commit 6e58d3c9404cfe3f05729f28b8478e6b8c2155d2
from: Omar Polo
via: Thomas Adam
date: Mon Jan 23 18:21:06 2023 UTC
gotsh: move apply_unveil right after the first pledge and while here drop the second pledge() call since unveil is already locked by apply_unveil. ok stsp
commit - c8fcdde846ed3f6e2694cb0a3f7e6508b32098bf
commit + 6e58d3c9404cfe3f05729f28b8478e6b8c2155d2
blob - b35ab29a7bf7de38825cb9a4cb6b51c291725f48
blob + 43dacf20c7b2d23ff032cdb48ebbd511772503bf
--- gotsh/gotsh.c
+++ gotsh/gotsh.c
@@ -72,6 +72,15 @@ main(int argc, char *argv[])
 if (pledge("stdio recvfd unix unveil", NULL) == -1)
 err(1, "pledge");
 #endif
+
+ unix_socket_path = getenv("GOTD_UNIX_SOCKET");
+ if (unix_socket_path == NULL)
+ unix_socket_path = GOTD_UNIX_SOCKET;
+
+ error = apply_unveil(unix_socket_path);
+ if (error)
+ goto done;
+
 if (strcmp(argv[0], GOT_SERVE_CMD_SEND) == 0 ||
 strcmp(argv[0], GOT_SERVE_CMD_FETCH) == 0) {
 if (argc != 2)
@@ -89,18 +98,6 @@ main(int argc, char *argv[])
 if (error)
 goto done;
- unix_socket_path = getenv("GOTD_UNIX_SOCKET");
- if (unix_socket_path == NULL)
- unix_socket_path = GOTD_UNIX_SOCKET;
-
- error = apply_unveil(unix_socket_path);
- if (error)
- goto done;
-
-#ifndef PROFILE
- if (pledge("stdio recvfd unix", NULL) == -1)
- err(1, "pledge");
-#endif
 if ((gotd_sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
 err(1, "socket");
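Review bot: The `apply_unveil(unix_socket_path)` call added after the first pledge is now the only thing that ends unveil use, because the second hunk removes the later `pledge("stdio recvfd unix", NULL)` and the process keeps the `unveil` promise for the rest of its run. apply_unveil's body is not part of this diff, so the commit message's statement that it locks unveil cannot be checked here; I would record the dependency at the call site, e.g. `/* apply_unveil() must finish with unveil(NULL, NULL): no later pledge drops "unveil" */`. The unveiled path is taken from the `GOTD_UNIX_SOCKET` environment variable when it is set, so it is worth confirming that gotsh's environment is fixed by the server configuration rather than by the connecting user. main() starts and ends outside both hunks, so the `done` cleanup path reached by the new early `goto done` is not visible either.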