From 968d5d7b886f894d4df08eef09d0fc21539f60fc Mon Sep 17 00:00:00 2001 From: Yuce Tekol Date: Fri, 3 May 2019 09:51:18 +0300 Subject: added restrict script --- Makefile | 5 ++++- README.md | 3 +-- examples/restrict.py | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 60 insertions(+), 3 deletions(-) create mode 100644 examples/restrict.py diff --git a/Makefile b/Makefile index ccf1f60..19aef5b 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,10 @@ all: build build: - python setup.py build + python setup.py sdist + +release: clean build + twine upload dist/* clean: rm -rf dist build openbsd.egg-info/ diff --git a/README.md b/README.md index 6896dd2..b8b12a2 100644 --- a/README.md +++ b/README.md @@ -46,8 +46,7 @@ print(open("/etc/resolv.conf")) Try opening `/bin/ksh`. - -Use `openbsd.unveil()` to stop limiting access to directories. +Use `openbsd.unveil()` to lock down restrictions. ## License diff --git a/examples/restrict.py b/examples/restrict.py new file mode 100644 index 0000000..5fb002b --- /dev/null +++ b/examples/restrict.py 
@@ -0,0 +1,55 @@
+#! /usr/bin/env python
+
+from __future__ import print_function
+import sys
+import os
+
+from openbsd import pledge, unveil
+
+"""
+A little utilty that pledges and unveils.
+python3 restrict.py rpath stdio /tmp/foo:r /bin/cat:x -x cat /tmp/foo
+"""
+
+def extract_args(args):
+ promises = set()
+ rviews = []
+ cmd_args = []
+ eop = False
+
+ for arg in args:
+ if eop:
+ cmd_args.append(arg)
+ continue
+ if arg == "-x":
+ eop = True
+ continue
+ if ":" in arg:
+ rviews.append(tuple(arg.split(":", 1)[:2]))
+ else:
+ promises.add(arg)
+
+ promises = None if "ALL" in promises else " ".join(promises)
+ return promises, rviews, eop, cmd_args
+
+
+def print_usage():
+ print("Usage: %s [ALL | promise1 promise2 ...] -x cmd [arg1 arg2 ...]" % sys.argv[0], file=sys.stderr)
+ sys.exit(1)
+
+
+def main():
+ promises, rviews, eop, cmd_args = extract_args(sys.argv[1:])
+ if not eop:
+ print_usage()
+
+ if rviews:
+ for path, perm in rviews:
+ unveil(path, perm)
+
+ pledge("exec stdio rpath", promises)
+ os.execvp(cmd_args[0], cmd_args)
+
+if __name__ == "__main__":
+ main()
+
-- cgit 1.4.1-2-gfad0
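Review bot: In `main()`, `-x` given as the last argument leaves `cmd_args` empty, so `os.execvp(cmd_args[0], cmd_args)` raises IndexError after the unveil and pledge calls have already run; the guard should be `if not eop or not cmd_args:` so the usage text is printed before anything is restricted. In `extract_args()`, `arg.split(":", 1)` cuts at the first colon, so a path that itself contains `:` is unveiled under a truncated name with the remainder passed as the permission string; `arg.rsplit(":", 1)` keeps the permission as the last field. The usage line in `print_usage()` also omits the `path:perm` form that the parser accepts. The hunk does not show whether the unveil list stays in force across `execvp`, in particular when `ALL` turns the exec promises into `None`, so that is worth confirming on the target OpenBSD release because the wrapper's purpose depends on it.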