commit b24c6fcc1c81fa2a6b71048a9d2fc532402448b7 from: Omar Polo date: Sun Nov 27 10:04:39 2022 UTC adjust pledge/unveil on OpenBSD to connect to unix-domain sockets the `unix' pledge is needed and also unveil "w". gmid can't mutate files because it doesn't pledge `wpath' nor `cpath'. commit - 6130e0eeac9db4fa8e6fe5934ec2d0ab202f979e commit + b24c6fcc1c81fa2a6b71048a9d2fc532402448b7 blob - f1ca7cba7bea4b3ed467a5dc0caa805e49552584 blob + 076ce3c15da0705398ce67bf34e33c83488e712a --- sandbox.c +++ sandbox.c @@ -611,14 +611,14 @@ sandbox_server_process(int can_open_sockets) if (*l->dir == '\0') continue; - if (unveil(l->dir, "r") == -1) + if (unveil(l->dir, "rw") == -1) fatal("unveil %s for domain %s", l->dir, h->domain); } } - if (pledge("stdio recvfd rpath inet dns", NULL) == -1) + if (pledge("stdio recvfd rpath unix inet dns", NULL) == -1) fatal("pledge"); }
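Review bot: The widened `unveil(l->dir, "rw")` is only harmless as long as the `pledge` promise string further down keeps omitting `wpath` and `cpath`, and that dependency is stated only in the commit message, not in the code. A comment above the unveil call, e.g. `/* "w" is required to connect(2) to unix sockets; files stay read-only because pledge lacks wpath/cpath */`, would stop a later pledge change from silently making every location directory writable. Write visibility is also granted to every non-empty `l->dir` rather than only to the socket paths the server connects to, which may be broader than needed if those paths are known from the configuration. The body of sandbox_server_process starts outside the hunk, so whether `can_open_sockets` gates the new `unix` promise cannot be checked from here.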