

commit - 9465d5226d843990e460238d75dfaa0e52c69062
commit + 63219cd2d49c2964687d675e8ac6e86bc0b70035
blob - 74fa300abb148f521b2bc42cb04ce259732327c3
blob + 50ca600a880b33b0cfc0102681f741baa510622c
--- got/got.c
+++ got/got.c
@@ -39,6 +39,7 @@
 #include "got_diff.h"
 #include "got_commit_graph.h"
 #include "got_blame.h"
+#include "got_privsep.h"
 
 #ifndef nitems
 #define nitems(_a)	(sizeof((_a)) / sizeof((_a)[0]))
@@ -227,8 +228,8 @@ cmd_checkout(int argc, char *argv[])
 	argv += optind;
 
 #ifndef PROFILE
-	if (pledge("stdio rpath wpath cpath flock proc exec sendfd", NULL)
-	    == -1)
+	if (pledge("stdio rpath wpath cpath flock proc exec sendfd unveil",
+	    NULL) == -1)
 		err(1, "pledge");
 #endif
 	if (argc == 1) {
@@ -271,7 +272,22 @@ cmd_checkout(int argc, char *argv[])
 		}
 	} else
 		usage_checkout();
+
+	if (unveil(repo_path, "r") != 0 ||
+	    unveil(worktree_path, "rwc") != 0 ||
+	    unveil("/tmp", "rwc") != 0) {
+		error = got_error_from_errno();
+		goto done;
+	}
+	error = got_privsep_unveil_exec_helpers();
+	if (error != NULL)
+		goto done;
 
+	if (unveil(NULL, NULL) != 0) {
+		error = got_error_from_errno();
+		goto done;
+	}
+
 	error = got_repo_open(&repo, repo_path);
 	if (error != NULL)
 		goto done;
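Review bot: After `unveil(NULL, NULL)` locks the unveil view, the "unveil" promise added to the pledge string in the earlier hunk is no longer needed, and the usual OpenBSD pattern is to drop it with a second `pledge()` call right after the lock so the process cannot re-enter unveil state later; the diff leaves the promise in place for the rest of cmd_checkout. A one-line comment above the lock, `/* Lock the unveil view; nothing below may add paths. */`, would also make the ordering constraint explicit, since every unveil (including the helper executables) has to precede this point. Consider whether the "/tmp" unveil could be narrowed to the temp directory the code actually uses, if one is known here; that is an inference from the paths shown and worth confirming against the callers. cmd_checkout starts and ends outside this hunk.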
blob - /dev/null
blob + e516bc29a9853bf57eb857d3a3a94a0c349438b9 (mode 644)
--- /dev/null
+++ include/got_privsep.h
@@ -0,0 +1,17 @@
+/*
+ * Copyright (c) 2019 Stefan Sperling <stsp@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+const struct got_error *got_privsep_unveil_exec_helpers(void);
blob - ebc6a6d31dbb36ba1ebd5b79234c523b8d1b2c7f
blob + 923a10bad969053dcbbfd987f29c08ae6547123e
--- lib/privsep.c
+++ lib/privsep.c
@@ -1134,4 +1134,18 @@ got_privsep_send_packed_obj_req(struct imsgbuf *ibuf, 
 		return got_error_from_errno();
 
 	return flush_imsg(ibuf);
+}
+
+const struct got_error *
+got_privsep_unveil_exec_helpers(void)
+{
+	if (unveil(GOT_PATH_PROG_READ_PACK, "x") != 0 ||
+	    unveil(GOT_PATH_PROG_READ_OBJECT, "x") != 0 ||
+	    unveil(GOT_PATH_PROG_READ_COMMIT, "x") != 0 ||
+	    unveil(GOT_PATH_PROG_READ_TREE, "x") != 0 ||
+	    unveil(GOT_PATH_PROG_READ_BLOB, "x") != 0 ||
+	    unveil(GOT_PATH_PROG_READ_TAG, "x") != 0)
+		return got_error_from_errno();
+
+	return NULL;
 }
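Review bot: The new got_privsep_unveil_exec_helpers has no header comment, although it carries an ordering contract that callers must respect: it must run before the caller's `unveil(NULL, NULL)`, since the lock makes every later unveil fail, and it only grants "x" on the helper paths. A comment such as `/* Unveil the privsep helper executables with "x" only. Must be called before the caller locks unveil with unveil(NULL, NULL); returns the errno-based error of the first failing unveil. */` placed above the definition would capture that. The errno capture is correct as written because got_error_from_errno() follows the failing unveil directly with nothing in between. The preceding function got_privsep_send_packed_obj_req starts outside this hunk.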