From 206a776f64c9163ab597c25a61040c08c012dfd0 Mon Sep 17 00:00:00 2001
From: Andinus
Date: Sat, 4 Apr 2020 21:59:01 +0530
Subject: Fix unveil rules
---
cache/getdir_unix.go | 18 +++++++++++++-----
cmd/cetus/main_openbsd.go | 21 ++++++++-------------
2 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/cache/getdir_unix.go b/cache/getdir_unix.go
index 62dd5ed..a65d389 100644
--- a/cache/getdir_unix.go
+++ b/cache/getdir_unix.go
@@ -12,6 +12,18 @@ import (
// that is not set then assume it to be the default value which is
// $HOME/.cache according to XDG Base Directory Specification.
func GetDir() string {
+ cacheDir := Dir()
+
+ // Cetus cache directory is cacheDir/cetus.
+ cetusCacheDir := fmt.Sprintf("%s/%s", cacheDir,
+ "cetus")
+
+ return cetusCacheDir
+}
+
+// Dir returns the system cache directory, this is useful for unveil
+// in OpenBSD.
+func Dir() string {
cacheDir := os.Getenv("CETUS_CACHE_DIR")
if len(cacheDir) == 0 {
cacheDir = os.Getenv("XDG_CACHE_HOME")
@@ -21,9 +33,5 @@ func GetDir() string {
".cache")
}
- // Cetus cache directory is cacheDir/cetus.
- cetusCacheDir := fmt.Sprintf("%s/%s", cacheDir,
- "cetus")
-
- return cetusCacheDir
+ return cacheDir
}
diff --git a/cmd/cetus/main_openbsd.go b/cmd/cetus/main_openbsd.go
index 42aecaf..a140071 100644
--- a/cmd/cetus/main_openbsd.go
+++ b/cmd/cetus/main_openbsd.go
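Review bot: The doc comment added for Dir says only that it returns "the system cache directory", while the CETUS_CACHE_DIR / XDG_CACHE_HOME / $HOME/.cache lookup that now lives in Dir is still described by the comment above GetDir (whose first lines are outside the hunk), so after this change each comment describes the other function's body. Move the environment-variable description down to Dir and reduce GetDir's comment to "GetDir returns Dir() with the cetus subdirectory appended"; for Dir I would write `// Dir returns the cache root: CETUS_CACHE_DIR if set, otherwise XDG_CACHE_HOME, otherwise $HOME/.cache. On OpenBSD this whole root (not just the cetus subdirectory) is unveiled "rwc", so callers should treat it as the broadest writable path the program needs.` The "rwc" unveil of Dir() is in the cmd/cetus/main_openbsd.go hunk below. Separately, `cetusCacheDir := fmt.Sprintf("%s/%s", cacheDir, "cetus")` is more idiomatically `cetusCacheDir := filepath.Join(cacheDir, "cetus")`, which also cleans a trailing slash taken from the environment value; this needs path/filepath in the import block, which is above the hunk, if it is not already there.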
@@ -19,27 +19,22 @@ func main() {
func unveil() {
unveilL := make(map[string]string)
- unveilL[cache.GetDir()] = "rwc"
- unveilL["/dev/null"] = "rw" // required by feh
+ // We unveil the whole cache directory.
+ err = unix.Unveil(cache.Dir(), "rwc")
+ if err != nil {
+ log.Fatal(err)
+ }
+ unveilL["/dev/null"] = "rw" // required by feh
unveilL["/etc/resolv.conf"] = "r" // ktrace output
unveilL["/usr/libexec/ld.so"] = "r"
unveilL["/var/run/ld.so.hints"] = "r"
- unveilL["/usr/lib/libpthread.so.26.1"] = "r"
- unveilL["/usr/lib/libc.so.95.1"] = "r"
+ unveilL["/usr/lib"] = "r"
unveilL["/dev/urandom"] = "r"
- unveilL["/etc/mdns.allow"] = "r"
unveilL["/etc/hosts"] = "r"
- unveilL["/usr/local/etc/ssl/cert.pem"] = "r"
- unveilL["/etc/ssl/cert.pem"] = "r"
- unveilL["/etc/ssl/certs"] = "r"
- unveilL["/system/etc/security/cacerts"] = "r"
- unveilL["/usr/local/share/certs"] = "r"
- unveilL["/etc/pki/tls/certs"] = "r"
- unveilL["/etc/openssl/certs"] = "r"
- unveilL["/var/ssl/certs"] = "r"
+ unveilL["/etc/ssl"] = "r"
for k, v := range unveilL {
err = unix.Unveil(k, v)
-- cgit 1.4.1-2-gfad0