commit 677d90f7f8a60dc43b6d7be837c5b25b1cde1dbc
from: Omar Polo
date: Fri Mar 12 22:15:01 2021 UTC
implement sandboxing for the network process on OpenBSD
commit - 91435a31bbcceda44b16ee11e15a45bd5d972f7d
commit + 677d90f7f8a60dc43b6d7be837c5b25b1cde1dbc
blob - /dev/null
blob + a201c4c33a10a265dbca1a2451c44b8cd807e96a (mode 644)
--- /dev/null
+++ sandbox.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2021 Omar Polo
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "compat.h"
+
+
+#ifdef __OpenBSD__
+
+# include
+void
+sandbox_network_process(void)
+{
+ if (pledge("stdio inet dns", NULL) == -1)
+ err(1, "pledge");
+}
+
+#endif
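Review bot: sandbox_network_process() is defined only inside `#ifdef __OpenBSD__` and the file has no `#else` branch, so on every other platform the symbol does not exist. Callers are not visible in this hunk; unless each call site carries its own guard the build will fail to link there, and if they are guarded the network process runs unsandboxed with no sign of it. An `#else` stub with a build-time notice keeps the call unconditional and makes the gap visible. A short comment above the pledge() call would also help, stating that the promise set has no filesystem promises, so any file the process needs must be opened before this function runs.

```c
// … unchanged: OpenBSD implementation using pledge() …

#else

#warning "no sandbox for this OS"

void
sandbox_network_process(void)
{
	/* No sandbox available here: the network process keeps full privileges. */
}

#endif
```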