From b24c6fcc1c81fa2a6b71048a9d2fc532402448b7 Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Sun, 27 Nov 2022 10:04:39 +0000
Subject: [PATCH] adjust pledge/unveil on OpenBSD

to connect to unix-domain sockets the `unix' pledge is needed and also
unveil "w".  gmid can't mutate files because it doesn't pledge `wpath'
nor `cpath'.
---
 sandbox.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sandbox.c b/sandbox.c
index f1ca7cb..076ce3c 100644
--- a/sandbox.c
+++ b/sandbox.c
@@ -611,14 +611,14 @@ sandbox_server_process(int can_open_sockets)
 			if (*l->dir == '\0')
 				continue;
 
-			if (unveil(l->dir, "r") == -1)
+			if (unveil(l->dir, "rw") == -1)
 				fatal("unveil %s for domain %s",
 				    l->dir,
 				    h->domain);
 		}
 	}
 
-	if (pledge("stdio recvfd rpath inet dns", NULL) == -1)
+	if (pledge("stdio recvfd rpath unix inet dns", NULL) == -1)
 		fatal("pledge");
 }