Add UnveilSet

go.mod

@@ -2,4 +2,4 @@ module suah.dev/protect
 
 go 1.14
 
-require golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3
+require golang.org/x/sys v0.0.0-20210917161153-d61c044b1678

go.sum

@@ -1,2 +1,2 @@
-golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 h1:5B6i6EAiSYyejWfvc5Rc9BbI3rzIsrrXfAQBWnYfn+w=
+golang.org/x/sys v0.0.0-20210917161153-d61c044b1678 h1:J27LZFQBFoihqXoegpscI10HpjZ7B5WQLLKL2FZXQKw=
-golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

protect.go

@@ -25,6 +25,23 @@ func Unveil(path string, flags string) error {
 	return unveil(path, flags)
 }
 
+// UnveilSet takes a set of Unveils and runs them all, returning the first
+// error encountered. Optionally call UnveilBlock at the end.
+func UnveilSet(set map[string]string, block bool) error {
+	for p, s := range set {
+		err := Unveil(p, s)
+		if err != nil {
+			return err
+		}
+	}
+
+	if block {
+		return UnveilBlock()
+	}
+
+	return nil
+}
+
 // UnveilBlock locks the Unveil'd paths. Preventing further changes to a
 // processes filesystem view.
 //

protect_test.go

@@ -0,0 +1,29 @@
+package protect
+
+import (
+	"testing"
+)
+
+func TestReduce(t *testing.T) {
+	expected := "stdio unix rpath cpath"
+	a := "stdio tty unix unveil rpath cpath wpath"
+	b := "unveil tty wpath"
+
+	n, err := reduce(a, b)
+	if err != nil {
+		t.Error(err)
+	}
+
+	if n != expected {
+		t.Errorf("reduce: expected %q got %q\n", expected, n)
+	}
+
+	c, err := reduce(n, "rpath cpath")
+	if err != nil {
+		t.Error(err)
+	}
+
+	if c != "stdio unix" {
+		t.Errorf("reduce: expected %q got %q\n", "stdio unix", c)
+	}
+}