From b69a15ac21e565ffd805d0d8c8c05fd130c33766 Mon Sep 17 00:00:00 2001
From: Thomas Habets <habets@google.com>
Date: Wed, 31 Jul 2019 23:10:57 +0100
Subject: Use unveil(2) and pledge(2) to drop more privileges, where available

Only available on OpenBSD as far as I know.

pledge(2):
Strangely there doesn't seem to be a way to use many of the ioctls
needed during setup, so pledge(2) only protects the main loop.

unveil(2):
Strangely there doesn't seem to be a way of just dropping all fs
access. Instead I restricted to only reading what is probably a
nonexistent file.
---
 configure.ac | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'configure.ac')

diff --git a/configure.ac b/configure.ac
index 253b46d..0ba11d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -74,7 +74,8 @@ AC_FUNC_SELECT_ARGTYPES
 AC_FUNC_SETVBUF_REVERSED
 AC_TYPE_SIGNAL
 AC_CHECK_FUNCS([gettimeofday memset select strchr strdup strerror strstr \
-getifaddrs cap_init pcap_create pcap_list_tstamp_types pcap_set_immediate_mode])
+getifaddrs cap_init pcap_create pcap_list_tstamp_types pcap_set_immediate_mode \
+pledge unveil])
 
 if test x$ac_cv_func_getifaddrs = xyes; then
     AC_LIBOBJ([findif_getifaddrs])
-- 
cgit v1.2.1