pledge(2) all programs

All programs except mshow have a very tight set of promises. mshow
has a broad set of promises and might be a good future candidate
to further restrict using unveil(2).

This patch is based on commit 0300a112 by Alex Holst (dated
2017-12-07), which was proposed in GH PR #79.

* pledged mpick, mflow and mdate so that now all programs are pledged
* removed some unneeded promises and added some missing promises
* move err.h include and OpenBSD ifdef into a new xpledge.h
* cleaned up code aligning and whitespace

Closes: #179 [via git-merge-pr]

1 files changed, 8 insertions, 0 deletions

diff --git a/mshow.c b/mshow.c
index 8ecf157..8d70120 100644
--- a/mshow.c
+++ b/mshow.c
@@ -14,6 +14,7 @@
 #include <unistd.h>
 
 #include "blaze822.h"
+#include "xpledge.h"
 
 static int Bflag;
 static int rflag;
@@ -797,6 +798,8 @@ main(int argc, char *argv[])
 			exit(1);
 		}
 
+	xpledge("stdio rpath wpath cpath proc exec", NULL);
+
 	if (!rflag && !xflag && !Oflag && !Rflag)
 		safe_output = 1;
 
@@ -822,17 +825,22 @@ main(int argc, char *argv[])
 	}
 
 	if (xflag) { // extract
+		xpledge("stdio rpath wpath cpath", NULL);
 		extract(xflag, argc-optind, argv+optind, 0);
 	} else if (Oflag) { // extract to stdout
+		xpledge("stdio rpath", NULL);
 		extract(Oflag, argc-optind, argv+optind, 1);
 	} else if (tflag) { // list
+		xpledge("stdio rpath", NULL);
 		if (argc == optind && isatty(0))
 			blaze822_loop1(".", list);
 		else
 			blaze822_loop(argc-optind, argv+optind, list);
 	} else if (Rflag) { // render for reply
+		xpledge("stdio rpath", NULL);
 		blaze822_loop(argc-optind, argv+optind, reply);
 	} else { // show
+		/* XXX pledge: still r/w on the whole file-system + fork/exec */
 		if (!(qflag || rflag || Fflag)) {
 			char *f = getenv("MAILFILTER");
 			if (!f)