add unveil(2) to ctfconv(1)

Once we know what the input file is, usually /bsd.gdb, we can unveil it in read
mode. If we also define as argument an output file we can additionally unveil
that one with write/create permissions.

We don't need to care about calling unveil(NULL, NULL) since we can call
pledge(2) and reduce the permissions down the road depending on the code path.

"reads OK" jasper@, "put it in if works" mpi@
prodded by deraadt@

1 files changed, 13 insertions, 4 deletions

diff --git a/usr.bin/ctfconv/ctfconv.c b/usr.bin/ctfconv/ctfconv.c
index a7f65090a8c..8337cd8a2fe 100644
--- a/usr.bin/ctfconv/ctfconv.c
+++ b/usr.bin/ctfconv/ctfconv.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ctfconv.c,v 1.16 2017/11/06 14:59:27 mpi Exp $ */
+/*	$OpenBSD: ctfconv.c,v 1.17 2018/08/08 20:15:17 mestre Exp $ */
 
 /*
  * Copyright (c) 2016-2017 Martin Pieuchot
@@ -92,9 +92,6 @@ main(int argc, char *argv[])
 
 	setlocale(LC_ALL, "");
 
-	if (pledge("stdio rpath wpath cpath", NULL) == -1)
-		err(1, "pledge");
-
 	while ((ch = getopt(argc, argv, "dl:o:")) != -1) {
 		switch (ch) {
 		case 'd':
@@ -127,6 +124,18 @@ main(int argc, char *argv[])
 		usage();
 
 	filename = *argv;
+
+	if (unveil(filename, "r") == -1)
+		err(1, "unveil");
+
+	if (outfile != NULL) {
+		if (unveil(outfile, "wc") == -1)
+			err(1, "unveil");
+	}
+
+	if (pledge("stdio rpath wpath cpath", NULL) == -1)
+		err(1, "pledge");
+
 	error = convert(filename);
 	if (error != 0)
 		return error;