From 3cb1725225567211c85226498bbc038cfe78d4fe Mon Sep 17 00:00:00 2001
From: Andrew Alderwick
Date: Fri, 13 Jan 2023 13:25:14 +0100
Subject: Added OpenBSD's unveil() and pledge() support.
---
 data.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
(limited to 'data.c')
diff --git a/data.c b/data.c
index 18efd92..5e6ce63 100644
--- a/data.c
+++ b/data.c
@@ -86,15 +86,19 @@ int srv_open(char *basedir, int auto_upgrade)
 if (error != NULL) srv_log(error);
-/* disabled temporarily; messages can't be sent (libcurl issue?) */
-#if 0
 #ifdef __OpenBSD__
 srv_debug(2, xs_fmt("Calling unveil()"));
- unveil(basedir, "rwc");
- unveil("/usr/sbin", "x");
- unveil(NULL, NULL);
+ unveil(basedir, "rwc");
+ unveil("/usr/sbin/sendmail", "x");
+ unveil("/etc/resolv.conf", "r");
+ unveil("/etc/hosts", "r");
+ unveil("/etc/ssl/openssl.cnf", "r");
+ unveil("/etc/ssl/cert.pem", "r");
+ unveil("/usr/share/zoneinfo", "r");
+ unveil(NULL, NULL);
+ srv_debug(2, xs_fmt("Calling pledge()"));
+ pledge("stdio rpath wpath cpath flock inet proc exec dns", NULL);
 #endif /* __OpenBSD__ */
-#endif
 return ret; }
--
cgit v1.2.3
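Review bot: None of the `unveil()` calls or the final `pledge()` in the `#ifdef __OpenBSD__` block has its return value checked, so if one fails the server keeps running with a partial or missing sandbox while the debug log still reports "Calling unveil()" / "Calling pledge()". Each call should be guarded, e.g. `if (unveil(basedir, "rwc") == -1)` and `if (pledge("stdio rpath wpath cpath flock inet proc exec dns", NULL) == -1)`, with the failure logged through `srv_log()` and the open treated as failed. The correct failure value for `ret` depends on the part of `srv_open` that starts above this hunk and is not visible here. A short comment recording why each path and promise is needed (presumably `proc exec` and `/usr/sbin/sendmail` for mail delivery, `dns inet` and the `/etc/ssl` files for outbound TLS) would make it easier to tighten the list later.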