authorTim Kuijsten <info+git@netsend.nl>2019-11-21 02:15:41 +0100
committerLeah Neukirchen <leah@vuxu.org>2020-09-06 16:34:56 +0200
commit4763032430834ff1d7dfe4293826cf845a71b990 (patch)
tree113205e6ce5f84eaf5df1c9347ba0187fa93f3ed
parent6bd687bfdc44bafdc18b96eaec0995e3254536f6 (diff)
pledge(2) all programs
All programs except mshow have a very tight set of promises. mshow
has a broad set of promises and might be a good future candidate
to further restrict using unveil(2).

This patch is based on commit 0300a112 by Alex Holst (dated
2017-12-07), which was proposed in GH PR #79.

* pledged mpick, mflow and mdate so that now all programs are pledged
* removed some unneeded promises and added some missing promises
* move err.h include and OpenBSD ifdef into a new xpledge.h
* cleaned up code alignment and whitespace

Closes: #179 [via git-merge-pr]
-rw-r--r--maddr.c3
-rw-r--r--magrep.c3
-rw-r--r--mdate.c8
-rw-r--r--mdeliver.c3
-rw-r--r--mdirs.c3
-rw-r--r--mexport.c3
-rw-r--r--mflag.c3
-rw-r--r--mflow.c5
-rw-r--r--mgenmid.c3
-rw-r--r--mhdr.c3
-rw-r--r--minc.c3
-rw-r--r--mlist.c3
-rw-r--r--mmime.c3
-rw-r--r--mpick.c3
-rw-r--r--mscan.c7
-rw-r--r--msed.c3
-rw-r--r--mseq.c3
-rw-r--r--mshow.c8
-rw-r--r--msort.c2
-rw-r--r--mthread.c3
-rw-r--r--xpledge.h26
21 files changed, 100 insertions, 1 deletions
diff --git a/maddr.c b/maddr.c
index 339acad..0169458 100644
--- a/maddr.c
+++ b/maddr.c
@@ -7,6 +7,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int aflag;
 static int dflag;
@@ -108,6 +109,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", addr);
 	else
diff --git a/magrep.c b/magrep.c
index 8cb3d1f..6f93a57 100644
--- a/magrep.c
+++ b/magrep.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int aflag;
 static int cflag;
@@ -218,6 +219,8 @@ usage:
 	if (!rx)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	*rx++ = 0;
 	int r = regcomp(&pattern, rx, REG_EXTENDED | iflag);
 	if (r != 0) {
diff --git a/mdate.c b/mdate.c
index fb95d7c..793f65e 100644
--- a/mdate.c
+++ b/mdate.c
@@ -1,11 +1,17 @@
 #include <time.h>
 #include <unistd.h>
 
+#include "xpledge.h"
+
 int
 main()
 {
 	char buf[64];
-	time_t now = time(0);
+	time_t now;
+
+	xpledge("stdio", "");
+
+	now = time(0);
 
 	ssize_t l = strftime(buf, sizeof buf,
 	    "%a, %d %b %Y %T %z\n", localtime(&now));
diff --git a/mdeliver.c b/mdeliver.c
index c599d9d..161cea5 100644
--- a/mdeliver.c
+++ b/mdeliver.c
@@ -13,6 +13,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 /*
 design rationale:
@@ -340,6 +341,8 @@ usage2:
 	if (argc != optind+1)
 		goto usage2;
 
+	xpledge("stdio rpath wpath cpath", "");
+
 	targetdir = argv[optind];
 
 	gethost();
diff --git a/mdirs.c b/mdirs.c
index 46b2426..5f49906 100644
--- a/mdirs.c
+++ b/mdirs.c
@@ -9,6 +9,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static char sep = '\n';
 int aflag;
@@ -88,6 +89,8 @@ usage:
 	if (argc == optind)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	char toplevel[PATH_MAX];
 	if (!getcwd(toplevel, sizeof toplevel)) {
 		perror("mdirs: getcwd");
diff --git a/mexport.c b/mexport.c
index 91fa9a6..d758d0c 100644
--- a/mexport.c
+++ b/mexport.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Sflag;
 
@@ -141,6 +142,8 @@ main(int argc, char *argv[])
 
 	status = 0;
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(":", export);
 	else
diff --git a/mflag.c b/mflag.c
index 7708946..ddf633c 100644
--- a/mflag.c
+++ b/mflag.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int8_t flags[255];
 static int vflag = 0;
@@ -134,6 +135,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath cpath", "");
+
 	curfile = blaze822_seq_cur();
 
 	if (vflag) {
diff --git a/mflow.c b/mflow.c
index 41db508..af6755d 100644
--- a/mflow.c
+++ b/mflow.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 int column = 0;
 int maxcolumn = 80;
@@ -107,6 +108,8 @@ main(int argc, char *argv[])
 	int force = 0;
 	int delsp = 0;
 
+	xpledge("stdio rpath tty", "");
+
 	char *ct = getenv("PIPE_CONTENTTYPE");
 	if (ct) {
 		char *s, *se;
@@ -130,6 +133,8 @@ main(int argc, char *argv[])
 		}
 	}
 
+	xpledge("stdio", "");
+
 	char *maxcols = getenv("MAXCOLUMNS");
 	if (maxcols && isdigit(*maxcols)) {
 		int m = atoi(maxcols);
diff --git a/mgenmid.c b/mgenmid.c
index c7d713c..eb161cf 100644
--- a/mgenmid.c
+++ b/mgenmid.c
@@ -13,6 +13,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 void
 printb36(uint64_t x)
@@ -36,6 +37,8 @@ int main()
 	char *f = blaze822_home_file("profile");
 	struct message *config = blaze822(f);
 
+	xpledge("stdio rpath", "");
+
 	if (config) // try FQDN: first
 		host = blaze822_hdr(config, "fqdn");
 
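Review bot: The promise set in `xpledge("stdio rpath", "");` has no `dns`, and main() continues past this hunk, so the host-name fallbacks after the `fqdn` lookup are not visible here. If any of them goes through the system resolver, that call would be killed under these promises; in that case either pledge `"stdio rpath dns"` here and drop `dns` once `host` is set, or keep the tight set only when `fqdn` was found. A short comment above the call saying what still needs `rpath` after the profile has been read, e.g. `/* rpath: <what is opened later> */`, would make the set easier to audit.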
diff --git a/mhdr.c b/mhdr.c
index 18cbc5e..d434d1d 100644
--- a/mhdr.c
+++ b/mhdr.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static char *hflag;
 static char *pflag;
@@ -245,6 +246,8 @@ main(int argc, char *argv[])
 
 	status = 1;
 
+	xpledge("stdio rpath", "");
+
 	if (argc == optind && isatty(0))
 		blaze822_loop1(".", header);
 	else
diff --git a/minc.c b/minc.c
index f495da1..c1d28fd 100644
--- a/minc.c
+++ b/minc.c
@@ -12,6 +12,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int qflag;
 static int status;
@@ -76,6 +77,8 @@ usage:
 	if (optind == argc)
 		goto usage;
 
+	xpledge("stdio rpath cpath", "");
+
 	status = 0;
 	for (i = optind; i < argc; i++)
 		inc(argv[i]);
diff --git a/mlist.c b/mlist.c
index 3cb082f..5debf99 100644
--- a/mlist.c
+++ b/mlist.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 /*
 
@@ -272,6 +273,8 @@ usage:
 
 	int i;
 
+	xpledge("stdio rpath", "");
+
 	for (i = 0, flagsum = 0, flagset = 0; (size_t)i < sizeof flags; i++) {
 		if (flags[i] != 0)
 			flagset++;
diff --git a/mmime.c b/mmime.c
index 676a4b7..2c5e79e 100644
--- a/mmime.c
+++ b/mmime.c
@@ -16,6 +16,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int cflag;
 static int rflag;
@@ -521,6 +522,8 @@ usage:
 	if (argc != optind)
 		goto usage;
 
+	xpledge("stdio rpath", "");
+
 	if (cflag)
 		return check();
 
diff --git a/mpick.c b/mpick.c
index bff0cc3..93bbafb 100644
--- a/mpick.c
+++ b/mpick.c
@@ -43,6 +43,7 @@
 #include <wchar.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 enum op {
 	EXPR_OR = 1,
@@ -1463,6 +1464,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	void *cb = need_thr ? collect : oneline;
 	if (argc == optind && isatty(0))
 		i = blaze822_loop1(":", cb);
diff --git a/mscan.c b/mscan.c
index 6ae1628..52ba9a4 100644
--- a/mscan.c
+++ b/mscan.c
@@ -2,6 +2,8 @@
 #define _XOPEN_SOURCE 700
 #endif
 
+#include "xpledge.h"
+
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -549,6 +551,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath tty proc exec", NULL);
+
 	if (nflag) {
 		if (argc == optind && isatty(0))
 			blaze822_loop1(":", numline);
@@ -584,6 +588,9 @@ main(int argc, char *argv[])
 	}
 	if (ttyfd >= 0)
 		close(ttyfd);
+
+	xpledge("stdio rpath", "");
+
 	if (getenv("COLUMNS"))
 		cols = atoi(getenv("COLUMNS"));
 	if (cols <= 40)
diff --git a/msed.c b/msed.c
index 4fef8f4..7bb0b82 100644
--- a/msed.c
+++ b/msed.c
@@ -11,6 +11,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static char *expr;
 
@@ -323,6 +324,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
+
 	expr = argv[optind];
 	optind++;
 
diff --git a/mseq.c b/mseq.c
index 4bcb89f..f63aaae 100644
--- a/mseq.c
+++ b/mseq.c
@@ -13,6 +13,7 @@
 
 #include "blaze822.h"
 #include "blaze822_priv.h"
+#include "xpledge.h"
 
 static int fflag;
 static int rflag;
@@ -298,6 +299,8 @@ usage:
 			exit(1);
 		}
 
+	xpledge("stdio rpath wpath cpath", "");
+
 	if (cflag)
 		blaze822_loop1(cflag, overridecur);
 
diff --git a/mshow.c b/mshow.c
index 8ecf157..8d70120 100644
--- a/mshow.c
+++ b/mshow.c
@@ -14,6 +14,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Bflag;
 static int rflag;
@@ -797,6 +798,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath wpath cpath proc exec", NULL);
+
 	if (!rflag && !xflag && !Oflag && !Rflag)
 		safe_output = 1;
 
@@ -822,17 +825,22 @@ main(int argc, char *argv[])
 	}
 
 	if (xflag) { // extract
+		xpledge("stdio rpath wpath cpath", NULL);
 		extract(xflag, argc-optind, argv+optind, 0);
 	} else if (Oflag) { // extract to stdout
+		xpledge("stdio rpath", NULL);
 		extract(Oflag, argc-optind, argv+optind, 1);
 	} else if (tflag) { // list
+		xpledge("stdio rpath", NULL);
 		if (argc == optind && isatty(0))
 			blaze822_loop1(".", list);
 		else
 			blaze822_loop(argc-optind, argv+optind, list);
 	} else if (Rflag) { // render for reply
+		xpledge("stdio rpath", NULL);
 		blaze822_loop(argc-optind, argv+optind, reply);
 	} else { // show
+		/* XXX pledge: still r/w on the whole file-system + fork/exec */
 		if (!(qflag || rflag || Fflag)) {
 			char *f = getenv("MAILFILTER");
 			if (!f)
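Review bot: The four branch-level calls pass `NULL` as execpromises, while the programs in this commit that never exec pass `""`. These branches drop `proc exec`, so `xpledge("stdio rpath", "");` (and `"stdio rpath wpath cpath", ""` for `-x`) would state the intent and match the other files. The `XXX` comment in the show branch could also say what keeps the broad set alive; the visible `MAILFILTER` lookup suggests an external filter, but the rest of that branch is outside the hunk. Recording this, e.g. `/* XXX pledge: filters need proc exec; <what needs wpath cpath> */`, gives a later unveil(2) or narrower pledge a starting point.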
diff --git a/msort.c b/msort.c
index e07ac69..5d2d88d 100644
--- a/msort.c
+++ b/msort.c
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 struct mail {
 	char *file;
@@ -316,6 +317,7 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath", "");
 
 	mails = calloc(sizeof (struct mail), mailalloc);
 	if (!mails)
diff --git a/mthread.c b/mthread.c
index 8a7172a..9d718fc 100644
--- a/mthread.c
+++ b/mthread.c
@@ -19,6 +19,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int vflag;
 static int pflag;
@@ -419,6 +420,8 @@ main(int argc, char *argv[])
 
 	optional = 1;
 
+	xpledge("stdio rpath", "");
+
 	while ((c = getopt(argc, argv, "S:prv")) != -1)
 		switch (c) {
 		case 'S': blaze822_loop1(optarg, thread); break;
diff --git a/xpledge.h b/xpledge.h
new file mode 100644
index 0000000..a6065a9
--- /dev/null
+++ b/xpledge.h
@@ -0,0 +1,26 @@
+#ifndef PLEDGE_H
+#define PLEDGE_H
+
+#ifdef __OpenBSD__
+
+#ifndef _BSD_SOURCE
+#define _BSD_SOURCE
+#endif
+
+#include <err.h>
+#include <unistd.h>
+
+static void
+xpledge(const char *promises, const char *execpromises)
+{
+	if (pledge(promises, execpromises) == -1)
+		err(1, "pledge");
+}
+
+#else
+
+#define xpledge(promises, execpromises) do { } while(0)
+
+#endif /* __OpenBSD__ */
+
+#endif /* PLEDGE_H */
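Review bot: The `#define _BSD_SOURCE` in the OpenBSD branch can only influence the system headers if xpledge.h is seen before the first of them, yet in most files of this commit it is included last, after `<unistd.h>` or `blaze822.h`; only mscan.c includes it ahead of the system headers. Where a file defines `_XOPEN_SOURCE` first, as mscan.c visibly does, `pledge()` may then be undeclared at the call inside `xpledge()`. Including xpledge.h first in every file, or setting the feature macro from the build, would remove the dependence on include order. The guard `PLEDGE_H` also does not match the file name (`XPLEDGE_H` would). A header comment such as `/* xpledge: pledge(2) or exit; no-op outside OpenBSD. execpromises "" = no promises, NULL = leave unchanged */` would document the two conventions the callers use.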