST(repo_read_tree(repo_path), "read_tree");
RUN_TEST(repo_read_log(repo_path), "read_log");
RUN_TEST(repo_read_blob(repo_path), "read_blob");