From 2288d216a546e920c75a5361f20e9cacbbbbb9c3 Mon Sep 17 00:00:00 2001
From: mestre
Date: Fri, 26 Oct 2018 17:12:03 +0000
Subject: [PATCH] If input_name is provided we can unveil(2) it with read permissions, if output_name is provided we need to unveil(2) this one with rwc. Additionally depending on the different combinations of if these files are passed via args or from stdin/to stdout we can also pledge(2) accordingly to the code path. OK deraadt@
---
 app/bdftopcf/bdftopcf.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/app/bdftopcf/bdftopcf.c b/app/bdftopcf/bdftopcf.c
index 6f9e96bb2..0006a6886 100644
--- a/app/bdftopcf/bdftopcf.c
+++ b/app/bdftopcf/bdftopcf.c
@@ -39,6 +39,7 @@ from The Open Group.
 #include "bdfint.h"
 #include "pcf.h"
 #include
+#include
 #include
 int
@@ -158,6 +159,38 @@ main(int argc, char *argv[])
 }
 argv++;
 }
+
+ if (input_name) {
+ if (unveil(input_name, "r") == -1) {
+ fprintf(stderr, "%s: could not unveil %s\n",
+ program_name, input_name);
+ exit(1);
+ }
+ }
+ if (output_name) {
+ if (unveil(output_name, "rwc") == -1) {
+ fprintf(stderr, "%s: could not unveil %s\n",
+ program_name, output_name);
+ exit(1);
+ }
+ if (pledge("stdio rpath wpath cpath", NULL) == -1) {
+ fprintf(stderr, "%s: could not pledge", program_name);
+ exit(1);
+ }
+ }
+ if (input_name && !output_name) {
+ if (pledge("stdio rpath", NULL) == -1) {
+ fprintf(stderr, "%s: could not pledge", program_name);
+ exit(1);
+ }
+ }
+ if (!input_name && !output_name) {
+ if (pledge("stdio", NULL) == -1) {
+ fprintf(stderr, "%s: could not pledge", program_name);
+ exit(1);
+ }
+ }
+
 if (input_name) {
 input = FontFileOpen(input_name);
 if (!input) {
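Review bot: The three pledge(2) failure paths in the second hunk print `"%s: could not pledge"` with no trailing newline, unlike the unveil(2) messages just above them, so a failed sandbox setup leaves an unterminated line on stderr; each should read `fprintf(stderr, "%s: could not pledge\n", program_name);`. None of the five messages reports errno, which makes it hard to tell a bad path from an unsupported promise when this fails in the field. In the branch taken when only output_name is set, the promise string still carries `rpath` although no input file is opened by name; if the output writer (not visible here) never reads, `"stdio wpath cpath"` would be the tighter set. The three independent `if` tests would read more clearly as a single if/else chain with a comment such as `/* Drop filesystem access before any font data is parsed. */`. main() begins and continues outside the hunk, so the open and parse order is inferred from the trailing context lines only.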