Hi,
This is a first draft to add pledge and unveil to net/irssi.
About the Makefile, I added PORTHOME=${WRKDIST} so "make test" run with
100% of success.
The current implementation of pledge/unveil is under a #ifdef
HAVE_PLEDGE so I defined it there.
I added the flags -u / --disable-unveil in case you don't want it, but in the net
thread this doesn't prevent pledge from being used (the argument boolean can't
easily be reached from there, and that pledge should always work).
Plugins works as far as I can tell, I did try the few I use.
The unveil part require hardcoded paths, like ~/.irssi allowing rwc and
~/.irssi/scripts allowing rx
One problem is with the default logfile directory ~/irclogs
I'm unsure of unveil on this one, when it does not exist, mkdir can
create it but can't create subdirectories in it, I assume it's the
correct behavior but this requires restarting irssi if you want the
logging to work.
My C skill is very rusty, I hope some parts can be saved :)
I run it while connected to a few irc servers and so far it works well.
Index: Makefile
===================================================================
RCS file: /data/cvs/ports/net/irssi/Makefile,v
retrieving revision 1.79
diff -u -p -r1.79 Makefile
--- Makefile 18 Feb 2019 18:35:57 -0000 1.79
+++ Makefile 7 Jun 2019 16:53:15 -0000
@@ -5,6 +5,7 @@ COMMENT = modular IRC client with many f
V = 1.2.0
DISTNAME = irssi-$V
PKGSPEC = irssi-=$V
+REVISION = 0
CATEGORIES = net
@@ -15,6 +16,7 @@ MAINTAINER = Klemens Nanni <[email protected]
# GPLv2+
PERMIT_PACKAGE_CDROM = Yes
+# use pledge()
WANTLIB += c crypto curses gcrypt glib-2.0 gmodule-2.0 gpg-error \
iconv intl m otr pcre perl pthread ssl
@@ -44,6 +46,12 @@ CONFIGURE_ARGS += --with-socks
LIB_DEPENDS += security/dante
WANTLIB += socks
.endif
+
+# required for 100% tests to pass
+PORTHOME= ${WRKDIST}
+
+# required to enable pledge/unveil
+CFLAGS+= -DHAVE_PLEDGE=y
MAKE_FLAGS = scriptdir="${SYSCONFDIR}/irssi/scripts" \
themedir="${SYSCONFDIR}/irssi/themes"
Index: patches/patch-src_core_net-nonblock_c
===================================================================
RCS file: patches/patch-src_core_net-nonblock_c
diff -N patches/patch-src_core_net-nonblock_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_core_net-nonblock_c 7 Jun 2019 16:38:59 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+Index: src/core/net-nonblock.c
+--- src/core/net-nonblock.c.orig
++++ src/core/net-nonblock.c
+@@ -60,6 +60,11 @@ int net_gethostbyname_nonblock(const char *addr, GIOCh
+ "Using blocking resolving");
+ }
+
++#ifdef HAVE_PLEDGE
++ if (pledge("dns inet stdio",NULL) == -1)
++ { printf("Error pledge non-block\n"); exit(1); }
++#endif
++
+ /* child */
+ srand(time(NULL));
+
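Review bot: The added pledge in `net_gethostbyname_nonblock` sits above the `/* child */` comment and directly below the closing brace of the branch that logs "Using blocking resolving", so it does not look confined to the forked child. The fork call is outside the hunk, but if that branch is the fork-failure fallback where the lookup continues in the calling process, the main irssi process would be reduced to `dns inet stdio` and lose tty and file access. Guard the call on the fork result, e.g. `if (pid == 0 && pledge("dns inet stdio", NULL) == -1)` (assuming the variable is named `pid`). Report the failure with `err(1, "pledge")` so the message carries errno and goes to stderr rather than to stdout through `printf`.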
Index: patches/patch-src_fe-common_core_fe-common-core_c
===================================================================
RCS file: patches/patch-src_fe-common_core_fe-common-core_c
diff -N patches/patch-src_fe-common_core_fe-common-core_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_fe-common_core_fe-common-core_c 7 Jun 2019 16:34:14
-0000
@@ -0,0 +1,96 @@
+$OpenBSD$
+
+Index: src/fe-common/core/fe-common-core.c
+--- src/fe-common/core/fe-common-core.c.orig
++++ src/fe-common/core/fe-common-core.c
+@@ -49,6 +49,9 @@
+ #include "windows-layout.h"
+ #include "fe-recode.h"
+
++#ifdef HAVE_PLEDGE
++#include <pwd.h>
++#endif
+ #include <signal.h>
+
+ static char *autocon_server;
+@@ -58,6 +61,10 @@ static int no_autoconnect;
+ static char *cmdline_nick;
+ static char *cmdline_hostname;
+
++#ifdef HAVE_PLEDGE
++static int no_unveil;
++#endif
++
+ void fe_core_log_init(void);
+ void fe_core_log_deinit(void);
+
+@@ -99,6 +106,53 @@ void window_commands_deinit(void);
+
+ static void sig_setup_changed(void);
+
++#ifdef HAVE_PLEDGE
++void pledge_init()
++{
++ if( ! no_unveil) {
++ struct passwd *pw;
++ int user_id = getuid();
++ char path[200];
++
++ pw = getpwuid(user_id);
++ if (pw == NULL)
++ { printf("can't get pw of current user\n"); exit(1); }
++
++ if( unveil("/etc/ssl","r") == -1 )
++ { printf("error unveil /etc/ssl/\n"); exit(1); }
++
++ if( unveil("/etc/resolv.conf","r") == -1 )
++ { printf("error unveil /etc/resolv.conf\n"); exit(1); }
++
++ if( unveil("/dev/null","rw") == -1 )
++ { printf("error unveil dev/null\n"); exit(1); }
++
++ if( unveil("/usr/local/libdata/perl5/","r") == -1 )
++ { printf("error unveil /usr/local/libdata/perl5/\n"); exit(1); }
++
++ if( unveil("/usr/libdata/perl5/","r") == -1 )
++ { printf("error unveil /usr/libdata/perl5/\n"); exit(1); }
++
++ snprintf(path,sizeof(path), "%s/irclogs",pw->pw_dir);
++ if( unveil(path,"rwc") == -1 )
++ { printf("error unveil %s\n",path); exit(1); }
++
++ snprintf(path,sizeof(path), "%s/.irssi/",pw->pw_dir);
++ if( unveil(path,"rwc") == -1 )
++ { printf("error unveil %s\n",path); exit(1); }
++
++ snprintf(path,sizeof(path), "%s/.irssi/scripts",pw->pw_dir);
++ if( unveil(path,"rx") == -1 )
++ { printf("error unveil %s\n",path); exit(1); }
++
++ if (pledge("dns inet tty flock stdio cpath wpath rpath prot_exec proc
unveil getpw",NULL) == -1)
++ { printf("error pledge\n"); exit(1); }
++
++ }
++
++}
++#endif
++
+ static void sig_connected(SERVER_REC *server)
+ {
+ MODULE_DATA_SET(server, g_new0(MODULE_SERVER_REC, 1));
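Review bot: The final `pledge()` in `pledge_init` keeps the `unveil` promise and nothing calls `unveil(NULL, NULL)`, so the path list built above is never locked. Any later code in the process, including loaded Perl scripts, can still unveil further paths. Either drop `unveil` from the promise string or add `if (unveil(NULL, NULL) == -1) err(1, "unveil");` just before the pledge. The three `snprintf` calls into `path[200]` also ignore truncation, so an overlong `pw_dir` would silently unveil a shorter, different path; compare the return value with `sizeof(path)` and bail out on overflow. The other failure paths would read better with `err(1, "unveil %s", path)` than with `printf` to stdout followed by `exit(1)`.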
+@@ -133,6 +187,7 @@ void fe_common_core_register_options(void)
+ { "noconnect", '!', 0, G_OPTION_ARG_NONE, &no_autoconnect,
"Disable autoconnecting", NULL },
+ { "nick", 'n', 0, G_OPTION_ARG_STRING, &cmdline_nick, "Specify
nick to use", NULL },
+ { "hostname", 'h', 0, G_OPTION_ARG_STRING, &cmdline_hostname,
"Specify host name to use", NULL },
++ { "disable-unveil", 'u', 0, G_OPTION_ARG_NONE, &no_unveil, "Disable
unveil and pledge security features", NULL },
+ { NULL }
+ };
+
+@@ -140,6 +195,7 @@ void fe_common_core_register_options(void)
+ autocon_password = NULL;
+ autocon_port = 0;
+ no_autoconnect = FALSE;
++ no_unveil = FALSE;
+ cmdline_nick = NULL;
+ cmdline_hostname = NULL;
+ args_register(options);
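Review bot: `no_unveil` is declared only under `#ifdef HAVE_PLEDGE`, but two uses of it in `fe_common_core_register_options` are unconditional: the new `disable-unveil` entry in the options table and the `no_unveil = FALSE;` assignment in this hunk. The file therefore no longer compiles when HAVE_PLEDGE is not defined. Wrap both additions in the same `#ifdef HAVE_PLEDGE` / `#endif`, or declare the variable unconditionally. The function body starts and ends outside these hunks.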