From: Stefan Sperling
Subject: Re: drop tmppath from got-notify-http
To: Omar Polo
Cc: gameoftrees@openbsd.org
Date: Mon, 23 Feb 2026 10:56:10 +0100

On Sun, Feb 22, 2026 at 12:48:48PM +0100, Omar Polo wrote:
> Hello,
>
> tmppath seems to be going away, so let's follow suit.
> got-notify-http seems to be the only place where we have the tmppath
> pledge, so luckily it's not too complex ;-)
>
> diff below trades tmppath for wpath+cpath and a unveil(/tmp, rwc), and
> while here it does what nc does too, which is to unveil the ca cert file.
>
> This is basically removing rpath from / and instead keeping it only for
> /tmp and /etc/ssl/cert.pem. I don't think we can drop rpath on /tmp
> after we've created the temp file, which is a bit of a bummer, but it's
> better than rpath on /.
>
> regress passes, and I've manually tested this in the TLS code-path by
> (ab)using nc -c.
>
> okay?

looks good, ok.

> diff /home/op/w/got
> path + /home/op/w/got
> commit - 9456c7974d487ec39d90e4fd16887cf464d3841e
> blob - 74f54056a42dc99629d4ed9705ac6f149ab935ad
> file + gotd/libexec/got-notify-http/got-notify-http.c
> --- gotd/libexec/got-notify-http/got-notify-http.c
> +++ gotd/libexec/got-notify-http/got-notify-http.c
> @@ -33,6 +33,7 @@
> #include
> #include
> #include
> +#include
> #include
>
> #include
> @@ -928,7 +929,14 @@ main(int argc, char **argv)
> int ch, flags, ret, nonstd = 0;
>
> #ifndef PROFILE
> - if (pledge("stdio rpath tmppath dns inet", NULL) == -1)
> + const char *root_ca;
> + root_ca = tls_default_ca_cert_file();
> +
> + if (unveil(root_ca, "r") == -1)
> + err(1, "unveil %s", root_ca);
> + if (unveil("/tmp/", "rwc") == -1)
> + err(1, "unveil /tmp");
> + if (pledge("stdio rpath wpath cpath dns inet", NULL) == -1)
> err(1, "pledge");
> #endif
>
> @@ -997,7 +1005,7 @@ main(int argc, char **argv)
> fatal("fseeko");
>
> #ifndef PROFILE
> - /* drop tmppath */
> + /* drop wpath cpath */
> if (pledge("stdio rpath dns inet", NULL) == -1)
> err(1, "pledge");
> #endif
>
>
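Review bot: in the hunk at `@@ -928,7 +929,14 @@`, the unveil set is never locked explicitly with `unveil(NULL, NULL)`; the lock comes implicitly from the `pledge("stdio rpath wpath cpath dns inet", NULL)` call that follows, which omits the "unveil" promise and so prevents any further unveil(2) calls. That is correct as written, but a one-line comment above the pledge call (e.g. `/* pledge without "unveil" locks the unveil set */`) would save the next reader from looking for the usual `unveil(NULL, NULL)` and wondering whether the view is still open.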
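Review bot: in the hunk at `@@ -997,7 +1005,7 @@`, the updated comment `/* drop wpath cpath */` says what is dropped but not why `rpath` stays, and the cover message is the only place that explains it (the temp file under /tmp still has to be read after this point). Suggest carrying that reason into the code, e.g. `/* drop wpath cpath; rpath stays to read the temp file under /tmp */`, so the remaining promise is not mistaken for an oversight in a later cleanup pass.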