commit 16e4df9de6d20690d5c15ff2fa3066afca1143d9
from: Omar Polo <op@omarpolo.com>
date: Sun Jan 22 15:20:08 2023 UTC

gotsh: move apply_unveil right after the first pledge

and while here drop the second pledge() call since unveil is already
locked by apply_unveil.

ok stsp

commit - 8edf8796238623ad54b0a73abf83cf2c94a1fb83
commit + 16e4df9de6d20690d5c15ff2fa3066afca1143d9
blob - b35ab29a7bf7de38825cb9a4cb6b51c291725f48
blob + 43dacf20c7b2d23ff032cdb48ebbd511772503bf
--- gotsh/gotsh.c
+++ gotsh/gotsh.c
@@ -72,6 +72,15 @@ main(int argc, char *argv[])
 	if (pledge("stdio recvfd unix unveil", NULL) == -1)
 		err(1, "pledge");
 #endif
+
+	unix_socket_path = getenv("GOTD_UNIX_SOCKET");
+	if (unix_socket_path == NULL)
+		unix_socket_path = GOTD_UNIX_SOCKET;
+
+	error = apply_unveil(unix_socket_path);
+	if (error)
+		goto done;
+
 	if (strcmp(argv[0], GOT_SERVE_CMD_SEND) == 0 ||
 	    strcmp(argv[0], GOT_SERVE_CMD_FETCH) == 0) {
 		if (argc != 2)
@@ -89,18 +98,6 @@ main(int argc, char *argv[])
 	if (error)
 		goto done;
 
-	unix_socket_path = getenv("GOTD_UNIX_SOCKET");
-	if (unix_socket_path == NULL)
-		unix_socket_path = GOTD_UNIX_SOCKET;
-
-	error = apply_unveil(unix_socket_path);
-	if (error)
-		goto done;
-
-#ifndef PROFILE
-	if (pledge("stdio recvfd unix", NULL) == -1)
-		err(1, "pledge");
-#endif
 	if ((gotd_sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
 		err(1, "socket");