* Re: pledge(2) all programs
From: leahneukirchen @ 2020-08-03 17:43 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 229 bytes --]

New comment by leahneukirchen on mblaze repository

https://github.com/leahneukirchen/mblaze/pull/179#issuecomment-668153364

Comment:
Instead of changing _XOPEN_SOURCE, please define _BSD_SOURCE where needed (i.e. in xpledge.h)


* Re: [PR PATCH] [Updated] pledge(2) all programs
From: timkuijsten @ 2020-08-08 14:12 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 867 bytes --]

There is an updated pull request by timkuijsten against master on the mblaze repository

https://github.com/timkuijsten/mblaze renewpledge
https://github.com/leahneukirchen/mblaze/pull/179

pledge(2) all programs
I have checked all pledge calls and added some to ensure all main() functions are pledged as tight as possible.

The only program remaining with a broad pledge is mshow (full filesystem access plus fork/exec). I think the most important improvement there would be to use unveil(2), but I consider adding support for unveil a separate endeavour.

I've been running this code without problems since December (with the exception of mdate which I just pledged), although I have only just rebased my work on all changes that happened in 2020 on master.

/cc @holsta

A patch file from https://github.com/leahneukirchen/mblaze/pull/179.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-renewpledge-179.patch --]
[-- Type: text/x-diff, Size: 44965 bytes --]

From 516c8286d4ab25dd43fe568d71bfc27c9b7707d5 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 21 Nov 2019 02:15:41 +0100
Subject: [PATCH 01/21] pledge(2) based on the work by Alex Holst

The original repository that contained these patches does not exist
anymore. Grabbed commit 0300a112 from 2017-12-07 from GH PR #79.

* cleaned up aligning and whitespace
* added missing ifdef guards and err.h includes
---
 maddr.c    |  6 ++++++
 magrep.c   |  6 ++++++
 mdeliver.c |  6 ++++++
 mdirs.c    |  6 ++++++
 mexport.c  |  6 ++++++
 mflag.c    |  6 ++++++
 mgenmid.c  |  6 ++++++
 mhdr.c     |  6 ++++++
 minc.c     |  6 ++++++
 mlist.c    |  6 ++++++
 mmime.c    |  6 ++++++
 mscan.c    |  6 ++++++
 msed.c     |  6 ++++++
 mseq.c     |  6 ++++++
 mshow.c    | 11 +++++++++++
 msort.c    |  5 +++++
 mthread.c  |  5 +++++
 17 files changed, 105 insertions(+)

diff --git a/maddr.c b/maddr.c
index 339acad..95d20b0 100644
--- a/maddr.c
+++ b/maddr.c
@@ -1,5 +1,6 @@
 #include <sys/types.h>
 
+#include <err.h>
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -108,6 +109,11 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", addr);
 	else
diff --git a/magrep.c b/magrep.c
index 8cb3d1f..02b77a8 100644
--- a/magrep.c
+++ b/magrep.c
@@ -2,6 +2,7 @@
 #include <sys/types.h>
 
 #include <ctype.h>
+#include <err.h>
 #include <errno.h>
 #include <regex.h>
 #include <stdio.h>
@@ -218,6 +219,11 @@ main(int argc, char *argv[])
 	if (!rx)
 		goto usage;
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	*rx++ = 0;
 	int r = regcomp(&pattern, rx, REG_EXTENDED | iflag);
 	if (r != 0) {
diff --git a/mdeliver.c b/mdeliver.c
index c599d9d..e9286c4 100644
--- a/mdeliver.c
+++ b/mdeliver.c
@@ -3,6 +3,7 @@
 #include <sys/types.h>
 
 #include <dirent.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
@@ -340,6 +341,11 @@ main(int argc, char *argv[])
 	if (argc != optind+1)
 		goto usage2;
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio wpath", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	targetdir = argv[optind];
 
 	gethost();
diff --git a/mdirs.c b/mdirs.c
index 46b2426..8576634 100644
--- a/mdirs.c
+++ b/mdirs.c
@@ -2,6 +2,7 @@
 #include <sys/types.h>
 
 #include <dirent.h>
+#include <err.h>
 #include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -88,6 +89,11 @@ main(int argc, char *argv[])
 	if (argc == optind)
 		goto usage;
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	char toplevel[PATH_MAX];
 	if (!getcwd(toplevel, sizeof toplevel)) {
 		perror("mdirs: getcwd");
diff --git a/mexport.c b/mexport.c
index 91fa9a6..685263c 100644
--- a/mexport.c
+++ b/mexport.c
@@ -2,6 +2,7 @@
 #include <sys/types.h>
 
 #include <ctype.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
@@ -141,6 +142,11 @@ main(int argc, char *argv[])
 
 	status = 0;
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", export);
 	else
diff --git a/mflag.c b/mflag.c
index 7708946..991c070 100644
--- a/mflag.c
+++ b/mflag.c
@@ -1,6 +1,7 @@
 #include <sys/types.h>
 
 #include <dirent.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
@@ -134,6 +135,11 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	curfile = blaze822_seq_cur();
 
 	if (vflag) {
diff --git a/mgenmid.c b/mgenmid.c
index c7d713c..b214337 100644
--- a/mgenmid.c
+++ b/mgenmid.c
@@ -3,6 +3,7 @@
 #include <sys/time.h>
 #include <sys/types.h>
 
+#include <err.h>
 #include <fcntl.h>
 #include <netdb.h>
 #include <stdint.h>
@@ -36,6 +37,11 @@ int main()
 	char *f = blaze822_home_file("profile");
 	struct message *config = blaze822(f);
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	if (config) // try FQDN: first
 		host = blaze822_hdr(config, "fqdn");
 
diff --git a/mhdr.c b/mhdr.c
index 18cbc5e..f957bed 100644
--- a/mhdr.c
+++ b/mhdr.c
@@ -2,6 +2,7 @@
 #include <sys/types.h>
 
 #include <ctype.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
@@ -245,6 +246,11 @@ main(int argc, char *argv[])
 
 	status = 1;
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(".", header);
 	else
diff --git a/minc.c b/minc.c
index f495da1..66eef10 100644
--- a/minc.c
+++ b/minc.c
@@ -1,6 +1,7 @@
 #include <sys/types.h>
 
 #include <dirent.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
@@ -76,6 +77,11 @@ main(int argc, char *argv[])
 	if (optind == argc)
 		goto usage;
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	status = 0;
 	for (i = optind; i < argc; i++)
 		inc(argv[i]);
diff --git a/mlist.c b/mlist.c
index 3cb082f..1080c4e 100644
--- a/mlist.c
+++ b/mlist.c
@@ -3,6 +3,7 @@
 #include <sys/stat.h>
 
 #include <dirent.h>
+#include <err.h>
 #include <fcntl.h>
 #include <limits.h>
 #include <stdint.h>
@@ -272,6 +273,11 @@ main(int argc, char *argv[])
 
 	int i;
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	for (i = 0, flagsum = 0, flagset = 0; (size_t)i < sizeof flags; i++) {
 		if (flags[i] != 0)
 			flagset++;
diff --git a/mmime.c b/mmime.c
index 79e1ef0..c8cd803 100644
--- a/mmime.c
+++ b/mmime.c
@@ -2,6 +2,7 @@
 #include <sys/types.h>
 
 #include <dirent.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
@@ -503,6 +504,11 @@ main(int argc, char *argv[])
 	if (argc != optind)
 		goto usage;
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	if (cflag)
 		return check();
 
diff --git a/mscan.c b/mscan.c
index 6ae1628..f23f0cb 100644
--- a/mscan.c
+++ b/mscan.c
@@ -7,6 +7,7 @@
 #include <sys/types.h>
 
 #include <ctype.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <locale.h>
@@ -549,6 +550,11 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	if (nflag) {
 		if (argc == optind && isatty(0))
 			blaze822_loop1(":", numline);
diff --git a/msed.c b/msed.c
index 4fef8f4..1687c52 100644
--- a/msed.c
+++ b/msed.c
@@ -2,6 +2,7 @@
 #include <sys/types.h>
 
 #include <ctype.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <regex.h>
@@ -323,6 +324,11 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	expr = argv[optind];
 	optind++;
 
diff --git a/mseq.c b/mseq.c
index b8ebcfe..0707416 100644
--- a/mseq.c
+++ b/mseq.c
@@ -2,6 +2,7 @@
 #include <sys/stat.h>
 
 #include <dirent.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
@@ -298,6 +299,11 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath wpath cpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	if (cflag)
 		blaze822_loop1(cflag, overridecur);
 
diff --git a/mshow.c b/mshow.c
index 3a7fdce..517376d 100644
--- a/mshow.c
+++ b/mshow.c
@@ -2,6 +2,7 @@
 #include <sys/types.h>
 
 #include <ctype.h>
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <fnmatch.h>
@@ -794,6 +795,11 @@ main(int argc, char *argv[])
 	if (!rflag && !xflag && !Oflag && !Rflag)
 		safe_output = 1;
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty cpath proc", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	if (safe_output && isatty(1)) {
 		char *pg;
 		pg = getenv("MBLAZE_PAGER");
@@ -815,6 +821,11 @@ main(int argc, char *argv[])
 		}
 	}
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath cpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
+
 	if (xflag) { // extract
 		extract(xflag, argc-optind, argv+optind, 0);
 	} else if (Oflag) { // extract to stdout
diff --git a/msort.c b/msort.c
index cdb7d4b..03f730a 100644
--- a/msort.c
+++ b/msort.c
@@ -2,6 +2,7 @@
 #include <sys/types.h>
 
 #include <ctype.h>
+#include <err.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -316,6 +317,10 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
 
 	mails = calloc(sizeof (struct mail), mailalloc);
 	if (!mails)
diff --git a/mthread.c b/mthread.c
index 8a7172a..64e86d2 100644
--- a/mthread.c
+++ b/mthread.c
@@ -8,6 +8,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <search.h>
@@ -419,6 +420,10 @@ main(int argc, char *argv[])
 
 	optional = 1;
 
+#if defined(__OpenBSD__)
+	if (pledge("stdio rpath tty", NULL) == -1)
+		err(1, "pledge");
+#endif
 	while ((c = getopt(argc, argv, "S:prv")) != -1)
 		switch (c) {
 		case 'S': blaze822_loop1(optarg, thread); break;

From ddda73d8a33b8f34a50b4f94651a246036763e6e Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 21 Nov 2019 02:36:05 +0100
Subject: [PATCH 02/21] mscan: replace _XOPEN_SOURCE 700 with _GNU_SOURCE

Otherwise pledge(2) is not included via unistd.h.

Tested on OpenBSD 6.6.
---
 mscan.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/mscan.c b/mscan.c
index f23f0cb..f22d0b8 100644
--- a/mscan.c
+++ b/mscan.c
@@ -1,6 +1,4 @@
-#ifndef _XOPEN_SOURCE
-#define _XOPEN_SOURCE 700
-#endif
+#define _GNU_SOURCE
 
 #include <sys/ioctl.h>
 #include <sys/stat.h>
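Review bot: The new `#define _GNU_SOURCE` drops the `#ifndef` guard that the replaced `_XOPEN_SOURCE` block had, so a build that also passes `-D_GNU_SOURCE` on the command line gets a macro-redefinition warning because the two replacement lists differ; keeping the guard, `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif`, preserves the old behaviour. The define still precedes every system header, which is required for a feature-test macro to take effect.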

From 63c9e698a2a778327f44b99cac838ac0348b29f4 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 21 Nov 2019 02:49:48 +0100
Subject: [PATCH 03/21] pledge: minc needs cpath

---
 minc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/minc.c b/minc.c
index 66eef10..c8ab63f 100644
--- a/minc.c
+++ b/minc.c
@@ -78,7 +78,7 @@ main(int argc, char *argv[])
 		goto usage;
 
 #if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
+	if (pledge("stdio rpath cpath tty", NULL) == -1)
 		err(1, "pledge");
 #endif
 

From 92635d98f54366d8841e281de9ce5fbc6edbd645 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 21 Nov 2019 03:10:23 +0100
Subject: [PATCH 04/21] pledge: mflag needs cpath

---
 mflag.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mflag.c b/mflag.c
index 991c070..c00c887 100644
--- a/mflag.c
+++ b/mflag.c
@@ -136,7 +136,7 @@ main(int argc, char *argv[])
 		}
 
 #if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
+	if (pledge("stdio rpath cpath tty", NULL) == -1)
 		err(1, "pledge");
 #endif
 

From 89690a6a9f813961df8de1dd923ba021fb42f44f Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 21 Nov 2019 11:25:45 +0100
Subject: [PATCH 05/21] pledge: mdeliver needs rpath cpath

---
 mdeliver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mdeliver.c b/mdeliver.c
index e9286c4..f123d01 100644
--- a/mdeliver.c
+++ b/mdeliver.c
@@ -342,7 +342,7 @@ main(int argc, char *argv[])
 		goto usage2;
 
 #if defined(__OpenBSD__)
-	if (pledge("stdio wpath", NULL) == -1)
+	if (pledge("stdio rpath wpath cpath", NULL) == -1)
 		err(1, "pledge");
 #endif
 

From 3947521b9fa778ffc3c861f473bb146d1fe93756 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 21 Nov 2019 16:10:52 +0100
Subject: [PATCH 06/21] pledge: mshow needs fork and exec

---
 mshow.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/mshow.c b/mshow.c
index 517376d..79c3492 100644
--- a/mshow.c
+++ b/mshow.c
@@ -796,7 +796,7 @@ main(int argc, char *argv[])
 		safe_output = 1;
 
 #if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty cpath proc", NULL) == -1)
+	if (pledge("stdio rpath tty cpath proc exec", NULL) == -1)
 		err(1, "pledge");
 #endif
 
@@ -821,11 +821,6 @@ main(int argc, char *argv[])
 		}
 	}
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath cpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
-
 	if (xflag) { // extract
 		extract(xflag, argc-optind, argv+optind, 0);
 	} else if (Oflag) { // extract to stdout

From b8bb7e9bb98075c1d3d9a30c92300c450f43392f Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Fri, 22 Nov 2019 10:27:48 +0100
Subject: [PATCH 07/21] pledge: mshow needs wpath

---
 mshow.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mshow.c b/mshow.c
index 79c3492..45bb2cf 100644
--- a/mshow.c
+++ b/mshow.c
@@ -796,7 +796,7 @@ main(int argc, char *argv[])
 		safe_output = 1;
 
 #if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty cpath proc exec", NULL) == -1)
+	if (pledge("stdio rpath wpath cpath tty proc exec", NULL) == -1)
 		err(1, "pledge");
 #endif
 

From 7cef953d502900dbe2f458a6f2a959aad48c7f9d Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Fri, 22 Nov 2019 21:30:09 +0100
Subject: [PATCH 08/21] new xpledge.h

---
 xpledge.h | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 xpledge.h

diff --git a/xpledge.h b/xpledge.h
new file mode 100644
index 0000000..0e472e0
--- /dev/null
+++ b/xpledge.h
@@ -0,0 +1,22 @@
+#ifndef PLEDGE_H
+#define PLEDGE_H
+
+#ifdef __OpenBSD__
+
+#include <err.h>
+#include <unistd.h>
+
+void
+xpledge(const char *promises, const char *execpromises)
+{
+	if (pledge(promises, execpromises) == -1)
+		err(1, "pledge");
+}
+
+#endif /* __OpenBSD__ */
+
+#elif
+
+#define xpledge(promises, execpromises)) 0
+
+#endif /* PLEDGE_H */
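Review bot: The `#elif` near the end of the header has no condition and `#define xpledge(promises, execpromises)) 0` has an unbalanced parenthesis, so the header cannot be preprocessed on any non-OpenBSD host; in addition, because `#endif /* __OpenBSD__ */` has already closed the `#ifdef`, that `#elif` pairs with the `PLEDGE_H` guard rather than with `__OpenBSD__`. The fallback belongs in an `#else` inside the `__OpenBSD__` block, and expanding to a bare `0` leaves a statement with no effect at every call site, whereas `((void)(promises), (void)(execpromises))` keeps the arguments referenced without warnings. `xpledge` is also defined, not merely declared, in a header without `static`, so any program linked from two translation units that both include it gets a duplicate-symbol error; `static inline` avoids that.
```c
/* … unchanged: PLEDGE_H guard, __OpenBSD__ branch includes … */
static inline void
xpledge(const char *promises, const char *execpromises)
{
	/* … unchanged: pledge() call and err() on failure … */
}

#else

#define xpledge(promises, execpromises) ((void)(promises), (void)(execpromises))

#endif /* __OpenBSD__ */

#endif /* PLEDGE_H */
```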

From b3c61d26ca8da5b3e64f52686100d3e2135b3f31 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Fri, 22 Nov 2019 21:48:40 +0100
Subject: [PATCH 09/21] replace ifdef OpenBSD with new xpledge()

ed(1) rocks!
---
 maddr.c    | 6 ++----
 magrep.c   | 6 ++----
 mdeliver.c | 6 ++----
 mdirs.c    | 6 ++----
 mexport.c  | 6 ++----
 mflag.c    | 6 ++----
 mgenmid.c  | 6 ++----
 mhdr.c     | 6 ++----
 minc.c     | 6 ++----
 mlist.c    | 6 ++----
 mmime.c    | 6 ++----
 mscan.c    | 6 ++----
 msed.c     | 6 ++----
 mseq.c     | 6 ++----
 mshow.c    | 6 ++----
 msort.c    | 6 ++----
 mthread.c  | 7 +++----
 17 files changed, 35 insertions(+), 68 deletions(-)

diff --git a/maddr.c b/maddr.c
index 95d20b0..e8784d9 100644
--- a/maddr.c
+++ b/maddr.c
@@ -8,6 +8,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int aflag;
 static int dflag;
@@ -109,10 +110,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", addr);
diff --git a/magrep.c b/magrep.c
index 02b77a8..bcd488d 100644
--- a/magrep.c
+++ b/magrep.c
@@ -11,6 +11,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int aflag;
 static int cflag;
@@ -219,10 +220,7 @@ main(int argc, char *argv[])
 	if (!rx)
 		goto usage;
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	*rx++ = 0;
 	int r = regcomp(&pattern, rx, REG_EXTENDED | iflag);
diff --git a/mdeliver.c b/mdeliver.c
index f123d01..6853fa7 100644
--- a/mdeliver.c
+++ b/mdeliver.c
@@ -14,6 +14,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 /*
 design rationale:
@@ -341,10 +342,7 @@ main(int argc, char *argv[])
 	if (argc != optind+1)
 		goto usage2;
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath wpath cpath", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath wpath cpath", NULL);
 
 	targetdir = argv[optind];
 
diff --git a/mdirs.c b/mdirs.c
index 8576634..ba57f90 100644
--- a/mdirs.c
+++ b/mdirs.c
@@ -10,6 +10,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static char sep = '\n';
 int aflag;
@@ -89,10 +90,7 @@ main(int argc, char *argv[])
 	if (argc == optind)
 		goto usage;
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	char toplevel[PATH_MAX];
 	if (!getcwd(toplevel, sizeof toplevel)) {
diff --git a/mexport.c b/mexport.c
index 685263c..7152251 100644
--- a/mexport.c
+++ b/mexport.c
@@ -11,6 +11,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Sflag;
 
@@ -142,10 +143,7 @@ main(int argc, char *argv[])
 
 	status = 0;
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", export);
diff --git a/mflag.c b/mflag.c
index c00c887..6a01b74 100644
--- a/mflag.c
+++ b/mflag.c
@@ -14,6 +14,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int8_t flags[255];
 static int vflag = 0;
@@ -135,10 +136,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath cpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath cpath tty", NULL);
 
 	curfile = blaze822_seq_cur();
 
diff --git a/mgenmid.c b/mgenmid.c
index b214337..7642e5f 100644
--- a/mgenmid.c
+++ b/mgenmid.c
@@ -14,6 +14,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 void
 printb36(uint64_t x)
@@ -37,10 +38,7 @@ int main()
 	char *f = blaze822_home_file("profile");
 	struct message *config = blaze822(f);
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	if (config) // try FQDN: first
 		host = blaze822_hdr(config, "fqdn");
diff --git a/mhdr.c b/mhdr.c
index f957bed..1babffe 100644
--- a/mhdr.c
+++ b/mhdr.c
@@ -11,6 +11,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static char *hflag;
 static char *pflag;
@@ -246,10 +247,7 @@ main(int argc, char *argv[])
 
 	status = 1;
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	if (argc == optind && isatty(0))
 		blaze822_loop1(".", header);
diff --git a/minc.c b/minc.c
index c8ab63f..0a80749 100644
--- a/minc.c
+++ b/minc.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int qflag;
 static int status;
@@ -77,10 +78,7 @@ main(int argc, char *argv[])
 	if (optind == argc)
 		goto usage;
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath cpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath cpath tty", NULL);
 
 	status = 0;
 	for (i = optind; i < argc; i++)
diff --git a/mlist.c b/mlist.c
index 1080c4e..bbc41de 100644
--- a/mlist.c
+++ b/mlist.c
@@ -14,6 +14,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 /*
 
@@ -273,10 +274,7 @@ main(int argc, char *argv[])
 
 	int i;
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	for (i = 0, flagsum = 0, flagset = 0; (size_t)i < sizeof flags; i++) {
 		if (flags[i] != 0)
diff --git a/mmime.c b/mmime.c
index c8cd803..95ffb3e 100644
--- a/mmime.c
+++ b/mmime.c
@@ -16,6 +16,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int cflag;
 static int rflag;
@@ -504,10 +505,7 @@ main(int argc, char *argv[])
 	if (argc != optind)
 		goto usage;
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	if (cflag)
 		return check();
diff --git a/mscan.c b/mscan.c
index f22d0b8..44ff9bf 100644
--- a/mscan.c
+++ b/mscan.c
@@ -18,6 +18,7 @@
 #include <wchar.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 #include "u8decode.h"
 
 static int cols;
@@ -548,10 +549,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	if (nflag) {
 		if (argc == optind && isatty(0))
diff --git a/msed.c b/msed.c
index 1687c52..98a32c3 100644
--- a/msed.c
+++ b/msed.c
@@ -12,6 +12,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static char *expr;
 
@@ -324,10 +325,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	expr = argv[optind];
 	optind++;
diff --git a/mseq.c b/mseq.c
index 0707416..86846ec 100644
--- a/mseq.c
+++ b/mseq.c
@@ -14,6 +14,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int fflag;
 static int rflag;
@@ -299,10 +300,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath wpath cpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath wpath cpath tty", NULL);
 
 	if (cflag)
 		blaze822_loop1(cflag, overridecur);
diff --git a/mshow.c b/mshow.c
index 45bb2cf..4162b7e 100644
--- a/mshow.c
+++ b/mshow.c
@@ -15,6 +15,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Bflag;
 static int rflag;
@@ -795,10 +796,7 @@ main(int argc, char *argv[])
 	if (!rflag && !xflag && !Oflag && !Rflag)
 		safe_output = 1;
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath wpath cpath tty proc exec", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath wpath cpath tty proc exec", NULL);
 
 	if (safe_output && isatty(1)) {
 		char *pg;
diff --git a/msort.c b/msort.c
index 03f730a..18a6969 100644
--- a/msort.c
+++ b/msort.c
@@ -11,6 +11,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 struct mail {
 	char *file;
@@ -317,10 +318,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
 
 	mails = calloc(sizeof (struct mail), mailalloc);
 	if (!mails)
diff --git a/mthread.c b/mthread.c
index 64e86d2..9b0013e 100644
--- a/mthread.c
+++ b/mthread.c
@@ -20,6 +20,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int vflag;
 static int pflag;
@@ -420,10 +421,8 @@ main(int argc, char *argv[])
 
 	optional = 1;
 
-#if defined(__OpenBSD__)
-	if (pledge("stdio rpath tty", NULL) == -1)
-		err(1, "pledge");
-#endif
+	xpledge("stdio rpath tty", NULL);
+
 	while ((c = getopt(argc, argv, "S:prv")) != -1)
 		switch (c) {
 		case 'S': blaze822_loop1(optarg, thread); break;

From 56a3892feaf549fb8c08696511cd3b58df587eb7 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Fri, 22 Nov 2019 22:54:34 +0100
Subject: [PATCH 10/21] mshow: more strict pledges

* drop tty
* drop proc,  exec  when using -x -O -t -R
* drop wpath, cpath when using    -O -t -R

Normal operation without any option still retains the original set of
pledges.
---
 mshow.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/mshow.c b/mshow.c
index 4162b7e..fa9d9d1 100644
--- a/mshow.c
+++ b/mshow.c
@@ -793,11 +793,11 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath wpath cpath proc exec", NULL);
+
 	if (!rflag && !xflag && !Oflag && !Rflag)
 		safe_output = 1;
 
-	xpledge("stdio rpath wpath cpath tty proc exec", NULL);
-
 	if (safe_output && isatty(1)) {
 		char *pg;
 		pg = getenv("MBLAZE_PAGER");
@@ -820,17 +820,22 @@ main(int argc, char *argv[])
 	}
 
 	if (xflag) { // extract
+		xpledge("stdio rpath wpath cpath", NULL);
 		extract(xflag, argc-optind, argv+optind, 0);
 	} else if (Oflag) { // extract to stdout
+		xpledge("stdio rpath", NULL);
 		extract(Oflag, argc-optind, argv+optind, 1);
 	} else if (tflag) { // list
+		xpledge("stdio rpath", NULL);
 		if (argc == optind && isatty(0))
 			blaze822_loop1(".", list);
 		else
 			blaze822_loop(argc-optind, argv+optind, list);
 	} else if (Rflag) { // render for reply
+		xpledge("stdio rpath", NULL);
 		blaze822_loop(argc-optind, argv+optind, reply);
 	} else { // show
+		/* XXX pledge: still r/w on the whole file-system + fork/exec */
 		if (!(qflag || rflag || Fflag)) {
 			char *f = getenv("MAILFILTER");
 			if (!f)
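Review bot: The `/* XXX pledge: still r/w on the whole file-system + fork/exec */` comment in the `show` branch says what is kept but not why, so a later reader cannot tell which promise serves which code path; naming the consumers makes the broad set auditable, e.g. `/* XXX pledge: proc exec are needed for the pager and MAILFILTER children, wpath cpath for the filter output; narrowing needs unveil(2) */`, with the exact reasons checked against the rest of `main`, which continues outside the hunk. The four narrower pledges above it are self-explanatory by their promise strings and need no comment.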

From cc6c4001a5d500028b4c550d3759ada0ddc8cfca Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 12 Dec 2019 01:50:17 +0100
Subject: [PATCH 11/21] mpick: pledge "stdio rpath"

---
 mpick.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mpick.c b/mpick.c
index bff0cc3..93bbafb 100644
--- a/mpick.c
+++ b/mpick.c
@@ -43,6 +43,7 @@
 #include <wchar.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 enum op {
 	EXPR_OR = 1,
@@ -1463,6 +1464,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	void *cb = need_thr ? collect : oneline;
 	if (argc == optind && isatty(0))
 		i = blaze822_loop1(":", cb);

From 578831ce287f18c32b119faddb451ac597cfe523 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 12 Dec 2019 01:59:01 +0100
Subject: [PATCH 12/21] mlist: more strict pledge

* drop tty
* disable execpromises
---
 mlist.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mlist.c b/mlist.c
index bbc41de..5f4535d 100644
--- a/mlist.c
+++ b/mlist.c
@@ -274,7 +274,7 @@ main(int argc, char *argv[])
 
 	int i;
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath", "");
 
 	for (i = 0, flagsum = 0, flagset = 0; (size_t)i < sizeof flags; i++) {
 		if (flags[i] != 0)

From 7fdab22d8994af8b7898bec64d660351bfd74448 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Sat, 14 Dec 2019 14:38:33 +0100
Subject: [PATCH 13/21] disable all execpromises where exec is not promised

---
 maddr.c    | 2 +-
 magrep.c   | 2 +-
 mdeliver.c | 2 +-
 mdirs.c    | 2 +-
 mexport.c  | 2 +-
 mflag.c    | 2 +-
 mgenmid.c  | 2 +-
 mhdr.c     | 2 +-
 minc.c     | 2 +-
 mmime.c    | 2 +-
 mscan.c    | 2 +-
 msed.c     | 2 +-
 mseq.c     | 2 +-
 msort.c    | 2 +-
 mthread.c  | 2 +-
 15 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/maddr.c b/maddr.c
index e8784d9..fbe2f9b 100644
--- a/maddr.c
+++ b/maddr.c
@@ -110,7 +110,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", addr);
diff --git a/magrep.c b/magrep.c
index bcd488d..9c78078 100644
--- a/magrep.c
+++ b/magrep.c
@@ -220,7 +220,7 @@ main(int argc, char *argv[])
 	if (!rx)
 		goto usage;
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	*rx++ = 0;
 	int r = regcomp(&pattern, rx, REG_EXTENDED | iflag);
diff --git a/mdeliver.c b/mdeliver.c
index 6853fa7..e66aa7a 100644
--- a/mdeliver.c
+++ b/mdeliver.c
@@ -342,7 +342,7 @@ main(int argc, char *argv[])
 	if (argc != optind+1)
 		goto usage2;
 
-	xpledge("stdio rpath wpath cpath", NULL);
+	xpledge("stdio rpath wpath cpath", "");
 
 	targetdir = argv[optind];
 
diff --git a/mdirs.c b/mdirs.c
index ba57f90..7946372 100644
--- a/mdirs.c
+++ b/mdirs.c
@@ -90,7 +90,7 @@ main(int argc, char *argv[])
 	if (argc == optind)
 		goto usage;
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	char toplevel[PATH_MAX];
 	if (!getcwd(toplevel, sizeof toplevel)) {
diff --git a/mexport.c b/mexport.c
index 7152251..4fc0ea3 100644
--- a/mexport.c
+++ b/mexport.c
@@ -143,7 +143,7 @@ main(int argc, char *argv[])
 
 	status = 0;
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", export);
diff --git a/mflag.c b/mflag.c
index 6a01b74..c25b91c 100644
--- a/mflag.c
+++ b/mflag.c
@@ -136,7 +136,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath cpath tty", NULL);
+	xpledge("stdio rpath cpath tty", "");
 
 	curfile = blaze822_seq_cur();
 
diff --git a/mgenmid.c b/mgenmid.c
index 7642e5f..ec68898 100644
--- a/mgenmid.c
+++ b/mgenmid.c
@@ -38,7 +38,7 @@ int main()
 	char *f = blaze822_home_file("profile");
 	struct message *config = blaze822(f);
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	if (config) // try FQDN: first
 		host = blaze822_hdr(config, "fqdn");
diff --git a/mhdr.c b/mhdr.c
index 1babffe..1701262 100644
--- a/mhdr.c
+++ b/mhdr.c
@@ -247,7 +247,7 @@ main(int argc, char *argv[])
 
 	status = 1;
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	if (argc == optind && isatty(0))
 		blaze822_loop1(".", header);
diff --git a/minc.c b/minc.c
index 0a80749..53b9421 100644
--- a/minc.c
+++ b/minc.c
@@ -78,7 +78,7 @@ main(int argc, char *argv[])
 	if (optind == argc)
 		goto usage;
 
-	xpledge("stdio rpath cpath tty", NULL);
+	xpledge("stdio rpath cpath tty", "");
 
 	status = 0;
 	for (i = optind; i < argc; i++)
diff --git a/mmime.c b/mmime.c
index 95ffb3e..18b0209 100644
--- a/mmime.c
+++ b/mmime.c
@@ -505,7 +505,7 @@ main(int argc, char *argv[])
 	if (argc != optind)
 		goto usage;
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	if (cflag)
 		return check();
diff --git a/mscan.c b/mscan.c
index 44ff9bf..fe5d089 100644
--- a/mscan.c
+++ b/mscan.c
@@ -549,7 +549,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	if (nflag) {
 		if (argc == optind && isatty(0))
diff --git a/msed.c b/msed.c
index 98a32c3..dca2c61 100644
--- a/msed.c
+++ b/msed.c
@@ -325,7 +325,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	expr = argv[optind];
 	optind++;
diff --git a/mseq.c b/mseq.c
index 86846ec..c685962 100644
--- a/mseq.c
+++ b/mseq.c
@@ -300,7 +300,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath wpath cpath tty", NULL);
+	xpledge("stdio rpath wpath cpath tty", "");
 
 	if (cflag)
 		blaze822_loop1(cflag, overridecur);
diff --git a/msort.c b/msort.c
index 18a6969..0f40da7 100644
--- a/msort.c
+++ b/msort.c
@@ -318,7 +318,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	mails = calloc(sizeof (struct mail), mailalloc);
 	if (!mails)
diff --git a/mthread.c b/mthread.c
index 9b0013e..ade118f 100644
--- a/mthread.c
+++ b/mthread.c
@@ -421,7 +421,7 @@ main(int argc, char *argv[])
 
 	optional = 1;
 
-	xpledge("stdio rpath tty", NULL);
+	xpledge("stdio rpath tty", "");
 
 	while ((c = getopt(argc, argv, "S:prv")) != -1)
 		switch (c) {

From a24680201853d364f7c29dc976bd27574ff88bf4 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Sat, 14 Dec 2019 22:26:27 +0100
Subject: [PATCH 14/21] remove tty promise from most programs

Anything that does not work with /dev/tty probably does not need to
promise tty.

Only mscan and mflow open /dev/tty. mflow is not yet pledged, and mscan
now drops tty as soon as it's done issuing its TIOCGWINSZ.
---
 maddr.c   | 2 +-
 magrep.c  | 2 +-
 mdirs.c   | 2 +-
 mexport.c | 2 +-
 mflag.c   | 2 +-
 mgenmid.c | 2 +-
 mhdr.c    | 2 +-
 minc.c    | 2 +-
 mmime.c   | 2 +-
 mscan.c   | 3 +++
 msed.c    | 2 +-
 mseq.c    | 2 +-
 msort.c   | 2 +-
 mthread.c | 2 +-
 14 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/maddr.c b/maddr.c
index fbe2f9b..27b3245 100644
--- a/maddr.c
+++ b/maddr.c
@@ -110,7 +110,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath", "");
 
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", addr);
diff --git a/magrep.c b/magrep.c
index 9c78078..2547eb1 100644
--- a/magrep.c
+++ b/magrep.c
@@ -220,7 +220,7 @@ main(int argc, char *argv[])
 	if (!rx)
 		goto usage;
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath", "");
 
 	*rx++ = 0;
 	int r = regcomp(&pattern, rx, REG_EXTENDED | iflag);
diff --git a/mdirs.c b/mdirs.c
index 7946372..23d7792 100644
--- a/mdirs.c
+++ b/mdirs.c
@@ -90,7 +90,7 @@ main(int argc, char *argv[])
 	if (argc == optind)
 		goto usage;
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath", "");
 
 	char toplevel[PATH_MAX];
 	if (!getcwd(toplevel, sizeof toplevel)) {
diff --git a/mexport.c b/mexport.c
index 4fc0ea3..8df8fec 100644
--- a/mexport.c
+++ b/mexport.c
@@ -143,7 +143,7 @@ main(int argc, char *argv[])
 
 	status = 0;
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath", "");
 
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", export);
diff --git a/mflag.c b/mflag.c
index c25b91c..86fccae 100644
--- a/mflag.c
+++ b/mflag.c
@@ -136,7 +136,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath cpath tty", "");
+	xpledge("stdio rpath cpath", "");
 
 	curfile = blaze822_seq_cur();
 
diff --git a/mgenmid.c b/mgenmid.c
index ec68898..fde69c3 100644
--- a/mgenmid.c
+++ b/mgenmid.c
@@ -38,7 +38,7 @@ int main()
 	char *f = blaze822_home_file("profile");
 	struct message *config = blaze822(f);
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath", "");
 
 	if (config) // try FQDN: first
 		host = blaze822_hdr(config, "fqdn");
diff --git a/mhdr.c b/mhdr.c
index 1701262..b17adb1 100644
--- a/mhdr.c
+++ b/mhdr.c
@@ -247,7 +247,7 @@ main(int argc, char *argv[])
 
 	status = 1;
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath", "");
 
 	if (argc == optind && isatty(0))
 		blaze822_loop1(".", header);
diff --git a/minc.c b/minc.c
index 53b9421..6a05d59 100644
--- a/minc.c
+++ b/minc.c
@@ -78,7 +78,7 @@ main(int argc, char *argv[])
 	if (optind == argc)
 		goto usage;
 
-	xpledge("stdio rpath cpath tty", "");
+	xpledge("stdio rpath cpath", "");
 
 	status = 0;
 	for (i = optind; i < argc; i++)
diff --git a/mmime.c b/mmime.c
index 18b0209..bad656c 100644
--- a/mmime.c
+++ b/mmime.c
@@ -505,7 +505,7 @@ main(int argc, char *argv[])
 	if (argc != optind)
 		goto usage;
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath", "");
 
 	if (cflag)
 		return check();
diff --git a/mscan.c b/mscan.c
index fe5d089..693cb81 100644
--- a/mscan.c
+++ b/mscan.c
@@ -586,6 +586,9 @@ main(int argc, char *argv[])
 	}
 	if (ttyfd >= 0)
 		close(ttyfd);
+
+	xpledge("stdio rpath", "");
+
 	if (getenv("COLUMNS"))
 		cols = atoi(getenv("COLUMNS"));
 	if (cols <= 40)
diff --git a/msed.c b/msed.c
index dca2c61..e5fc06e 100644
--- a/msed.c
+++ b/msed.c
@@ -325,7 +325,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath", "");
 
 	expr = argv[optind];
 	optind++;
diff --git a/mseq.c b/mseq.c
index c685962..14f50fb 100644
--- a/mseq.c
+++ b/mseq.c
@@ -300,7 +300,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath wpath cpath tty", "");
+	xpledge("stdio rpath wpath cpath", "");
 
 	if (cflag)
 		blaze822_loop1(cflag, overridecur);
diff --git a/msort.c b/msort.c
index 0f40da7..68efd46 100644
--- a/msort.c
+++ b/msort.c
@@ -318,7 +318,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath", "");
 
 	mails = calloc(sizeof (struct mail), mailalloc);
 	if (!mails)
diff --git a/mthread.c b/mthread.c
index ade118f..cb8ebf5 100644
--- a/mthread.c
+++ b/mthread.c
@@ -421,7 +421,7 @@ main(int argc, char *argv[])
 
 	optional = 1;
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath", "");
 
 	while ((c = getopt(argc, argv, "S:prv")) != -1)
 		switch (c) {

From 81d69d730518d220fa806b2af61535b3bd81e2e2 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Sat, 14 Dec 2019 22:43:33 +0100
Subject: [PATCH 15/21] mflow: pledge "stdio rpath tty"

After determining the window size drop rpath and tty promises.
---
 mflow.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mflow.c b/mflow.c
index 41db508..af6755d 100644
--- a/mflow.c
+++ b/mflow.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 int column = 0;
 int maxcolumn = 80;
@@ -107,6 +108,8 @@ main(int argc, char *argv[])
 	int force = 0;
 	int delsp = 0;
 
+	xpledge("stdio rpath tty", "");
+
 	char *ct = getenv("PIPE_CONTENTTYPE");
 	if (ct) {
 		char *s, *se;
@@ -130,6 +133,8 @@ main(int argc, char *argv[])
 		}
 	}
 
+	xpledge("stdio", "");
+
 	char *maxcols = getenv("MAXCOLUMNS");
 	if (maxcols && isdigit(*maxcols)) {
 		int m = atoi(maxcols);
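Review bot: Neither xpledge call in mflow says why `rpath tty` is held first and dropped here; the commit message attributes it to determining the window size, but the open/ioctl itself is outside both hunks, so the two calls could be reordered or merged by someone who does not know that. A comment on the first call, `/* rpath+tty: presumably for opening /dev/tty to read the width; dropped once known */` (confirm the actual call), and `/* width known; only stdio from here on */` on this one would pin the ordering. The same two calls reappear in the squashed patch (mflow.c @@ -107,6 +108,8 @@ and @@ -130,6 +133,8 @@). main continues outside both hunks.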

From b8f27ecd43bb63cced30cfbaa7b0ba20b1626544 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Sat, 1 Aug 2020 18:18:58 +0200
Subject: [PATCH 16/21] mdate: pledge "stdio"

---
 mdate.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mdate.c b/mdate.c
index fb95d7c..793f65e 100644
--- a/mdate.c
+++ b/mdate.c
@@ -1,11 +1,17 @@
 #include <time.h>
 #include <unistd.h>
 
+#include "xpledge.h"
+
 int
 main()
 {
 	char buf[64];
-	time_t now = time(0);
+	time_t now;
+
+	xpledge("stdio", "");
+
+	now = time(0);
 
 	ssize_t l = strftime(buf, sizeof buf,
 	    "%a, %d %b %Y %T %z\n", localtime(&now));
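Review bot: The `stdio`-only pledge placed ahead of `localtime(&now)` relies on a special case that nothing here documents: localtime(3) reads /etc/localtime or a file under /usr/share/zoneinfo, which would need `rpath` except that pledge(2) permits those reads under `stdio` — worth confirming against the pledge(2) page of the targeted release. A comment on the call, `/* stdio only: pledge(2) allows the /etc/localtime and zoneinfo reads localtime(3) needs */`, would stop the next maintainer from widening the promise set. The same hunk reappears unchanged in the squashed patch (mdate.c @@ -1,11 +1,17 @@).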

From 455ff28c33b45c1d806b5187c8bb4db4169af788 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Sat, 1 Aug 2020 18:42:05 +0200
Subject: [PATCH 17/21] mscan: add pledge proc exec in case a pager is used

---
 mscan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mscan.c b/mscan.c
index 693cb81..272522e 100644
--- a/mscan.c
+++ b/mscan.c
@@ -549,7 +549,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
-	xpledge("stdio rpath tty", "");
+	xpledge("stdio rpath tty proc exec", NULL);
 
 	if (nflag) {
 		if (argc == optind && isatty(0))
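Review bot: The switch from `""` to `NULL` for execpromises is the part of this line that matters and it is undocumented: per pledge(2), a NULL execpromises means any process exec'd from here (the pager, per the commit subject) runs with no pledge at all, while every other call in the tree passes `""`. A comment such as `/* NULL execpromises: the pager exec'd later must run unpledged */` would make that deliberate. The same pattern appears in the squashed patch in mscan.c (@@ -549,6 +551,8 @@) and mshow.c (@@ -797,6 +798,8 @@). Whether the pager is started before the later `xpledge("stdio rpath", "")` in mscan cannot be seen from this hunk; if it is started after that drop, the exec would be denied, so that ordering is worth confirming.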

From 52b6df2cf86ff81d04ec9eed54e51fbdad95b181 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Sat, 8 Aug 2020 14:38:01 +0200
Subject: [PATCH 18/21] remove err.h includes

This is a BSDism that is now only included in xpledge.h which is
guarded by an __OpenBSD__ ifdef.
---
 maddr.c    | 1 -
 magrep.c   | 1 -
 mdeliver.c | 1 -
 mdirs.c    | 1 -
 mexport.c  | 1 -
 mflag.c    | 1 -
 mgenmid.c  | 1 -
 mhdr.c     | 1 -
 minc.c     | 1 -
 mlist.c    | 1 -
 mmime.c    | 1 -
 mscan.c    | 1 -
 msed.c     | 1 -
 mseq.c     | 1 -
 mshow.c    | 1 -
 msort.c    | 1 -
 mthread.c  | 1 -
 17 files changed, 17 deletions(-)

diff --git a/maddr.c b/maddr.c
index 27b3245..0169458 100644
--- a/maddr.c
+++ b/maddr.c
@@ -1,6 +1,5 @@
 #include <sys/types.h>
 
-#include <err.h>
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/magrep.c b/magrep.c
index 2547eb1..6f93a57 100644
--- a/magrep.c
+++ b/magrep.c
@@ -2,7 +2,6 @@
 #include <sys/types.h>
 
 #include <ctype.h>
-#include <err.h>
 #include <errno.h>
 #include <regex.h>
 #include <stdio.h>
diff --git a/mdeliver.c b/mdeliver.c
index e66aa7a..161cea5 100644
--- a/mdeliver.c
+++ b/mdeliver.c
@@ -3,7 +3,6 @@
 #include <sys/types.h>
 
 #include <dirent.h>
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
diff --git a/mdirs.c b/mdirs.c
index 23d7792..5f49906 100644
--- a/mdirs.c
+++ b/mdirs.c
@@ -2,7 +2,6 @@
 #include <sys/types.h>
 
 #include <dirent.h>
-#include <err.h>
 #include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/mexport.c b/mexport.c
index 8df8fec..d758d0c 100644
--- a/mexport.c
+++ b/mexport.c
@@ -2,7 +2,6 @@
 #include <sys/types.h>
 
 #include <ctype.h>
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
diff --git a/mflag.c b/mflag.c
index 86fccae..ddf633c 100644
--- a/mflag.c
+++ b/mflag.c
@@ -1,7 +1,6 @@
 #include <sys/types.h>
 
 #include <dirent.h>
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
diff --git a/mgenmid.c b/mgenmid.c
index fde69c3..eb161cf 100644
--- a/mgenmid.c
+++ b/mgenmid.c
@@ -3,7 +3,6 @@
 #include <sys/time.h>
 #include <sys/types.h>
 
-#include <err.h>
 #include <fcntl.h>
 #include <netdb.h>
 #include <stdint.h>
diff --git a/mhdr.c b/mhdr.c
index b17adb1..d434d1d 100644
--- a/mhdr.c
+++ b/mhdr.c
@@ -2,7 +2,6 @@
 #include <sys/types.h>
 
 #include <ctype.h>
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
diff --git a/minc.c b/minc.c
index 6a05d59..c1d28fd 100644
--- a/minc.c
+++ b/minc.c
@@ -1,7 +1,6 @@
 #include <sys/types.h>
 
 #include <dirent.h>
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
diff --git a/mlist.c b/mlist.c
index 5f4535d..5debf99 100644
--- a/mlist.c
+++ b/mlist.c
@@ -3,7 +3,6 @@
 #include <sys/stat.h>
 
 #include <dirent.h>
-#include <err.h>
 #include <fcntl.h>
 #include <limits.h>
 #include <stdint.h>
diff --git a/mmime.c b/mmime.c
index bad656c..8064b10 100644
--- a/mmime.c
+++ b/mmime.c
@@ -2,7 +2,6 @@
 #include <sys/types.h>
 
 #include <dirent.h>
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
diff --git a/mscan.c b/mscan.c
index 272522e..deda213 100644
--- a/mscan.c
+++ b/mscan.c
@@ -5,7 +5,6 @@
 #include <sys/types.h>
 
 #include <ctype.h>
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <locale.h>
diff --git a/msed.c b/msed.c
index e5fc06e..7bb0b82 100644
--- a/msed.c
+++ b/msed.c
@@ -2,7 +2,6 @@
 #include <sys/types.h>
 
 #include <ctype.h>
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <regex.h>
diff --git a/mseq.c b/mseq.c
index 14f50fb..befbdda 100644
--- a/mseq.c
+++ b/mseq.c
@@ -2,7 +2,6 @@
 #include <sys/stat.h>
 
 #include <dirent.h>
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
diff --git a/mshow.c b/mshow.c
index fa9d9d1..140b1ed 100644
--- a/mshow.c
+++ b/mshow.c
@@ -2,7 +2,6 @@
 #include <sys/types.h>
 
 #include <ctype.h>
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <fnmatch.h>
diff --git a/msort.c b/msort.c
index 68efd46..2a83789 100644
--- a/msort.c
+++ b/msort.c
@@ -2,7 +2,6 @@
 #include <sys/types.h>
 
 #include <ctype.h>
-#include <err.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/mthread.c b/mthread.c
index cb8ebf5..9d718fc 100644
--- a/mthread.c
+++ b/mthread.c
@@ -8,7 +8,6 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 
-#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <search.h>

From b0fa2602fd9c9e81860ba3cd71021b02cad9ba7b Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Sat, 8 Aug 2020 14:39:40 +0200
Subject: [PATCH 19/21] make xpledge() static

---
 xpledge.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xpledge.h b/xpledge.h
index 0e472e0..41681df 100644
--- a/xpledge.h
+++ b/xpledge.h
@@ -6,7 +6,7 @@
 #include <err.h>
 #include <unistd.h>
 
-void
+static void
 xpledge(const char *promises, const char *execpromises)
 {
 	if (pledge(promises, execpromises) == -1)

From 7fca1fe2cee995cca5a310fe44146199d415d06e Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Sat, 8 Aug 2020 15:58:41 +0200
Subject: [PATCH 20/21] Revert "mscan: replace _XOPEN_SOURCE 700 with
 _GNU_SOURCE"

This reverts commit ddda73d8a33b8f34a50b4f94651a246036763e6e.
---
 mscan.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mscan.c b/mscan.c
index deda213..f7ad227 100644
--- a/mscan.c
+++ b/mscan.c
@@ -1,4 +1,6 @@
-#define _GNU_SOURCE
+#ifndef _XOPEN_SOURCE
+#define _XOPEN_SOURCE 700
+#endif
 
 #include <sys/ioctl.h>
 #include <sys/stat.h>

From c693e5f6e33f21f784f56983581039fd434d98e8 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Sat, 8 Aug 2020 16:10:23 +0200
Subject: [PATCH 21/21] mscan: make sure pledge is defined

This fixes the following compiler warning:

./xpledge.h:12:6: warning: implicit declaration of function 'pledge' is invalid
in C99 [-Wimplicit-function-declaration]
---
 mscan.c   | 3 ++-
 xpledge.h | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/mscan.c b/mscan.c
index f7ad227..52ba9a4 100644
--- a/mscan.c
+++ b/mscan.c
@@ -2,6 +2,8 @@
 #define _XOPEN_SOURCE 700
 #endif
 
+#include "xpledge.h"
+
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
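Review bot: Placing `#include "xpledge.h"` ahead of <sys/ioctl.h> is order-sensitive — its `#define _BSD_SOURCE` must precede the first system header for <unistd.h> to declare pledge(2) under `_XOPEN_SOURCE 700` — but nothing says so, and the usual "system headers first" sort would silently reintroduce the implicit-declaration warning this commit fixes. A comment on the include, `#include "xpledge.h" /* first: defines _BSD_SOURCE before <unistd.h> so pledge(2) is visible */`, documents the constraint. The same include line appears in the squashed patch (mscan.c @@ -2,6 +2,8 @@) and the matching define is in the xpledge.h hunk of this commit.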
@@ -19,7 +21,6 @@
 #include <wchar.h>
 
 #include "blaze822.h"
-#include "xpledge.h"
 #include "u8decode.h"
 
 static int cols;
diff --git a/xpledge.h b/xpledge.h
index 41681df..f0fb9a0 100644
--- a/xpledge.h
+++ b/xpledge.h
@@ -3,6 +3,10 @@
 
 #ifdef __OpenBSD__
 
+#ifndef _BSD_SOURCE
+#define _BSD_SOURCE
+#endif
+
 #include <err.h>
 #include <unistd.h>
 


* Re: pledge(2) all programs
From: timkuijsten @ 2020-08-08 14:18 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 701 bytes --]

New comment by timkuijsten on mblaze repository

https://github.com/leahneukirchen/mblaze/pull/179#issuecomment-670934343

Comment:
Thanks for looking at the PR.

> xpledge should be static. Why is including err.h everywhere required?

Both fixed now.

> Instead of changing _XOPEN_SOURCE, please define _BSD_SOURCE where needed (i.e. in xpledge.h)

I've restored the _XOPEN_SOURCE definition in mscan.h and defined _BSD_SOURCE in xpledge.h. I did have to hoist the xpledge.h include in mscan to make sure pledge(3) is defined. This fixes the issue. (I'm not quite sure why the same warning isn't triggered in mpick.c where _XOPEN_SOURCE is also set and unistd.h is included before xpledge.h)


* Re: pledge(2) all programs
From: leahneukirchen @ 2020-08-12  8:43 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 187 bytes --]

New comment by leahneukirchen on mblaze repository

https://github.com/leahneukirchen/mblaze/pull/179#issuecomment-672739207

Comment:
I would like to merge this. Can you squash it down?


* Re: [PR PATCH] [Updated] pledge(2) all programs
From: timkuijsten @ 2020-08-13 13:55 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 867 bytes --]

There is an updated pull request by timkuijsten against master on the mblaze repository

https://github.com/timkuijsten/mblaze renewpledge
https://github.com/leahneukirchen/mblaze/pull/179

pledge(2) all programs
I have checked all pledge calls and added some to ensure all main() functions are pledged as tight as possible.

The only program remaining with a broad pledge is mshow (full filesystem access plus fork/exec). I think the most important improvement there would be to use unveil(2), but I consider adding support for unveil a separate endeavour.

I've been running this code without problems since December (with the exception of mdate which I just pledged), although I have only just rebased my work on all changes that happened in 2020 on master.

/cc @holsta

A patch file from https://github.com/leahneukirchen/mblaze/pull/179.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-renewpledge-179.patch --]
[-- Type: text/x-diff, Size: 10973 bytes --]

From fdc3d7fa490fd1d6e49b4f5d29cd49ceb74862a5 Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 21 Nov 2019 02:15:41 +0100
Subject: [PATCH] pledge(2) based on the work by by Alex Holst

All programs except mshow have a tight pledge. mshow has a broad
set of promises and might be a good future candidate for unveil(2).

* pledged mpick, mflow and mdate so that now all programs are pledged
* removed some unneeded promises and added some missing promises
* move err.h include and OpenBSD ifdef into xpledge.h that defines
  xpledge()
* cleaned up code aligning and whitespace

The original repository that contained these patches does not exist
anymore. Grabbed commit 0300a112 (dated 2017-12-07) from GH PR #79.
---
 maddr.c    |  3 +++
 magrep.c   |  3 +++
 mdate.c    |  8 +++++++-
 mdeliver.c |  3 +++
 mdirs.c    |  3 +++
 mexport.c  |  3 +++
 mflag.c    |  3 +++
 mflow.c    |  5 +++++
 mgenmid.c  |  3 +++
 mhdr.c     |  3 +++
 minc.c     |  3 +++
 mlist.c    |  3 +++
 mmime.c    |  3 +++
 mpick.c    |  3 +++
 mscan.c    |  7 +++++++
 msed.c     |  3 +++
 mseq.c     |  3 +++
 mshow.c    |  8 ++++++++
 msort.c    |  2 ++
 mthread.c  |  3 +++
 xpledge.h  | 26 ++++++++++++++++++++++++++
 21 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 xpledge.h

diff --git a/maddr.c b/maddr.c
index 339acad..0169458 100644
--- a/maddr.c
+++ b/maddr.c
@@ -7,6 +7,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int aflag;
 static int dflag;
@@ -108,6 +109,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", addr);
 	else
diff --git a/magrep.c b/magrep.c
index 8cb3d1f..6f93a57 100644
--- a/magrep.c
+++ b/magrep.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int aflag;
 static int cflag;
@@ -218,6 +219,8 @@ main(int argc, char *argv[])
 	if (!rx)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	*rx++ = 0;
 	int r = regcomp(&pattern, rx, REG_EXTENDED | iflag);
 	if (r != 0) {
diff --git a/mdate.c b/mdate.c
index fb95d7c..793f65e 100644
--- a/mdate.c
+++ b/mdate.c
@@ -1,11 +1,17 @@
 #include <time.h>
 #include <unistd.h>
 
+#include "xpledge.h"
+
 int
 main()
 {
 	char buf[64];
-	time_t now = time(0);
+	time_t now;
+
+	xpledge("stdio", "");
+
+	now = time(0);
 
 	ssize_t l = strftime(buf, sizeof buf,
 	    "%a, %d %b %Y %T %z\n", localtime(&now));
diff --git a/mdeliver.c b/mdeliver.c
index c599d9d..161cea5 100644
--- a/mdeliver.c
+++ b/mdeliver.c
@@ -13,6 +13,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 /*
 design rationale:
@@ -340,6 +341,8 @@ main(int argc, char *argv[])
 	if (argc != optind+1)
 		goto usage2;
 
+	xpledge("stdio rpath wpath cpath", "");
+
 	targetdir = argv[optind];
 
 	gethost();
diff --git a/mdirs.c b/mdirs.c
index 46b2426..5f49906 100644
--- a/mdirs.c
+++ b/mdirs.c
@@ -9,6 +9,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static char sep = '\n';
 int aflag;
@@ -88,6 +89,8 @@ main(int argc, char *argv[])
 	if (argc == optind)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	char toplevel[PATH_MAX];
 	if (!getcwd(toplevel, sizeof toplevel)) {
 		perror("mdirs: getcwd");
diff --git a/mexport.c b/mexport.c
index 91fa9a6..d758d0c 100644
--- a/mexport.c
+++ b/mexport.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Sflag;
 
@@ -141,6 +142,8 @@ main(int argc, char *argv[])
 
 	status = 0;
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", export);
 	else
diff --git a/mflag.c b/mflag.c
index 7708946..ddf633c 100644
--- a/mflag.c
+++ b/mflag.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int8_t flags[255];
 static int vflag = 0;
@@ -134,6 +135,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath cpath", "");
+
 	curfile = blaze822_seq_cur();
 
 	if (vflag) {
diff --git a/mflow.c b/mflow.c
index 41db508..af6755d 100644
--- a/mflow.c
+++ b/mflow.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 int column = 0;
 int maxcolumn = 80;
@@ -107,6 +108,8 @@ main(int argc, char *argv[])
 	int force = 0;
 	int delsp = 0;
 
+	xpledge("stdio rpath tty", "");
+
 	char *ct = getenv("PIPE_CONTENTTYPE");
 	if (ct) {
 		char *s, *se;
@@ -130,6 +133,8 @@ main(int argc, char *argv[])
 		}
 	}
 
+	xpledge("stdio", "");
+
 	char *maxcols = getenv("MAXCOLUMNS");
 	if (maxcols && isdigit(*maxcols)) {
 		int m = atoi(maxcols);
diff --git a/mgenmid.c b/mgenmid.c
index c7d713c..eb161cf 100644
--- a/mgenmid.c
+++ b/mgenmid.c
@@ -13,6 +13,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 void
 printb36(uint64_t x)
@@ -36,6 +37,8 @@ int main()
 	char *f = blaze822_home_file("profile");
 	struct message *config = blaze822(f);
 
+	xpledge("stdio rpath", "");
+
 	if (config) // try FQDN: first
 		host = blaze822_hdr(config, "fqdn");
 
diff --git a/mhdr.c b/mhdr.c
index 18cbc5e..d434d1d 100644
--- a/mhdr.c
+++ b/mhdr.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static char *hflag;
 static char *pflag;
@@ -245,6 +246,8 @@ main(int argc, char *argv[])
 
 	status = 1;
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(".", header);
 	else
diff --git a/minc.c b/minc.c
index f495da1..c1d28fd 100644
--- a/minc.c
+++ b/minc.c
@@ -12,6 +12,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int qflag;
 static int status;
@@ -76,6 +77,8 @@ main(int argc, char *argv[])
 	if (optind == argc)
 		goto usage;
 
+	xpledge("stdio rpath cpath", "");
+
 	status = 0;
 	for (i = optind; i < argc; i++)
 		inc(argv[i]);
diff --git a/mlist.c b/mlist.c
index 3cb082f..5debf99 100644
--- a/mlist.c
+++ b/mlist.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 /*
 
@@ -272,6 +273,8 @@ main(int argc, char *argv[])
 
 	int i;
 
+	xpledge("stdio rpath", "");
+
 	for (i = 0, flagsum = 0, flagset = 0; (size_t)i < sizeof flags; i++) {
 		if (flags[i] != 0)
 			flagset++;
diff --git a/mmime.c b/mmime.c
index da7f179..e27a6a8 100644
--- a/mmime.c
+++ b/mmime.c
@@ -16,6 +16,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int cflag;
 static int rflag;
@@ -520,6 +521,8 @@ main(int argc, char *argv[])
 	if (argc != optind)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	if (cflag)
 		return check();
 
diff --git a/mpick.c b/mpick.c
index bff0cc3..93bbafb 100644
--- a/mpick.c
+++ b/mpick.c
@@ -43,6 +43,7 @@
 #include <wchar.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
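Review bot: The `_BSD_SOURCE` that xpledge.h defines cannot take effect at this position, because <wchar.h> and the other system headers above it have already been processed, so whether pledge(2) is declared here depends entirely on the feature-test macros mpick.c sets at its top, which are not visible in this hunk. mscan.c handles this by including xpledge.h before any system header (its @@ -2,6 +2,8 @@ hunk); doing the same here, or adding `/* pledge(2) visibility depends on the feature-test macros above, not on xpledge.h */` at the current position, would make the dependency explicit rather than accidental. Every other file in the patch uses the same post-system-header placement; those presumably compile because they do not set `_XOPEN_SOURCE`, which is worth verifying once.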
 
 enum op {
 	EXPR_OR = 1,
@@ -1463,6 +1464,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	void *cb = need_thr ? collect : oneline;
 	if (argc == optind && isatty(0))
 		i = blaze822_loop1(":", cb);
diff --git a/mscan.c b/mscan.c
index 6ae1628..52ba9a4 100644
--- a/mscan.c
+++ b/mscan.c
@@ -2,6 +2,8 @@
 #define _XOPEN_SOURCE 700
 #endif
 
+#include "xpledge.h"
+
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -549,6 +551,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath tty proc exec", NULL);
+
 	if (nflag) {
 		if (argc == optind && isatty(0))
 			blaze822_loop1(":", numline);
@@ -584,6 +588,9 @@ main(int argc, char *argv[])
 	}
 	if (ttyfd >= 0)
 		close(ttyfd);
+
+	xpledge("stdio rpath", "");
+
 	if (getenv("COLUMNS"))
 		cols = atoi(getenv("COLUMNS"));
 	if (cols <= 40)
diff --git a/msed.c b/msed.c
index 4fef8f4..7bb0b82 100644
--- a/msed.c
+++ b/msed.c
@@ -11,6 +11,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static char *expr;
 
@@ -323,6 +324,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	expr = argv[optind];
 	optind++;
 
diff --git a/mseq.c b/mseq.c
index 4bcb89f..f63aaae 100644
--- a/mseq.c
+++ b/mseq.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int fflag;
 static int rflag;
@@ -298,6 +299,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath wpath cpath", "");
+
 	if (cflag)
 		blaze822_loop1(cflag, overridecur);
 
diff --git a/mshow.c b/mshow.c
index 8ecf157..8d70120 100644
--- a/mshow.c
+++ b/mshow.c
@@ -14,6 +14,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Bflag;
 static int rflag;
@@ -797,6 +798,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath wpath cpath proc exec", NULL);
+
 	if (!rflag && !xflag && !Oflag && !Rflag)
 		safe_output = 1;
 
@@ -822,17 +825,22 @@ main(int argc, char *argv[])
 	}
 
 	if (xflag) { // extract
+		xpledge("stdio rpath wpath cpath", NULL);
 		extract(xflag, argc-optind, argv+optind, 0);
 	} else if (Oflag) { // extract to stdout
+		xpledge("stdio rpath", NULL);
 		extract(Oflag, argc-optind, argv+optind, 1);
 	} else if (tflag) { // list
+		xpledge("stdio rpath", NULL);
 		if (argc == optind && isatty(0))
 			blaze822_loop1(".", list);
 		else
 			blaze822_loop(argc-optind, argv+optind, list);
 	} else if (Rflag) { // render for reply
+		xpledge("stdio rpath", NULL);
 		blaze822_loop(argc-optind, argv+optind, reply);
 	} else { // show
+		/* XXX pledge: still r/w on the whole file-system + fork/exec */
 		if (!(qflag || rflag || Fflag)) {
 			char *f = getenv("MAILFILTER");
 			if (!f)
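Review bot: The four per-branch calls (`xflag`, `Oflag`, `tflag`, `Rflag`) pass `NULL` as execpromises even though none of those promise sets contains `exec`, so NULL has no effect there and only reads as "children run unpledged"; the rest of the patch uses `""` for the no-exec case, e.g. `xpledge("stdio rpath", "");`. Using `""` in those four lines keeps the convention and leaves `NULL` only on the initial call and the show branch, where exec is genuinely possible. The existing XXX comment on the show branch already flags the broad promise set; main continues outside the hunk.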
diff --git a/msort.c b/msort.c
index e07ac69..5d2d88d 100644
--- a/msort.c
+++ b/msort.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 struct mail {
 	char *file;
@@ -316,6 +317,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
 
 	mails = calloc(sizeof (struct mail), mailalloc);
 	if (!mails)
diff --git a/mthread.c b/mthread.c
index 8a7172a..9d718fc 100644
--- a/mthread.c
+++ b/mthread.c
@@ -19,6 +19,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int vflag;
 static int pflag;
@@ -419,6 +420,8 @@ main(int argc, char *argv[])
 
 	optional = 1;
 
+	xpledge("stdio rpath", "");
+
 	while ((c = getopt(argc, argv, "S:prv")) != -1)
 		switch (c) {
 		case 'S': blaze822_loop1(optarg, thread); break;
diff --git a/xpledge.h b/xpledge.h
new file mode 100644
index 0000000..f0fb9a0
--- /dev/null
+++ b/xpledge.h
@@ -0,0 +1,26 @@
+#ifndef PLEDGE_H
+#define PLEDGE_H
+
+#ifdef __OpenBSD__
+
+#ifndef _BSD_SOURCE
+#define _BSD_SOURCE
+#endif
+
+#include <err.h>
+#include <unistd.h>
+
+static void
+xpledge(const char *promises, const char *execpromises)
+{
+	if (pledge(promises, execpromises) == -1)
+		err(1, "pledge");
+}
+
+#endif /* __OpenBSD__ */
+
+#elif
+
+#define xpledge(promises, execpromises)) 0
+
+#endif /* PLEDGE_H */
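Review bot: The non-OpenBSD fallback can never be reached: `#endif /* __OpenBSD__ */` closes the platform test before the `#elif`, so the `#elif` (which also lacks an expression and is rejected whenever a compiler evaluates it) attaches to `#ifndef PLEDGE_H` and is skipped on first inclusion, leaving xpledge undefined on every non-OpenBSD build; the macro itself also has an unbalanced `))`. Replace those three lines with `#else`, `#define xpledge(promises, execpromises) ((void)0)` and `#endif /* __OpenBSD__ */`, so that the final `#endif /* PLEDGE_H */` closes the include guard. A `((void)0)` expansion keeps `xpledge(...);` a valid statement and makes the no-op explicit on platforms without pledge(2). A short header comment stating that the call is a no-op off OpenBSD, and that the header must be the first include in any file that sets `_XOPEN_SOURCE` so its `_BSD_SOURCE` define precedes <unistd.h>, would also help the next reader.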


* Re: [PR PATCH] [Updated] pledge(2) all programs
From: timkuijsten @ 2020-08-13 14:03 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 867 bytes --]

There is an updated pull request by timkuijsten against master on the mblaze repository

https://github.com/timkuijsten/mblaze renewpledge
https://github.com/leahneukirchen/mblaze/pull/179

pledge(2) all programs
I have checked all pledge calls and added some to ensure all main() functions are pledged as tight as possible.

The only program remaining with a broad pledge is mshow (full filesystem access plus fork/exec). I think the most important improvement there would be to use unveil(2), but I consider adding support for unveil a separate endeavour.

I've been running this code without problems since December (with the exception of mdate which I just pledged), although I have only just rebased my work on all changes that happened in 2020 on master.

/cc @holsta

A patch file from https://github.com/leahneukirchen/mblaze/pull/179.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-renewpledge-179.patch --]
[-- Type: text/x-diff, Size: 10938 bytes --]

From 59137944e4e8f24c1498429826d6c84bb8e7275e Mon Sep 17 00:00:00 2001
From: Tim Kuijsten <info+git@netsend.nl>
Date: Thu, 21 Nov 2019 02:15:41 +0100
Subject: [PATCH] pledge(2) all programs

All programs except mshow have a very tight set of promises. mshow
has a broad set of promises and might be a good future candidate
to further restrict using unveil(2).

This patch is based on commit 0300a112 by Alex Holst (dated
2017-12-07), which was proposed in GH PR #79.

* pledged mpick, mflow and mdate so that now all programs are pledged
* removed some unneeded promises and added some missing promises
* move err.h include and OpenBSD ifdef into a new xpledge.h
* cleaned up code aligning and whitespace
---
 maddr.c    |  3 +++
 magrep.c   |  3 +++
 mdate.c    |  8 +++++++-
 mdeliver.c |  3 +++
 mdirs.c    |  3 +++
 mexport.c  |  3 +++
 mflag.c    |  3 +++
 mflow.c    |  5 +++++
 mgenmid.c  |  3 +++
 mhdr.c     |  3 +++
 minc.c     |  3 +++
 mlist.c    |  3 +++
 mmime.c    |  3 +++
 mpick.c    |  3 +++
 mscan.c    |  7 +++++++
 msed.c     |  3 +++
 mseq.c     |  3 +++
 mshow.c    |  8 ++++++++
 msort.c    |  2 ++
 mthread.c  |  3 +++
 xpledge.h  | 26 ++++++++++++++++++++++++++
 21 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 xpledge.h

diff --git a/maddr.c b/maddr.c
index 339acad..0169458 100644
--- a/maddr.c
+++ b/maddr.c
@@ -7,6 +7,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int aflag;
 static int dflag;
@@ -108,6 +109,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", addr);
 	else
diff --git a/magrep.c b/magrep.c
index 8cb3d1f..6f93a57 100644
--- a/magrep.c
+++ b/magrep.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int aflag;
 static int cflag;
@@ -218,6 +219,8 @@ main(int argc, char *argv[])
 	if (!rx)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	*rx++ = 0;
 	int r = regcomp(&pattern, rx, REG_EXTENDED | iflag);
 	if (r != 0) {
diff --git a/mdate.c b/mdate.c
index fb95d7c..793f65e 100644
--- a/mdate.c
+++ b/mdate.c
@@ -1,11 +1,17 @@
 #include <time.h>
 #include <unistd.h>
 
+#include "xpledge.h"
+
 int
 main()
 {
 	char buf[64];
-	time_t now = time(0);
+	time_t now;
+
+	xpledge("stdio", "");
+
+	now = time(0);
 
 	ssize_t l = strftime(buf, sizeof buf,
 	    "%a, %d %b %Y %T %z\n", localtime(&now));
diff --git a/mdeliver.c b/mdeliver.c
index c599d9d..161cea5 100644
--- a/mdeliver.c
+++ b/mdeliver.c
@@ -13,6 +13,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 /*
 design rationale:
@@ -340,6 +341,8 @@ main(int argc, char *argv[])
 	if (argc != optind+1)
 		goto usage2;
 
+	xpledge("stdio rpath wpath cpath", "");
+
 	targetdir = argv[optind];
 
 	gethost();
diff --git a/mdirs.c b/mdirs.c
index 46b2426..5f49906 100644
--- a/mdirs.c
+++ b/mdirs.c
@@ -9,6 +9,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static char sep = '\n';
 int aflag;
@@ -88,6 +89,8 @@ main(int argc, char *argv[])
 	if (argc == optind)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	char toplevel[PATH_MAX];
 	if (!getcwd(toplevel, sizeof toplevel)) {
 		perror("mdirs: getcwd");
diff --git a/mexport.c b/mexport.c
index 91fa9a6..d758d0c 100644
--- a/mexport.c
+++ b/mexport.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Sflag;
 
@@ -141,6 +142,8 @@ main(int argc, char *argv[])
 
 	status = 0;
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", export);
 	else
diff --git a/mflag.c b/mflag.c
index 7708946..ddf633c 100644
--- a/mflag.c
+++ b/mflag.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int8_t flags[255];
 static int vflag = 0;
@@ -134,6 +135,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath cpath", "");
+
 	curfile = blaze822_seq_cur();
 
 	if (vflag) {
diff --git a/mflow.c b/mflow.c
index 41db508..af6755d 100644
--- a/mflow.c
+++ b/mflow.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 int column = 0;
 int maxcolumn = 80;
@@ -107,6 +108,8 @@ main(int argc, char *argv[])
 	int force = 0;
 	int delsp = 0;
 
+	xpledge("stdio rpath tty", "");
+
 	char *ct = getenv("PIPE_CONTENTTYPE");
 	if (ct) {
 		char *s, *se;
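Review bot: The first pledge, `xpledge("stdio rpath tty", "")`, grants `rpath` and `tty` although the only work visible before the narrower `xpledge("stdio", "")` in the next hunk is reading `PIPE_CONTENTTYPE` from the environment; if the code the hunks omit between the two calls neither opens a file nor queries the terminal, the first call could already be `stdio` and the second dropped. If something there does need those promises, a short comment on the first call naming it, e.g. `/* rpath/tty needed by TODO(review): name it below; narrowed to stdio afterwards */`, would make the two-stage pledge self-explaining. main() starts before this hunk.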
@@ -130,6 +133,8 @@ main(int argc, char *argv[])
 		}
 	}
 
+	xpledge("stdio", "");
+
 	char *maxcols = getenv("MAXCOLUMNS");
 	if (maxcols && isdigit(*maxcols)) {
 		int m = atoi(maxcols);
diff --git a/mgenmid.c b/mgenmid.c
index c7d713c..eb161cf 100644
--- a/mgenmid.c
+++ b/mgenmid.c
@@ -13,6 +13,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 void
 printb36(uint64_t x)
@@ -36,6 +37,8 @@ int main()
 	char *f = blaze822_home_file("profile");
 	struct message *config = blaze822(f);
 
+	xpledge("stdio rpath", "");
+
 	if (config) // try FQDN: first
 		host = blaze822_hdr(config, "fqdn");
 
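Review bot: The new `xpledge("stdio rpath", "")` comes after `blaze822_home_file("profile")` and `blaze822(f)` have already located, opened and parsed the profile, so those reads run unsandboxed; since the promise set keeps `rpath`, the call can move above those two lines with no functional change. Presumably nothing earlier in main() needs more than `stdio rpath` either, but main() starts before this hunk, so that should be checked against the lines the hunk omits.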
diff --git a/mhdr.c b/mhdr.c
index 18cbc5e..d434d1d 100644
--- a/mhdr.c
+++ b/mhdr.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static char *hflag;
 static char *pflag;
@@ -245,6 +246,8 @@ main(int argc, char *argv[])
 
 	status = 1;
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(".", header);
 	else
diff --git a/minc.c b/minc.c
index f495da1..c1d28fd 100644
--- a/minc.c
+++ b/minc.c
@@ -12,6 +12,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int qflag;
 static int status;
@@ -76,6 +77,8 @@ main(int argc, char *argv[])
 	if (optind == argc)
 		goto usage;
 
+	xpledge("stdio rpath cpath", "");
+
 	status = 0;
 	for (i = optind; i < argc; i++)
 		inc(argv[i]);
diff --git a/mlist.c b/mlist.c
index 3cb082f..5debf99 100644
--- a/mlist.c
+++ b/mlist.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 /*
 
@@ -272,6 +273,8 @@ main(int argc, char *argv[])
 
 	int i;
 
+	xpledge("stdio rpath", "");
+
 	for (i = 0, flagsum = 0, flagset = 0; (size_t)i < sizeof flags; i++) {
 		if (flags[i] != 0)
 			flagset++;
diff --git a/mmime.c b/mmime.c
index da7f179..e27a6a8 100644
--- a/mmime.c
+++ b/mmime.c
@@ -16,6 +16,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int cflag;
 static int rflag;
@@ -520,6 +521,8 @@ main(int argc, char *argv[])
 	if (argc != optind)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	if (cflag)
 		return check();
 
diff --git a/mpick.c b/mpick.c
index bff0cc3..93bbafb 100644
--- a/mpick.c
+++ b/mpick.c
@@ -43,6 +43,7 @@
 #include <wchar.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 enum op {
 	EXPR_OR = 1,
@@ -1463,6 +1464,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	void *cb = need_thr ? collect : oneline;
 	if (argc == optind && isatty(0))
 		i = blaze822_loop1(":", cb);
diff --git a/mscan.c b/mscan.c
index 6ae1628..52ba9a4 100644
--- a/mscan.c
+++ b/mscan.c
@@ -2,6 +2,8 @@
 #define _XOPEN_SOURCE 700
 #endif
 
+#include "xpledge.h"
+
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
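Review bot: This is the only file that includes `"xpledge.h"` ahead of the system headers, and the reason is implicit: `_XOPEN_SOURCE 700` is defined just above, and the header's `_BSD_SOURCE` must be seen before `<unistd.h>` for pledge(2) to be declared. A one-line comment on the new include would keep someone from "fixing" the order, e.g. `/* before <unistd.h>: defines _BSD_SOURCE so pledge(2) stays visible under _XOPEN_SOURCE */`.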
@@ -549,6 +551,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath tty proc exec", NULL);
+
 	if (nflag) {
 		if (argc == optind && isatty(0))
 			blaze822_loop1(":", numline);
@@ -584,6 +588,9 @@ main(int argc, char *argv[])
 	}
 	if (ttyfd >= 0)
 		close(ttyfd);
+
+	xpledge("stdio rpath", "");
+
 	if (getenv("COLUMNS"))
 		cols = atoi(getenv("COLUMNS"));
 	if (cols <= 40)
diff --git a/msed.c b/msed.c
index 4fef8f4..7bb0b82 100644
--- a/msed.c
+++ b/msed.c
@@ -11,6 +11,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static char *expr;
 
@@ -323,6 +324,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	expr = argv[optind];
 	optind++;
 
diff --git a/mseq.c b/mseq.c
index 4bcb89f..f63aaae 100644
--- a/mseq.c
+++ b/mseq.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int fflag;
 static int rflag;
@@ -298,6 +299,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath wpath cpath", "");
+
 	if (cflag)
 		blaze822_loop1(cflag, overridecur);
 
diff --git a/mshow.c b/mshow.c
index 8ecf157..8d70120 100644
--- a/mshow.c
+++ b/mshow.c
@@ -14,6 +14,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Bflag;
 static int rflag;
@@ -797,6 +798,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath wpath cpath proc exec", NULL);
+
 	if (!rflag && !xflag && !Oflag && !Rflag)
 		safe_output = 1;
 
@@ -822,17 +825,22 @@ main(int argc, char *argv[])
 	}
 
 	if (xflag) { // extract
+		xpledge("stdio rpath wpath cpath", NULL);
 		extract(xflag, argc-optind, argv+optind, 0);
 	} else if (Oflag) { // extract to stdout
+		xpledge("stdio rpath", NULL);
 		extract(Oflag, argc-optind, argv+optind, 1);
 	} else if (tflag) { // list
+		xpledge("stdio rpath", NULL);
 		if (argc == optind && isatty(0))
 			blaze822_loop1(".", list);
 		else
 			blaze822_loop(argc-optind, argv+optind, list);
 	} else if (Rflag) { // render for reply
+		xpledge("stdio rpath", NULL);
 		blaze822_loop(argc-optind, argv+optind, reply);
 	} else { // show
+		/* XXX pledge: still r/w on the whole file-system + fork/exec */
 		if (!(qflag || rflag || Fflag)) {
 			char *f = getenv("MAILFILTER");
 			if (!f)
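Review bot: The narrowed pledges in the `xflag`, `Oflag`, `tflag` and `Rflag` branches pass `NULL` as execpromises, while the equivalent narrowing in mscan.c (`xpledge("stdio rpath", "")` after the tty handling) passes `""`; once `proc exec` are no longer promised the second argument has no effect, so the two files should settle on one convention. Changing these four calls to `""` would match mscan.c and the rest of the patch, where `""` is the default. main() continues after this hunk.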
diff --git a/msort.c b/msort.c
index e07ac69..5d2d88d 100644
--- a/msort.c
+++ b/msort.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 struct mail {
 	char *file;
@@ -316,6 +317,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
 
 	mails = calloc(sizeof (struct mail), mailalloc);
 	if (!mails)
diff --git a/mthread.c b/mthread.c
index 8a7172a..9d718fc 100644
--- a/mthread.c
+++ b/mthread.c
@@ -19,6 +19,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int vflag;
 static int pflag;
@@ -419,6 +420,8 @@ main(int argc, char *argv[])
 
 	optional = 1;
 
+	xpledge("stdio rpath", "");
+
 	while ((c = getopt(argc, argv, "S:prv")) != -1)
 		switch (c) {
 		case 'S': blaze822_loop1(optarg, thread); break;
diff --git a/xpledge.h b/xpledge.h
new file mode 100644
index 0000000..f0fb9a0
--- /dev/null
+++ b/xpledge.h
@@ -0,0 +1,26 @@
+#ifndef PLEDGE_H
+#define PLEDGE_H
+
+#ifdef __OpenBSD__
+
+#ifndef _BSD_SOURCE
+#define _BSD_SOURCE
+#endif
+
+#include <err.h>
+#include <unistd.h>
+
+static void
+xpledge(const char *promises, const char *execpromises)
+{
+	if (pledge(promises, execpromises) == -1)
+		err(1, "pledge");
+}
+
+#endif /* __OpenBSD__ */
+
+#elif
+
+#define xpledge(promises, execpromises)) 0
+
+#endif /* PLEDGE_H */


* Re: [PR PATCH] [Closed]: pledge(2) all programs
       [not found] <gh-mailinglist-notifications-fa6558a0-26e0-48f6-803f-f5a8af34f6a8-mblaze-179@inbox.vuxu.org>
                   ` (5 preceding siblings ...)
  2020-08-13 14:03 ` timkuijsten
@ 2020-09-06 14:35 ` leahneukirchen
  2020-09-06 14:35 ` leahneukirchen
  2020-09-10 17:46 ` timkuijsten
  8 siblings, 0 replies; 9+ messages in thread
From: leahneukirchen @ 2020-09-06 14:35 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 711 bytes --]

There's a closed pull request on the mblaze repository

pledge(2) all programs
https://github.com/leahneukirchen/mblaze/pull/179

Description:
I have checked all pledge calls and added some to ensure all main() functions are pledged as tight as possible.

The only program remaining with a broad pledge is mshow (full filesystem access plus fork/exec). I think the most important improvement there would be to use unveil(2), but I consider adding support for unveil a separate endeavour.

I've been running this code without problems since December (with the exception of mdate which I just pledged), although I have only just rebased my work on all changes that happened in 2020 on master.

/cc @holsta


* Re: pledge(2) all programs
       [not found] <gh-mailinglist-notifications-fa6558a0-26e0-48f6-803f-f5a8af34f6a8-mblaze-179@inbox.vuxu.org>
                   ` (6 preceding siblings ...)
  2020-09-06 14:35 ` [PR PATCH] [Closed]: " leahneukirchen
@ 2020-09-06 14:35 ` leahneukirchen
  2020-09-10 17:46 ` timkuijsten
  8 siblings, 0 replies; 9+ messages in thread
From: leahneukirchen @ 2020-09-06 14:35 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 160 bytes --]

New comment by leahneukirchen on mblaze repository

https://github.com/leahneukirchen/mblaze/pull/179#issuecomment-687806265

Comment:
Merged with small fixes.


* Re: pledge(2) all programs
       [not found] <gh-mailinglist-notifications-fa6558a0-26e0-48f6-803f-f5a8af34f6a8-mblaze-179@inbox.vuxu.org>
                   ` (7 preceding siblings ...)
  2020-09-06 14:35 ` leahneukirchen
@ 2020-09-10 17:46 ` timkuijsten
  8 siblings, 0 replies; 9+ messages in thread
From: timkuijsten @ 2020-09-10 17:46 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 150 bytes --]

New comment by timkuijsten on mblaze repository

https://github.com/leahneukirchen/mblaze/pull/179#issuecomment-690568866

Comment:
super! thanks! :)

