On Mon, Jul 25, 2022 at 09:05:02PM +0200, Omar Polo wrote:
> i thought it may made sense to pledge early here.
> 
> "rpath wpath cpath" cannot be dropped as we don't know in advance if the
> patch will require us to create a new file, and we need to create some
> temp. files anyway even in nop mode.  in theory maybe we could spawn the
> helpers early and drop "proc exec", but i'm still unsure if it's
> feasible.  ('got patch' requires at least got-read-blob, plus the access
> to the fileindex.  in the future if we add a -c flag to specify a commit
> at which apply the diff it'll require more libexecs)

Yes, fine.

Most commands call pledge after parsing options, but some already do it
before calling getopt() (e.g. cmd_diff). The earlier, the better I guess.

> diff /home/op/w/got
> commit - 595228385f8c74590756ff446d5b84aad0ebfda7
> path + /home/op/w/got
> blob - df883fd1dcb28651677ef268c491f878e506e7fe
> file + got/got.c
> --- got/got.c
> +++ got/got.c
> @@ -7948,6 +7948,12 @@ cmd_patch(int argc, char *argv[])
>  	int patchfd;
>  	int *pack_fds = NULL;
>  
> +#ifndef PROFILE
> +	if (pledge("stdio rpath wpath cpath fattr proc exec sendfd flock "
> +	    "unveil", NULL) == -1)
> +		err(1, "pledge");
> +#endif
> +
>  	while ((ch = getopt(argc, argv, "np:R")) != -1) {
>  		switch (ch) {
>  		case 'n':
> @@ -8015,12 +8021,6 @@ cmd_patch(int argc, char *argv[])
>  	if (error != NULL)
>  		goto done;
>  
> -#ifndef PROFILE
> -	if (pledge("stdio rpath wpath cpath fattr proc exec sendfd flock",
> -	    NULL) == -1)
> -		err(1, "pledge");
> -#endif
> -
>  	error = got_patch(patchfd, worktree, repo, nop, strip, reverse,
>  	    &patch_progress, NULL, check_cancelled, NULL);
>  
> 
>