"GOT", but the "O" is a cute, smiling pufferfish. Index | Thread | Search

From: Sebastien Marie <semarie@online.fr>
Subject: Re: "got fetch" fails on PROFILE=1 build
To: gameoftrees@openbsd.org
Date: Mon, 11 Apr 2022 17:47:17 +0200

On Mon, Apr 11, 2022 at 06:01:16PM +0300, Mikhail wrote:
> If got is compiled with PROFILE=1, "got fetch" and "got clone" don't
> work with git:// repositories, it fails with this error:
> 
> Connecting to "origin" git.gameoftrees.org
> got: git.gameoftrees.org: no address associated with name
> 
> After applying inlined patch it starts to work fine. Not sure if
> "/etc/resolv.conf" should have gone in its own #define, because the path
> is pretty standard.

just a general remark about pledge(2) and unveil(2).

both are linked: with PROFILE=1, pledge(2) isn't used (in order to be able to do
profil(2)), but it introduces subtle changes: a pledged process has some paths
whitelisted regarding unveil(2) (like /etc/resolv.conf in this example).

so I think that under PROFILE=1, some paths should be unveiled automatically.

for recall, paths with special treatment when pledged:

- /tmp (with "tmppath", for creating/unlinking files)
- /etc/localtime
- /var/run/ypbind.lock (for "getpw", yp configuration)
- /var/yp/binding
- /dev/null
- /dev/tty
- /etc/{pwd.db,group,netid}
- /etc/{resolv.conf,hosts,services,protocols}
- /usr/share/zoneinfo

Thanks.
-- 
Sebastien Marie
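
The suggestion in the mail above, as an added example that is not part of the original message or of got's code: a build that skips pledge(2) unveils the listed paths itself. The permission strings, the function names and the fake_unveil stand-in are assumptions, and the whole list is unveiled regardless of which promises the program would have pledged.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef int (*unveil_fn)(const char *, const char *);
/* Paths: the list from the mail. Permission strings: assumptions. */
static const struct { const char *path, *perms; } exempt[] = {
	{ "/tmp", "rwc" }, { "/etc/localtime", "r" }, { "/var/run/ypbind.lock", "r" },
	{ "/var/yp/binding", "r" }, { "/dev/null", "rw" }, { "/dev/tty", "rw" },
	{ "/etc/pwd.db", "r" }, { "/etc/group", "r" }, { "/etc/netid", "r" },
	{ "/etc/resolv.conf", "r" }, { "/etc/hosts", "r" }, { "/etc/services", "r" },
	{ "/etc/protocols", "r" }, { "/usr/share/zoneinfo", "r" },
};

/* Unveil each path through fn (unveil(2) on OpenBSD). ENOENT is counted in
 * *skipped, any other error is fatal: returns -1 with errno set. */
int unveil_pledge_exempt(unveil_fn fn, int *skipped)
{
	int n = 0;
	*skipped = 0;
	for (size_t i = 0; i < sizeof(exempt) / sizeof(exempt[0]); i++) {
		if (fn(exempt[i].path, exempt[i].perms) == 0)
			n++;
		else if (errno == ENOENT)
			(*skipped)++;	/* a directory in the path is missing */
		else
			return -1;
	}
	return n;
}

/* Constructed stand-in for unveil(2) so the logic also runs off OpenBSD. */
static const char *fake_fail_path = "/var/yp/binding";
static int fake_fail_errno = ENOENT;
int fake_unveil(const char *path, const char *perms)
{
	(void)perms;
	if (fake_fail_path == NULL || strcmp(path, fake_fail_path) != 0)
		return 0;
	errno = fake_fail_errno;
	return -1;
}

int main(void)
{
	int skipped, n = unveil_pledge_exempt(fake_unveil, &skipped);
	printf("unveiled %d, skipped %d\n", n, skipped);
	return n == -1;
}
```

On OpenBSD, include <unistd.h> and pass unveil itself in place of fake_unveil, before the program's own unveil(2) calls are locked.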