Something like this then? If it's too much burden to keep these local patches I can drop it, no problem.
Index: bdftopcf.c =================================================================== RCS file: /cvs/xenocara/app/bdftopcf/bdftopcf.c,v retrieving revision 1.5 diff -u -p -u -r1.5 bdftopcf.c --- bdftopcf.c 29 Mar 2018 20:34:30 -0000 1.5 +++ bdftopcf.c 25 Oct 2018 07:00:50 -0000 @@ -39,6 +39,7 @@ from The Open Group. #include "bdfint.h" #include "pcf.h" #include <stdio.h> +#include <unistd.h> #include <X11/Xos.h> int 
@@ -158,6 +159,38 @@ main(int argc, char *argv[]) } argv++; } + + if (input_name) { + if (unveil(input_name, "r") == -1) { + fprintf(stderr, "%s: could not unveil %s\n", + program_name, input_name); + exit(1); + } + } + if (output_name) { + if (unveil(output_name, "rwc") == -1) { + fprintf(stderr, "%s: could not unveil %s\n", + program_name, output_name); + exit(1); + } + if (pledge("stdio rpath wpath cpath", NULL) == -1) { + fprintf(stderr, "%s: could not pledge", program_name); + exit(1); + } + } + if (input_name && !output_name) { + if (pledge("stdio rpath", NULL) == -1) { + fprintf(stderr, "%s: could not pledge", program_name); + exit(1); + } + } + if (!input_name && !output_name) { + if (pledge("stdio", NULL) == -1) { + fprintf(stderr, "%s: could not pledge", program_name); + exit(1); + } + } + if (input_name) { input = FontFileOpen(input_name); if (!input) { On 10:41 Wed 24 Oct , Theo de Raadt wrote: > Matthieu Herrb <matth...@herrb.eu> wrote: > > > Generally, I'm not too found of pledging/unveiling random X client > > programs. There are a lot of "hidden" features in X libraries that > > will probably break with too strict pledges and/or unveils. > > Well eventually we want to see if something can be done about xterm. > Especially if the lessons learned (I suspect some hoisting will occur) > can be pushed back upstream, and maybe allow others to apply their > own system call limiter mechanism. Perhaps not possible... > > > Also since this is OpenBSD-specific, it will be difficult to get it > > upstreams, especially if you don't provide the autoconf goo to make > > the code still build/work on Linux. And when not upstreaming it > > creates more burden to merge new versions of the applications. > > Well, I doubt it will create too much burden, generally these unveil > or pledge chunks are a small set of + lines, without changing other > logic. > > Anyways, bdftopcf is not running near a security boundary. >
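Review bot: in the second hunk, the three pledge(2) failure messages (`"%s: could not pledge"`) are missing the trailing `\n` that the unveil messages have, so the diagnostic runs into whatever is printed next; either add the newline or use `err(1, "pledge")` from <err.h> so the errno text is included as well. The four-way branching on input_name/output_name could also be collapsed into one pledge(2) call by picking the promise string first ("stdio", "stdio rpath" when only input_name is set, "stdio rpath wpath cpath" when output_name is set), which makes it easier to verify that every combination ends in exactly one pledge.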