Commit Diff


commit - 63c080840a7567f67effa9703d7c94b488d22fc1
commit + b6e3f14ebd0601b1604dcb29fba07b6446a140b7
blob - 13f6a87526a8ddefa78fa907d9235b0a35f7deec
blob + 43ce4d21dd5d4cc2c9c63251336f7b6d72fc69a2
--- src/sandbox.rs
+++ src/sandbox.rs
@@ -9,12 +9,44 @@ unsafe extern "C" {
 }
 
 /// Valid pledge promises on OpenBSD.
+/// See `pledgereq[]` in `/usr/src/sys/kern/kern_pledge.c`.
 const VALID_PROMISES: &[&str] = &[
-    "audio", "bpf", "chown", "cpath", "disklabel", "dns", "dpath",
-    "error", "exec", "fattr", "flock", "getpw", "id", "inet", "mcast",
-    "pf", "proc", "ps", "recvfd", "route", "rpath", "sendfd", "settime",
-    "stdio", "tape", "tmppath", "tty", "unix", "unveil", "video",
-    "vminfo", "vmm", "wpath", "wroute",
+    "audio",
+    "bpf",
+    "chown",
+    "cpath",
+    "disklabel",
+    "dns",
+    "dpath",
+    "drm",
+    "error",
+    "exec",
+    "fattr",
+    "flock",
+    "getpw",
+    "id",
+    "inet",
+    "mcast",
+    "pf",
+    "proc",
+    "prot_exec",
+    "ps",
+    "recvfd",
+    "route",
+    "rpath",
+    "sendfd",
+    "settime",
+    "stdio",
+    "tape",
+    "tmppath",
+    "tty",
+    "unix",
+    "unveil",
+    "video",
+    "vminfo",
+    "vmm",
+    "wpath",
+    "wroute",
 ];
 
 /// Valid unveil permission characters.
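Review bot: The promise list is now one entry per line in alphabetical order, with `drm` and `prot_exec` added, but nothing enforces that order or that the set still matches the kernel table the new comment points to, so a misplaced or stale entry would only surface when pledge(2) rejects the string at runtime. A small test such as `assert!(VALID_PROMISES.windows(2).all(|w| w[0] < w[1]));` keeps the ordering honest and would let the lookup (presumably a `contains` scan in `do_pledge`, which lies outside this hunk) become a `binary_search`. It is also worth saying in the doc comment that this is only a local spelling check, e.g. `/// Local typo check only; the kernel's pledge(2) remains the authority on accepted promises.`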
@@ -44,14 +76,18 @@ pub fn do_pledge(promises: &str) {
 /// Add a path to the unveil whitelist with the given permissions.
 /// Permissions: "r" read, "w" write, "c" create, "x" execute.
 pub fn do_unveil(path: &Path, perms: &str) {
-    if perms.is_empty() || !perms.as_bytes().iter().all(|b| VALID_PERMS.contains(b)) {
+    if perms.is_empty()
+        || !perms.as_bytes().iter().all(|b| VALID_PERMS.contains(b))
+    {
         log::error!("unveil: invalid permissions");
         std::process::exit(1);
     }
-    let p = CString::new(path.as_os_str().as_encoded_bytes()).unwrap_or_else(|_| {
-        log::error!("unveil: path contains NUL byte");
-        std::process::exit(1);
-    });
+    let p = CString::new(path.as_os_str().as_encoded_bytes()).unwrap_or_else(
+        |_| {
+            log::error!("unveil: path contains NUL byte");
+            std::process::exit(1);
+        },
+    );
     let f = CString::new(perms).unwrap_or_else(|_| {
         log::error!("unveil: permissions contain NUL byte");
         std::process::exit(1);