thodg/got

Browse

Commit ffb5f621a9d5d1330a020a5da4a75e98c0cf62f0

Stefan Sperling 2020-03-18T16:11:30

pledge got-fetch-pack ("stdio recvfd") 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

diff --git a/libexec/got-fetch-pack/got-fetch-pack.c b/libexec/got-fetch-pack/got-fetch-pack.c
index 30b7714..a045084 100644
--- a/libexec/got-fetch-pack/got-fetch-pack.c
+++ b/libexec/got-fetch-pack/got-fetch-pack.c
@@ -604,6 +604,14 @@ main(int argc, char **argv)
 	}
 
 	imsg_init(&ibuf, GOT_IMSG_FD_CHILD);
+#ifndef PROFILE
+	/* revoke access to most system calls */
+	if (pledge("stdio recvfd", NULL) == -1) {
+		err = got_error_from_errno("pledge");
+		got_privsep_send_error(&ibuf, err);
+		return 1;
+	}
+#endif
 	if ((err = got_privsep_recv_imsg(&imsg, &ibuf, 0)) != 0) {
 		if (err->code == GOT_ERR_PRIVSEP_PIPE)
 			err = NULL;
kmx.io     mail     discord kmxgit v0.4.0