commit - 072028198fd35dfd25c9920dc6b65202ab5fabc7
commit + 79e60db648de07c38759b79dd9acefb3b82e04f2
blob - 75e6580d452ef8fa8398cf9227e51a4b4a8062f0
blob + 3dc5a446de1bee5dea0983da1f90831666467577
--- gotwebd/gotwebd.c
+++ gotwebd/gotwebd.c
err(1, "gmon.out");
#endif
- if (unveil(env->httpd_chroot, "rwc") == -1)
- err(1, "unveil");
-
- if (unveil(GOT_TMPDIR_STR, "rw") == -1)
+ if (unveil(env->httpd_chroot, "r") == -1)
err(1, "unveil");
if (unveil(GOTWEBD_CONF, "r") == -1)
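Review bot: Dropping the main process's chroot unveil from "rwc" to "r" and removing the GOT_TMPDIR_STR unveil is a real tightening, but the hunk does not show what main still does under env->httpd_chroot after this point; if unix socket files are created or unlinked there from this process after the final unveil(NULL, NULL), bind(2)/unlink(2) will now fail with EACCES, so that ordering should be confirmed against the socket-creation code. The intent is not recorded anywhere in the code; a comment above the call such as `/* main only reads config below the chroot; repository and helper access is unveiled in the sockets process */` would stop a later maintainer from restoring "rwc" without asking why. The enclosing function (main) starts and ends outside this hunk.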
blob - 542f9d911ce6be7a94b6c10c2b004417ebaeaeea
blob + 8e96717ed35cc9e91a8fc0c9be56d23fee4d05a8
--- gotwebd/sockets.c
+++ gotwebd/sockets.c
#include "got_opentemp.h"
#include "got_reference.h"
#include "got_repository.h"
+#include "got_privsep.h"
#include "proc.h"
#include "gotwebd.h"
signal_add(&ps->ps_evsigchld, NULL);
#ifndef PROFILE
- if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd",
- NULL) == -1)
+ if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd "
+ "unveil", NULL) == -1)
fatal("pledge");
#endif
}
sockets_launch(void)
{
struct socket *sock;
+ struct server *srv;
+ const struct got_error *error;
TAILQ_FOREACH(sock, &gotwebd_env->sockets, entry) {
log_debug("%s: configuring socket %d (%d)", __func__,
log_debug("%s: running socket listener %d", __func__,
sock->conf.id);
}
+
+ TAILQ_FOREACH(srv, &gotwebd_env->servers, entry) {
+ if (unveil(srv->repos_path, "r") == -1)
+ fatal("unveil %s", srv->repos_path);
+ }
+
+ error = got_privsep_unveil_exec_helpers();
+ if (error)
+ fatal("%s", error->msg);
+
+ if (unveil(NULL, NULL) == -1)
+ fatal("unveil");
}
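Review bot: Once unveil(NULL, NULL) has been called at the end of sockets_launch, the "unveil" pledge promise added to this process earlier in the file serves no purpose for the rest of its lifetime; re-pledging right after the lock, `if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd", NULL) == -1) fatal("pledge");` (inside the same `#ifndef PROFILE` guard the original pledge uses), drops it again. The unveil list here covers each srv->repos_path read-only plus whatever got_privsep_unveil_exec_helpers() adds, but nothing for GOT_TMPDIR_STR, even though this file includes got_opentemp.h and the main process's temp-dir unveil is removed in the same commit; if any got_opentemp() call remains on the request path it will fail after the lock, which is worth verifying before merging. The repos_path loop also unveils "r" only, which presumes nothing in the request handlers ever writes into a repository (pack index caches, for example) — correct for a read-only web frontend, but it would be useful to say so in a one-line comment above the loop.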
static void