Commit Diff


commit - 9220560796736289a894b8ec9fd5af7ebfb44f1d
commit + cb44a3e566b46742f66f98811c2b3cb9d62eca2a
blob - 6c1082421008e7de4dd03922e5e9a60b84244a59
blob + a2e8fe577030dd581e858b6ae6dfd20d197a17c3
--- regress/repository/repository_test.c
+++ regress/repository/repository_test.c
@@ -32,6 +32,7 @@
 #include "got_repository.h"
 #include "got_diff.h"
 #include "got_opentemp.h"
+#include "got_privsep.h"
 
 #include "got_lib_path.h"
 
@@ -409,6 +410,39 @@ void
 usage(void)
 {
 	fprintf(stderr, "usage: repository_test [-v] [REPO_PATH]\n");
+}
+
+static const struct got_error *
+apply_unveil(const char *repo_path)
+{
+	const struct got_error *error;
+	char *normpath = NULL;
+
+	if (repo_path) {
+		normpath = got_path_normalize(repo_path);
+		if (normpath == NULL)
+			return got_error_from_errno();
+		if (unveil(normpath, "r") != 0) {
+			free(normpath);
+			return got_error_from_errno();
+		}
+		free(normpath);
+	}
+
+	if (unveil("/tmp", "rwc") != 0)
+		return got_error_from_errno();
+
+	if (unveil("/dev/null", "rwc") != 0)
+		return got_error_from_errno();
+
+	error = got_privsep_unveil_exec_helpers();
+	if (error != NULL)
+		return error;
+
+	if (unveil(NULL, NULL) != 0)
+		return got_error_from_errno();
+
+	return NULL;
 }
 
 int
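Review bot: In apply_unveil, `unveil("/dev/null", "rwc")` also grants create/remove on the device node, which looks wider than a regression test should need. `unveil("/dev/null", "rw")` would be the tighter grant, unless some code path opens it with O_CREAT (for example fopen in write mode), in which case a one-line comment saying so would help. The function also deserves a short header comment stating the resulting filesystem view: repo_path read-only, /tmp read/write/create, /dev/null, the privsep helper executables, then locked by `unveil(NULL, NULL)`. When repo_path is NULL the repository unveil is skipped silently; whether main can pass NULL is not visible in this hunk.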
@@ -417,9 +451,11 @@ main(int argc, char *argv[])
 	int test_ok = 0, failure = 0;
 	const char *repo_path;
 	int ch;
+	const struct got_error *error;
 
 #ifndef PROFILE
-	if (pledge("stdio rpath wpath cpath proc exec sendfd", NULL) == -1)
+	if (pledge("stdio rpath wpath cpath proc exec sendfd unveil", NULL)
+	    == -1)
 		err(1, "pledge");
 #endif
 
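Review bot: The `unveil` promise is added inside the existing `#ifndef PROFILE` guard, but the apply_unveil() call added in the later main hunk is unconditional, so a PROFILE build is restricted by unveil without the matching pledge. If the guard exists so that profiled builds can write their output file on exit (an assumption, the reason is not shown here), that write will probably be denied once the view is locked. Either wrap the call in the same `#ifndef PROFILE` guard or unveil the profiler's output path inside apply_unveil under `#ifdef PROFILE`. main's body starts and ends outside this hunk.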
@@ -445,6 +481,12 @@ main(int argc, char *argv[])
 		return 1;
 	}
 
+	error = apply_unveil(repo_path);
+	if (error) {
+		fprintf(stderr, "unveil: %s", error->msg);
+		return 1;
+	}
+
 	RUN_TEST(repo_read_tree(repo_path), "read_tree");
 	RUN_TEST(repo_read_log(repo_path), "read_log");
 	RUN_TEST(repo_read_blob(repo_path), "read_blob");
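Review bot: The new error path prints `fprintf(stderr, "unveil: %s", error->msg);` without a trailing newline, so the message runs into whatever the shell or test harness prints next. It should be `fprintf(stderr, "unveil: %s\n", error->msg);`, matching the usage message, which does end in `\n`. The check itself is correctly placed before the first RUN_TEST, so no repository access happens with an unrestricted filesystem view.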