If input_name is provided we can unveil(2) it with read permissions, if

output_name is provided we need to unveil(2) this one with rwc. Additionally depending on the different combinations of if these files are passed via args or from stdin/to stdout we can also pledge(2) accordingly to the code path. OK deraadt@
2018-10-26 17:12:03 +00:00 · 2018-10-26 17:12:03 +00:00 · 2288d216a5
commit 2288d216a5
parent d9d5fc591a
1 changed files with 33 additions and 0 deletions
--- a/app/bdftopcf/bdftopcf.c
+++ b/app/bdftopcf/bdftopcf.c
@ -39,6 +39,7 @@ from The Open Group.
 #include "bdfint.h"
 #include "pcf.h"
 #include <stdio.h>
+#include <unistd.h>
 #include <X11/Xos.h>

 int
@ -158,6 +159,38 @@ main(int argc, char *argv[])
        }
        argv++;
    }
+
+    if (input_name) {
+        if (unveil(input_name, "r") == -1) {
+            fprintf(stderr, "%s: could not unveil %s\n",
+                    program_name, input_name);
+            exit(1);
+		}
+    }
+    if (output_name) {
+        if (unveil(output_name, "rwc") == -1) {
+            fprintf(stderr, "%s: could not unveil %s\n",
+                    program_name, output_name);
+            exit(1);
+        }
+        if (pledge("stdio rpath wpath cpath", NULL) == -1) {
+            fprintf(stderr, "%s: could not pledge", program_name);
+            exit(1);
+        }
+    }
+    if (input_name && !output_name) {
+        if (pledge("stdio rpath", NULL) == -1) {
+            fprintf(stderr, "%s: could not pledge", program_name);
+            exit(1);
+        }
+    }
+    if (!input_name && !output_name) {
+        if (pledge("stdio", NULL) == -1) {
+            fprintf(stderr, "%s: could not pledge", program_name);
+            exit(1);
+        }
+    }
+
    if (input_name) {
        input = FontFileOpen(input_name);
        if (!input) {