From: "Omar Polo" <op@omarpolo.com>
Subject: drop tmppath from got-notify-http
To: gameoftrees@openbsd.org
Date: Sun, 22 Feb 2026 12:48:48 +0100

Hello,

tmppath seems that is going to go away, so let's follow suit.
got-notify-http seems to be the only place where we have the tmppath
pledge, so luckily it's not too complex ;-)

diff belows trades tmppath for wpath+cpath and a unveil(/tmp, rwc), and
while here it does what nc does too, which is to unveil the ca cert file.

This is basically removing rpath from / and instead keeping it only for
/tmp and /etc/ssl/cert.pem.  I don't think we can drop rpath on /tmp
after we've created the temp file, which is a bit of a bummer, but it's
better than rpath on /.

regress passes, and i've manually tested this in the TLS code-path by
(ab)using nc -c.

okay?

diff /home/op/w/got
path + /home/op/w/got
commit - 9456c7974d487ec39d90e4fd16887cf464d3841e
blob - 74f54056a42dc99629d4ed9705ac6f149ab935ad
file + gotd/libexec/got-notify-http/got-notify-http.c
--- gotd/libexec/got-notify-http/got-notify-http.c
+++ gotd/libexec/got-notify-http/got-notify-http.c
@@ -33,6 +33,7 @@
 #include <string.h>
 #include <syslog.h>
 #include <time.h>
+#include <tls.h>
 #include <unistd.h>
 
 #include <openssl/evp.h>
@@ -928,7 +929,14 @@ main(int argc, char **argv)
 	int		 ch, flags, ret, nonstd = 0;
 
 #ifndef PROFILE
-	if (pledge("stdio rpath tmppath dns inet", NULL) == -1)
+	const char *root_ca;
+	root_ca = tls_default_ca_cert_file();
+
+	if (unveil(root_ca, "r") == -1)
+		err(1, "unveil %s", root_ca);
+	if (unveil("/tmp/", "rwc") == -1)
+		err(1, "unveil /tmp");
+	if (pledge("stdio rpath wpath cpath dns inet", NULL) == -1)
 		err(1, "pledge");
 #endif
 
@@ -997,7 +1005,7 @@ main(int argc, char **argv)
 		fatal("fseeko");
 
 #ifndef PROFILE
-	/* drop tmppath */
+	/* drop wpath cpath */
 	if (pledge("stdio rpath dns inet", NULL) == -1)
 		err(1, "pledge");
 #endif