From 054345a34830a5e34aa722303e07d609c218f36c Mon Sep 17 00:00:00 2001
From: bptato
Date: Tue, 23 Apr 2024 00:18:21 +0200
Subject: sandbox: remove unveil call

We no longer modify the file system inside the sandbox, so this permission is simply not needed.
---
 src/utils/sandbox.nim | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

(limited to 'src/utils')

diff --git a/src/utils/sandbox.nim b/src/utils/sandbox.nim
index 0a31fc41..9c8bc72a 100644
--- a/src/utils/sandbox.nim
+++ b/src/utils/sandbox.nim
@@ -15,8 +15,8 @@
 # user's system.
 #
 # On OpenBSD, we pledge the minimum amount of promises we need, and
-# unveil the same socket directory as above. It seems to be roughly
-# equivalent to the security we get with FreeBSD Capsicum.
+# do not unveil anything. It seems to be roughly equivalent to the
+# security we get with FreeBSD Capsicum.
 #
 # On Linux, we use libseccomp so that I don't have to manually write
 # BPF filters.
@@ -55,12 +55,9 @@ elif defined(openbsd) and not disableSandbox:
 proc enterBufferSandbox*(sockPath: string) =
   # take whatever we need to
   # * fork
-  # * create/use UNIX domain sockets in sockPath
+  # * connect to UNIX domain sockets
   # * take FDs from the main process
-  # cw is the minimum for being able to make sockets
-  doAssert unveil(cstring(sockPath), "cw") == 0
-  # note: ordering is important; pledge now removes the unveil promise.
-  doAssert pledge("unix stdio sendfd recvfd proc cpath", nil) == 0
+  doAssert pledge("unix stdio sendfd recvfd proc", nil) == 0
 
 proc enterNetworkSandbox*() =
   # we don't need much to write out data from sockets to stdout.
--
cgit 1.4.1-2-gfad0
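Review bot: On the new side of the second hunk `enterBufferSandbox*(sockPath: string)` no longer references `sockPath` at all — its only use was the removed `unveil(cstring(sockPath), "cw")` call — so the parameter is now dead in the OpenBSD branch. If it is kept for signature parity with the other platform implementations of `enterBufferSandbox` (not shown in this hunk), a one-line comment would stop the next reader from "cleaning it up": `# sockPath is unused on OpenBSD; kept so the signature matches the other platform variants`. Otherwise the parameter and its callers could be trimmed in a follow-up. Dropping `cpath` from the pledge set to `unix stdio sendfd recvfd proc` is consistent with the stated intent, since nothing left in the body creates filesystem entries.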