commit cb44a3e566b46742f66f98811c2b3cb9d62eca2a
from: Stefan Sperling
date: Fri Jan 04 16:57:16 2019 UTC
apply unveil(2) to repository tests
commit - 9220560796736289a894b8ec9fd5af7ebfb44f1d
commit + cb44a3e566b46742f66f98811c2b3cb9d62eca2a
blob - 6c1082421008e7de4dd03922e5e9a60b84244a59
blob + a2e8fe577030dd581e858b6ae6dfd20d197a17c3
--- regress/repository/repository_test.c
+++ regress/repository/repository_test.c
@@ -32,6 +32,7 @@
 #include "got_repository.h"
 #include "got_diff.h"
 #include "got_opentemp.h"
+#include "got_privsep.h"
 #include "got_lib_path.h"
@@ -409,6 +410,39 @@ void
 usage(void)
 {
 fprintf(stderr, "usage: repository_test [-v] [REPO_PATH]\n");
+}
+
+static const struct got_error *
+apply_unveil(const char *repo_path)
+{
+ const struct got_error *error;
+ char *normpath = NULL;
+
+ if (repo_path) {
+ normpath = got_path_normalize(repo_path);
+ if (normpath == NULL)
+ return got_error_from_errno();
+ if (unveil(normpath, "r") != 0) {
+ free(normpath);
+ return got_error_from_errno();
+ }
+ free(normpath);
+ }
+
+ if (unveil("/tmp", "rwc") != 0)
+ return got_error_from_errno();
+
+ if (unveil("/dev/null", "rwc") != 0)
+ return got_error_from_errno();
+
+ error = got_privsep_unveil_exec_helpers();
+ if (error != NULL)
+ return error;
+
+ if (unveil(NULL, NULL) != 0)
+ return got_error_from_errno();
+
+ return NULL;
 }
 int
@@ -417,9 +451,11 @@ main(int argc, char *argv[])
 int test_ok = 0, failure = 0;
 const char *repo_path;
 int ch;
+ const struct got_error *error;
 #ifndef PROFILE
- if (pledge("stdio rpath wpath cpath proc exec sendfd", NULL) == -1)
+ if (pledge("stdio rpath wpath cpath proc exec sendfd unveil", NULL)
+ == -1)
 err(1, "pledge");
 #endif
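Review bot: In apply_unveil(), `/dev/null` is unveiled with `"rwc"`, which also grants create and remove on that path; nothing visible in this hunk needs more than reading and writing it, so `unveil("/dev/null", "rw")` looks like the narrower grant unless a helper outside the hunk depends on the extra permission. The function also has no comment saying why each path is exposed; I would add one above it, e.g. `/* Limit the filesystem view: repository read-only, /tmp and /dev/null writable, plus whatever got_privsep_unveil_exec_helpers() exposes; then lock with unveil(NULL, NULL). */`. When repo_path is NULL no repository path is unveiled before the view is locked, and the errors returned from the failing unveil() calls do not say which path was rejected, so both are worth a short note in that comment.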
@@ -445,6 +481,12 @@ main(int argc, char *argv[])
 return 1;
 }
+ error = apply_unveil(repo_path);
+ if (error) {
+ fprintf(stderr, "unveil: %s", error->msg);
+ return 1;
+ }
+
 RUN_TEST(repo_read_tree(repo_path), "read_tree");
 RUN_TEST(repo_read_log(repo_path), "read_log");
 RUN_TEST(repo_read_blob(repo_path), "read_blob");
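Review bot: The message printed when apply_unveil() fails has no trailing newline; `fprintf(stderr, "unveil: %s\n", error->msg);` would keep it on its own line. Separately, the pledge() call earlier in main is compiled out under `#ifndef PROFILE`, but this apply_unveil() call is not, so a profiling build would run with a locked filesystem view and no pledge. If that build has to write its output somewhere other than /tmp, the write would presumably fail, so either guard the call the same way or unveil the output file inside apply_unveil(). main's body starts before and continues after this hunk.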