Hoist control socket handling, restrict runtime on OpenBSD

Use pledge(2) to prevent fork/exec, filesystem access and other
unused subsets of system calls, effectively leaving only shared
memory and networking capabilities at runtime.

(Those might be further reduced, but that warrants further analysis
 and most likely more code shuffling.)

diff --git a/nqptp.c b/nqptp.c
index 88cf9398dff5f8f9354305f5663b38969b051c13..73b0d660e579043d59039d7931c3f1f639a9f442 100644 (file)
--- a/nqptp.c
+++ b/nqptp.c
@@ -131,6 +131,11 @@ void termHandler(__attribute__((unused)) int k) {
 }
 
 int main(int argc, char **argv) {
+#ifdef CONFIG_FOR_OPENBSD
+  if (pledge("stdio rpath tmppath inet dns id", NULL) == -1) {
+    die("pledge: %s", strerror(errno));
+  }
+#endif
 
   int debug_level = 0;
   int i;
@@ -215,6 +220,10 @@ int main(int argc, char **argv) {
       setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) {
     die("cannot drop privileges to %s", shairport_user);
   }
+
+  if (pledge("stdio tmppath inet dns", NULL) == -1) {
+    die("pledge: %s", strerror(errno));
+  }
 #endif
 
   // open the SMI