commit 9cfaa6380d1d5dd7099dc202d5abe01963cea9b8
from: Stefan Sperling <stsp@stsp.name>
via: Thomas Adam <thomas@xteddy.org>
date: Tue Nov 14 12:12:33 2023 UTC

reduce gotwebd pledges to the minimum currently required; with op@

commit - 79e60db648de07c38759b79dd9acefb3b82e04f2
commit + 9cfaa6380d1d5dd7099dc202d5abe01963cea9b8
blob - 3dc5a446de1bee5dea0983da1f90831666467577
blob + acca300ed349f983e8c023dfcc184e7dda9a0b2e
--- gotwebd/gotwebd.c
+++ gotwebd/gotwebd.c
@@ -258,7 +258,7 @@ main(int argc, char **argv)
 		err(1, "unveil");
 
 #ifndef PROFILE
-	if (pledge("stdio rpath wpath cpath inet unix", NULL) == -1)
+	if (pledge("stdio", NULL) == -1)
 		err(1, "pledge");
 #endif
 
blob - 8e96717ed35cc9e91a8fc0c9be56d23fee4d05a8
blob + 17c797a987157d3e18fd32773d765f8c270c2938
--- gotwebd/sockets.c
+++ gotwebd/sockets.c
@@ -113,8 +113,8 @@ sockets_run(struct privsep *ps, struct privsep_proc *p
 	signal_add(&ps->ps_evsigchld, NULL);
 
 #ifndef PROFILE
-	if (pledge("stdio rpath wpath cpath inet recvfd proc exec sendfd "
-	    "unveil", NULL) == -1)
+	if (pledge("stdio rpath inet recvfd proc exec sendfd unveil",
+	    NULL) == -1)
 		fatal("pledge");
 #endif
 }