Hi people,

inspired by someone on Hackernews talking about how hard it would be to properly pledge an editor, here's a patch to pledge Vi and Ex.

I'd like to go a bit deeper than this patch though: In addition to the -S option which enables "secure mode", Vi and Ex have a -R switch, which enables read-only mode. Currently, read-only mode can be overridden with the `:w!` command or with `:set noro`, so it's more of a "set the initial mode to be read-only" switch. I'd like to make this switch a permanent "never ever write a file that's not in /tmp or /var/tmp" mode. Would a patch that does this get accepted?

Related:

- pledge("tmppath") currently allows writing and what not to files in /tmp. Would it make sense to expand this to /var/tmp? On normal OpenBSD systems, these are the same directory anyway and Vi for example stores its recovery files in /var/tmp.

- If you pledge("tmppath"), you can only open(2) files in /tmp if you supply the O_CREAT flag. Is this intentional? Opening existing files (even reopening files I've just created with O_CREAT) without the O_CREAT flag for writing requires pledge("wpath"), which I'd like to avoid for the hypothetical "Don't write anywhere" mode. Would a patch removing this restriction be accepted?

-- 
Gregor

Index: common/main.c =================================================================== RCS file: /mnt/media/cvs/src/usr.bin/vi/common/main.c,v retrieving revision 1.26 diff -u -p -u -r1.26 main.c --- common/main.c 20 Nov 2014 08:50:53 -0000 1.26 +++ common/main.c 11 Nov 2015 13:01:34 -0000 @@ -17,6 +17,7 @@ #include <sys/time.h> #include <bitstring.h> +#include <err.h> #include <errno.h> #include <fcntl.h> #include <limits.h> @@ -229,6 +230,14 @@ editor(GS *gp, int argc, char *argv[]) } if (LF_ISSET(SC_EX) && F_ISSET(gp, G_SCRIPTED)) silent = 1; + + if (secure) { + if (pledge("stdio rpath wpath cpath fattr flock tty", NULL)) + err(1, "pledge"); + } else { + if (pledge("stdio rpath wpath cpath fattr flock tty proc exec", NULL)) + err(1, "pledge"); + } /* * Build and initialize the first/current screen. This is a bit
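Review bot: in the second hunk (the `editor()` change) both branches test `if (pledge(...))` and repeat `err(1, "pledge")`; OpenBSD style is an explicit `== -1` check, and picking the promise string first, e.g. `const char *promises = secure ? "stdio rpath wpath cpath fattr flock tty" : "stdio rpath wpath cpath fattr flock tty proc exec";`, then calling pledge once keeps the two near-identical strings from drifting apart. A comment saying which feature needs which promise would also help (why `proc exec` is dropped only under -S, what needs `flock` and `fattr`), since the next person tightening this has nothing to go on. One thing to confirm rather than change: once `proc exec` is gone, any ex command that still reaches fork/exec is a pledge violation and kills the editor with SIGABRT instead of printing an error, so the existing secure-mode refusals must catch every such command before the syscall. The same applies to the -R idea in the mail: dropping `wpath cpath` there only makes sense after `:w!` and `:set noro` can no longer write.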
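To check the second question above (that under `pledge("tmppath")` an open(2) in /tmp is only allowed with O_CREAT), the following probe harness runs one operation in a forked child after pledging a given promise string and classifies what happened: allowed, failed with errno, or killed (a pledge violation delivers an uncatchable SIGABRT). This is an added example, not code from the vi patch or from OpenBSD; it assumes an OpenBSD host for the actual sandbox (elsewhere pledge() is stubbed out and restricts nothing, so every probe reports "allowed"), and the `/tmp/pledge-probe.<pid>` name is an arbitrary choice for this example.

```c
/*
 * pledge(2) probe harness (added example, not part of the vi patch).
 * Each probe forks, pledges in the child, runs one operation and maps
 * the child's exit status to a result. The fork happens before pledge,
 * so the child never needs the "proc" promise itself.
 */
#include <sys/types.h>
#include <sys/wait.h>

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Build stub for non-OpenBSD hosts: no sandbox, every probe is "allowed". */
static int
pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;
}
#endif

enum probe_result {
	PROBE_ALLOWED,	/* operation ran and returned 0 */
	PROBE_FAILED,	/* operation returned -1 (ordinary errno failure) */
	PROBE_KILLED,	/* child died from a signal: pledge violation (SIGABRT) */
	PROBE_ERROR	/* harness problem: fork, waitpid or pledge itself failed */
};

typedef int (*probe_op)(const char *arg);

/* Fork, pledge with `promises` in the child, run op(arg), classify the exit. */
static enum probe_result
probe(const char *promises, probe_op op, const char *arg)
{
	pid_t pid;
	int status;

	pid = fork();
	if (pid == -1)
		return PROBE_ERROR;
	if (pid == 0) {
		if (pledge(promises, NULL) == -1)
			_exit(2);
		_exit(op(arg) == 0 ? 0 : 1);
	}
	if (waitpid(pid, &status, 0) == -1)
		return PROBE_ERROR;
	if (WIFSIGNALED(status))
		return PROBE_KILLED;
	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
		return PROBE_ALLOWED;
	if (WIFEXITED(status) && WEXITSTATUS(status) == 1)
		return PROBE_FAILED;
	return PROBE_ERROR;
}

/* mkstemp(3)-style create: O_CREAT|O_EXCL on a fresh name under /tmp/. */
static int
op_create(const char *path)
{
	int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
	if (fd == -1)
		return -1;
	close(fd);
	return 0;
}

/* Reopen the same, now existing, file for writing without O_CREAT. */
static int
op_reopen(const char *path)
{
	int fd = open(path, O_RDWR);
	if (fd == -1)
		return -1;
	close(fd);
	return 0;
}

/* Harness self-check: to the parent this looks exactly like a pledge kill. */
static int
op_abort(const char *unused)
{
	(void)unused;
	abort();
}

/* Per-process scratch name; the prefix is arbitrary, any name under /tmp/ works. */
static const char *
probe_path(void)
{
	static char path[64];
	snprintf(path, sizeof path, "/tmp/pledge-probe.%ld", (long)getpid());
	return path;
}

static enum probe_result demo_create(void) { return probe("stdio tmppath", op_create, probe_path()); }
static enum probe_result demo_reopen(void) { return probe("stdio tmppath", op_reopen, probe_path()); }
static int demo_cleanup(void) { return unlink(probe_path()); }

static const char *result_name[] = { "allowed", "failed", "killed", "error" };

int
main(void)
{
	printf("open O_CREAT|O_EXCL under \"stdio tmppath\": %s\n", result_name[demo_create()]);
	printf("reopen without O_CREAT under \"stdio tmppath\": %s\n", result_name[demo_reopen()]);
	printf("abort() under \"stdio\" (harness check, expect killed): %s\n",
	    result_name[probe("stdio", op_abort, NULL)]);
	demo_cleanup();
	return 0;
}
```

On OpenBSD the first probe should come back "allowed" and the second "killed" (with a pledge violation logged by the kernel), which is the behaviour the mail describes; swapping the path prefix for `/var/tmp/` turns the same harness into a check for the first question. The parent does the unlink unpledged so the scratch file is always removed.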