Unveil Dillo (new patch)
Hi list, Here is an updated patch which now just does unveil (no pledge). I have tightened up the permissions so that Dillo only has the minimum of filesystem access, just enough so that everything still (hopefully) works. Testers and comments welcome. There probably aren't many OpenBSD users on this list, so I will eventually submit this to the OpenBSD ports list for further review. --- a/src/dillo.cc Thu Jul 25 21:21:14 2024 +++ b/src/dillo.cc Thu Jul 25 21:28:54 2024 @@ -23,6 +23,7 @@ #include <stdio.h> #include <unistd.h> +#include <err.h> #include <stdlib.h> #include <time.h> #include <sys/types.h> 
@@ -396,6 +397,41 @@ int main(int argc, char **argv) srand((uint_t)(time(0) ^ getpid())); + // unveil() + if (unveil("/usr/local/share/fonts", "r") == -1) { + err(1, "unveil failed"); + } + if (unveil("/tmp", "rw") == -1) { + err(1, "unveil failed"); + } + if (unveil("/usr/local/bin/dpid", "x") == -1) { + err(1, "unveil failed"); + } + if (unveil("/etc/fonts", "r") == -1) { + err(1, "unveil failed"); + } + if (unveil("/etc/resolv.conf", "r") == -1) { + err(1, "unveil failed"); + } + if (unveil("/etc/ssl/cert.pem", "r") == -1) { + err(1, "unveil failed"); + } + char *dl_loc = dStrconcat(dGethomedir(), "/Downloads", NULL); + if (unveil(dl_loc, "rw") == -1) { + err(1, "unveil failed"); + } + dFree(dl_loc); + char *dil_loc = dStrconcat(dGethomedir(), "/.dillo", NULL); + if (unveil(dil_loc, "rwc") == -1) { + err(1, "unveil failed"); + } + dFree(dil_loc); + char *xauth_loc = dStrconcat(dGethomedir(), "/.Xauthority", NULL); + if (unveil(xauth_loc, "r") == -1) { + err(1, "unveil failed"); + } + dFree(xauth_loc); + // Some OSes exit dillo without this (not GNU/Linux). signal(SIGPIPE, SIG_IGN); // Establish our custom SIGCHLD handler The only small issue I see so far is that the ~/Downloads directory is now hardcoded, and so the 'save_dir' preference in dillorc will need to match. Also note that in order to be able to use Rodrigo's multiple-actions patch with this, or my external link handler patch, you will also need to add: if (unveil("/bin/sh", "x") == -1) { err(1, "unveil failed"); } But that's not really advisable if you are looking for maximum security. EDIT: I just realized we may need to unveil dpid as well. Since it's a separate process, I don't think it inherits the unveil from dillo.cc. For example, when I use the 'Open file...' dialog, I am unable to see the restricted directories. However, when I load 'file:/home/user' in the browser, the contents still show up. Back to the drawing board! I will try to look at that in the next few days if possible. Regards, Alex
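Review bot: the unveil list is never locked in the main() hunk: after the last unveil(xauth_loc, "r") call there is no final `unveil(NULL, NULL);`, so any later code (or injected code) in the process can still call unveil() to widen filesystem access; add the NULL,NULL call (with the same err() check) right after `dFree(xauth_loc);`, once every path Dillo needs has been added. Two smaller points on the same hunk: the calls are unconditional, so this will not build on non-OpenBSD targets (the comment a few lines down already acknowledges Dillo runs on other OSes); wrapping the block in `#ifdef __OpenBSD__` / `#endif` or a configure-time check keeps the patch mergeable. And every failure prints the identical string "unveil failed", which makes a misconfigured path hard to diagnose; passing the path through, e.g. `err(1, "unveil %s", "/etc/fonts");` (or a small helper that takes path and permissions), costs nothing and tells the user which entry broke. The hardcoded ~/Downloads noted in the message will need to track the save_dir preference once the prefs are available at this point in main().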