From: Stefan Sperling <stsp@stsp.name>
Subject: Re: drop tmppath from got-notify-http
To: Omar Polo <op@omarpolo.com>
Cc: gameoftrees@openbsd.org
Date: Mon, 23 Feb 2026 10:56:10 +0100

On Sun, Feb 22, 2026 at 12:48:48PM +0100, Omar Polo wrote:
> Hello,
> 
> tmppath seems like it is going to go away, so let's follow suit.
> got-notify-http seems to be the only place where we have the tmppath
> pledge, so luckily it's not too complex ;-)
> 
> diff below trades tmppath for wpath+cpath and an unveil(/tmp, rwc), and
> while here it does what nc does too, which is to unveil the ca cert file.
> 
> This is basically removing rpath from / and instead keeping it only for
> /tmp and /etc/ssl/cert.pem.  I don't think we can drop rpath on /tmp
> after we've created the temp file, which is a bit of a bummer, but it's
> better than rpath on /.
> 
> regress passes, and I've manually tested this in the TLS code-path by
> (ab)using nc -c.
> 
> okay?

looks good, ok.

> diff /home/op/w/got
> path + /home/op/w/got
> commit - 9456c7974d487ec39d90e4fd16887cf464d3841e
> blob - 74f54056a42dc99629d4ed9705ac6f149ab935ad
> file + gotd/libexec/got-notify-http/got-notify-http.c
> --- gotd/libexec/got-notify-http/got-notify-http.c
> +++ gotd/libexec/got-notify-http/got-notify-http.c
> @@ -33,6 +33,7 @@
>  #include <string.h>
>  #include <syslog.h>
>  #include <time.h>
> +#include <tls.h>
>  #include <unistd.h>
>  
>  #include <openssl/evp.h>
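Review bot: <tls.h> is included unconditionally while its only user in this diff, tls_default_ca_cert_file() in main(), sits under #ifndef PROFILE; that is harmless since the program already has a TLS code path and links the library, but either guarding the include the same way or accepting the unused include in PROFILE builds should be a conscious choice.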
> @@ -928,7 +929,14 @@ main(int argc, char **argv)
>  	int		 ch, flags, ret, nonstd = 0;
>  
>  #ifndef PROFILE
> -	if (pledge("stdio rpath tmppath dns inet", NULL) == -1)
> +	const char *root_ca;
> +	root_ca = tls_default_ca_cert_file();
> +
> +	if (unveil(root_ca, "r") == -1)
> +		err(1, "unveil %s", root_ca);
> +	if (unveil("/tmp/", "rwc") == -1)
> +		err(1, "unveil /tmp");
> +	if (pledge("stdio rpath wpath cpath dns inet", NULL) == -1)
>  		err(1, "pledge");
>  #endif
>  
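Review bot: the pledge in this hunk has no "unveil" promise, and that absence is what locks the two unveil(2) calls above it in place; the order is right, but a one-line comment would protect it from a later reordering. Two checks on the unveil set: unveil("/tmp/", "rwc") only covers the temp file if it really is created under /tmp (if the temp-file helper honours a TMPDIR-style override, that directory needs the same unveil), and unveil(root_ca, "r") covers only the libtls default bundle, so any future tls_config_set_ca_file() override would need its own unveil. Minor style point: `const char *root_ca;` followed by a separate assignment can be one line, `const char *root_ca = tls_default_ca_cert_file();`.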
> @@ -997,7 +1005,7 @@ main(int argc, char **argv)
>  		fatal("fseeko");
>  
>  #ifndef PROFILE
> -	/* drop tmppath */
> +	/* drop wpath cpath */
>  	if (pledge("stdio rpath dns inet", NULL) == -1)
>  		err(1, "pledge");
>  #endif
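Review bot: the comment says what is dropped but not why rpath survives; the temp file is already open at this point (see the fseeko() just above), so reading it back needs only stdio, and rpath is what lets libtls open the unveiled CA file when the TLS connection is established after this pledge. Suggest `/* drop wpath cpath; rpath stays for the CA file */` so nobody later tries to drop it. The unveil list locked by the first pledge still applies here, so the remaining rpath reaches only /tmp and the CA bundle.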
> 
>
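The three-stage sequence the patch implements (unveil the CA bundle and /tmp, pledge with wpath and cpath, create the temp file, then re-pledge without them) as a stand-alone program. This is an added example, not code from got or from this thread. It assumes OpenBSD for pledge(2), unveil(2) and tls_default_ca_cert_file(); on other systems those three are replaced by no-op stubs so the file handling still runs, but nothing is enforced there. The temp-file name prefix, the sample JSON payload and the /etc/hosts probe are constructed for illustration.

```c
#ifndef __OpenBSD__
#define _DEFAULT_SOURCE		/* glibc: expose mkstemp(3), fdopen(3), fseeko(3) */
#endif

#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
#include <tls.h>		/* tls_default_ca_cert_file(); build with -ltls */
#else
/* Assumption: no pledge/unveil outside OpenBSD; these stubs enforce nothing. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
static int unveil(const char *p, const char *m) { (void)p; (void)m; return 0; }
static const char *tls_default_ca_cert_file(void) { return "/etc/ssl/cert.pem"; }
#endif

/*
 * Stage 1 (first hunk of the patch): narrow the filesystem view to the CA
 * bundle (read) and /tmp (read, write, create), then pledge.  The promise
 * string has no "unveil", so the unveil list is locked from here on.
 */
static int
restrict_fs(void)
{
	const char *root_ca = tls_default_ca_cert_file();

	if (unveil(root_ca, "r") == -1)
		return -1;
	if (unveil("/tmp/", "rwc") == -1)
		return -1;
	return pledge("stdio rpath wpath cpath dns inet", NULL);
}

/*
 * Stage 2: create the request body as an unlinked temp file under /tmp,
 * the only writable directory after stage 1, write it and rewind.
 * Only the open fd is needed afterwards; the name prefix is arbitrary.
 */
static FILE *
open_body(const char *body)
{
	char path[] = "/tmp/notify-example.XXXXXXXXXX";	/* assumed prefix */
	FILE *fp;
	int fd;

	fd = mkstemp(path);
	if (fd == -1)
		return NULL;
	(void)unlink(path);		/* the open fd keeps the file alive */
	fp = fdopen(fd, "w+");
	if (fp == NULL) {
		close(fd);
		return NULL;
	}
	if (fputs(body, fp) == EOF || fflush(fp) == EOF ||
	    fseeko(fp, 0, SEEK_SET) == -1) {
		fclose(fp);
		return NULL;
	}
	return fp;
}

/*
 * Stage 3 (second hunk): drop wpath and cpath.  rpath stays because the
 * open fd needs only stdio, but libtls must still open the CA file.
 */
static int
drop_write(void)
{
	return pledge("stdio rpath dns inet", NULL);
}

/* Read the body back through the already-open fd; returns bytes read. */
static size_t
read_body(FILE *fp, char *buf, size_t len)
{
	size_t n = fread(buf, 1, len - 1, fp);

	buf[n] = '\0';
	return n;
}

/*
 * Probe that the unveil took effect: a path outside the unveiled set must
 * fail with ENOENT.  Returns 1 on OpenBSD after stage 1; with the stubs
 * above it returns 0 because nothing is enforced.
 */
static int
outside_unveil_hidden(void)
{
	int fd = open("/etc/hosts", O_RDONLY);

	if (fd == -1)
		return errno == ENOENT;
	close(fd);
	return 0;
}

int
main(void)
{
	char buf[128];
	FILE *fp;

	if (restrict_fs() == -1)
		err(1, "unveil/pledge");
	/* constructed sample payload, not a real got notification */
	fp = open_body("{\"repo\":\"example.git\",\"ref\":\"refs/heads/main\"}\n");
	if (fp == NULL)
		err(1, "open_body");
	if (drop_write() == -1)
		err(1, "pledge");
	printf("outside /tmp hidden: %d\n", outside_unveil_hidden());
	read_body(fp, buf, sizeof(buf));
	fputs(buf, stdout);
	fclose(fp);
	return 0;
}
```

On OpenBSD the probe prints 1 and any attempt to call unveil() again after restrict_fs() fails with EPERM, which is the property the patch relies on; the body is still readable after drop_write() because the fd was opened while wpath and cpath were held and no path lookup is needed to use it.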