adjust pledge/unveil on OpenBSD

to connect to unix-domain sockets the `unix' pledge is needed and also unveil "w". gmid can't mutate files because it doesn't pledge `wpath' nor `cpath'.
author: Omar Polo <op@omarpolo.com> 2022-11-27 10:04:39 +0000
committer: Omar Polo <op@omarpolo.com> 2022-11-27 10:04:39 +0000
commit: b24c6fcc1c81fa2a6b71048a9d2fc532402448b7 (patch)
tree: 6d83bd078557ed35b9d879421ff94df768495a47 /sandbox.c
parent: 6130e0eeac9db4fa8e6fe5934ec2d0ab202f979e (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/sandbox.c b/sandbox.c
index f1ca7cb..076ce3c 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -611,14 +611,14 @@ sandbox_server_process(int can_open_sockets)
 			if (*l->dir == '\0')
 				continue;
 
-			if (unveil(l->dir, "r") == -1)
+			if (unveil(l->dir, "rw") == -1)
 				fatal("unveil %s for domain %s",
 				    l->dir,
 				    h->domain);
 		}
 	}
 
-	if (pledge("stdio recvfd rpath inet dns", NULL) == -1)
+	if (pledge("stdio recvfd rpath unix inet dns", NULL) == -1)
 		fatal("pledge");
 }
author	Omar Polo <op@omarpolo.com>	2022-11-27 10:04:39 +0000
committer	Omar Polo <op@omarpolo.com>	2022-11-27 10:04:39 +0000
commit	b24c6fcc1c81fa2a6b71048a9d2fc532402448b7 (patch)
tree	6d83bd078557ed35b9d879421ff94df768495a47 /sandbox.c
parent	6130e0eeac9db4fa8e6fe5934ec2d0ab202f979e (diff)