commit 8e56d6adc423e81f47259a50ac5b11a1dd3c9877
from: Omar Polo <op@omarpolo.com>
date: Thu Feb 11 09:07:28 2021 UTC

use fatal instead of err/fprintf+exit

fatal logs to the correct place, err only on stderr.

commit - 2a911637be035476640c5c65e45ff26cb6bf169a
commit + 8e56d6adc423e81f47259a50ac5b11a1dd3c9877
blob - 1d01f66507558f28ace2f3877654457371921ef1
blob + 69ed05386571248590401f64ac197b3e9614e381
--- sandbox.c
+++ sandbox.c
@@ -24,7 +24,7 @@ void
 sandbox()
 {
 	if (cap_enter() == -1)
-		err(1, "cap_enter");
+		fatal("cap_enter");
 }
 
 #elif defined(__linux__)
@@ -113,16 +113,13 @@ sandbox_seccomp_catch_sigsys(void)
 
 	act.sa_sigaction = &sandbox_seccomp_violation;
 	act.sa_flags = SA_SIGINFO;
-	if (sigaction(SIGSYS, &act, NULL) == -1) {
-		fprintf(stderr, "%s: sigaction(SIGSYS): %s\n",
+	if (sigaction(SIGSYS, &act, NULL) == -1)
+		fatal("%s: sigaction(SIGSYS): %s",
 		    __func__, strerror(errno));
-		exit(1);
-	}
-	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1) {
-		fprintf(stderr, "%s: sigprocmask(SIGSYS): %s\n",
+
+	if (sigprocmask(SIG_UNBLOCK, &mask, NULL) == -1)
+		fatal("%s: sigprocmask(SIGSYS): %s\n",
 		    __func__, strerror(errno));
-		exit(1);
-	}
 }
 #endif	/* SC_DEBUG */
 
@@ -235,17 +232,13 @@ sandbox()
 	sandbox_seccomp_catch_sigsys();
 #endif
 
-	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
-		fprintf(stderr, "%s: prctl(PR_SET_NO_NEW_PRIVS): %s\n",
+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+		fatal("%s: prctl(PR_SET_NO_NEW_PRIVS): %s",
 		    __func__, strerror(errno));
-		exit(1);
-	}
 
-	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
-		fprintf(stderr, "%s: prctl(PR_SET_SECCOMP): %s\n",
+	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1)
+		fatal("%s: prctl(PR_SET_SECCOMP): %s\n",
 		    __func__, strerror(errno));
-		exit(1);
-	}
 }
 
 #elif defined(__OpenBSD__)
@@ -259,11 +252,11 @@ sandbox()
 
 	for (h = hosts; h->domain != NULL; ++h) {
 		if (unveil(h->dir, "r") == -1)
-			err(1, "unveil %s for domain %s", h->dir, h->domain);
+			fatal("unveil %s for domain %s", h->dir, h->domain);
 	}
 
 	if (pledge("stdio recvfd rpath inet", NULL) == -1)
-		err(1, "pledge");
+		fatal("pledge");
 }
 
 #else