On Thu, Sep 26, 2019 at 05:27:08PM +0200, Solene Rapenne wrote:

> Hi, now that we have OpenBSD::pledge I thought it would be nice to use
> it in devel/cvsweb
> 
> I've been able to tighten it to "rpath proc exec prot_exec"; removing
> wpath and cpath was possible by commenting out the lines redirecting STDERR
> to /dev/null. That doesn't mean creating dev/null is no longer required:
> it's still required for cvsweb to work correctly (due to rlog I think).
> 
> I updated pkg/README because this requires OpenBSD/Pledge.pm and a so
> file to be copied into the chroot too.
> 
> I had some testing on www repository by lot of people and it worked
> perfectly.

Be careful that, now that stderr is no longer redirected, error messages
do not show up on the generated web pages...

        -Otto

> 
> 
> Index: Makefile
> ===================================================================
> RCS file: /data/cvs/ports/devel/cvsweb/Makefile,v
> retrieving revision 1.62
> diff -u -p -r1.62 Makefile
> --- Makefile  12 Jul 2019 20:44:07 -0000      1.62
> +++ Makefile  26 Sep 2019 14:24:53 -0000
> @@ -3,7 +3,7 @@
>  COMMENT=     CGI script to browse CVS repository trees
>  
>  DISTNAME=    cvsweb-2.0.6
> -REVISION=    27
> +REVISION=    28
>  CATEGORIES=  devel www
>  HOMEPAGE=    http://www.freebsd.org/projects/cvsweb.html
>  
> Index: patches/patch-cvsweb_cgi
> ===================================================================
> RCS file: /data/cvs/ports/devel/cvsweb/patches/patch-cvsweb_cgi,v
> retrieving revision 1.13
> diff -u -p -r1.13 patch-cvsweb_cgi
> --- patches/patch-cvsweb_cgi  7 Apr 2013 20:07:24 -0000       1.13
> +++ patches/patch-cvsweb_cgi  26 Sep 2019 15:21:46 -0000
> @@ -1,6 +1,7 @@
>  $OpenBSD: patch-cvsweb_cgi,v 1.13 2013/04/07 20:07:24 naddy Exp $
> ---- cvsweb.cgi.orig  Thu Sep 26 22:56:05 2002
> -+++ cvsweb.cgi       Sun Apr  7 14:15:55 2013
> +Index: cvsweb.cgi
> +--- cvsweb.cgi.orig
> ++++ cvsweb.cgi
>  @@ -1,4 +1,4 @@
>  -#!/usr/bin/perl -wT
>  +#!/usr/bin/perl -w
> @@ -37,7 +38,27 @@ $OpenBSD: patch-cvsweb_cgi,v 1.13 2013/0
>   );
>   
>   @LOGSORTKEYS = qw(cvs date rev);
> -@@ -2014,20 +2009,6 @@ sub doDiff($$$$$$) {
> +@@ -249,7 +244,10 @@ EOM
> + 
> + use Time::Local ();
> + use IPC::Open2 qw(open2);
> ++use OpenBSD::Pledge;
> + 
> ++pledge( qw( rpath proc exec prot_exec ) ) || die "Can't pledge: $!";
> ++
> + # Check if the zlib C library interface is installed, and if yes
> + # we can avoid using the extra gzip process.
> + eval { require Compress::Zlib; };
> +@@ -1578,7 +1576,7 @@ sub openOutputFilter() {
> +     open(STDOUT, "|-") and return;
> + 
> +     # child of child
> +-    open(STDERR, '>/dev/null');
> ++    #open(STDERR, '>/dev/null');
> +     exec($output_filter) or exit -1;
> + }
> + 
> +@@ -2014,20 +2012,6 @@ sub doDiff($$$$$$) {
>       my @difftype       = @{$difftype->{'opts'}};
>       my $human_readable = $difftype->{'colored'};
>   
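Review bot: `prot_exec` appears to be in the promise set only because `pledge` is called before the `eval { require Compress::Zlib; }` that follows it, so a module loaded afterwards still has to map its shared object as executable. If no other runtime `require` comes later in the script (not visible in this hunk), move the call below the module-loading section and try `pledge( qw( rpath proc exec ) ) || die "Can't pledge: $!";`. The call also deserves a comment stating its scope: with `exec` and no execpromises, the promises end at execve, so `$CMD{rlog}` and `$output_filter` run unrestricted and only the Perl process itself is confined.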
> @@ -58,7 +79,24 @@ $OpenBSD: patch-cvsweb_cgi,v 1.13 2013/0
>       if ($human_readable) {
>               if ($hr_ignwhite) {
>                       push @difftype, '-w';
> -@@ -2658,7 +2639,7 @@ sub printLog($;$) {
> +@@ -2128,14 +2112,14 @@ sub getDirLogs($$@) {
> + 
> +             #can't use -r<tag> as - is allowed in tagnames, but 
> misinterpreated by rlog..
> +             if (!open($fh, "-|")) {    # child
> +-                    open(STDERR, '>/dev/null'); # rlog may complain; ignore.
> ++                    #open(STDERR, '>/dev/null'); # rlog may complain; 
> ignore.
> +                     openOutputFilter();
> +                     exec($CMD{rlog}, @files) or exit -1;
> +             }
> +     } else {
> + 
> +             if (!open($fh, "-|")) {    # child
> +-                    open(STDERR, '>/dev/null'); # rlog may complain; ignore.
> ++                    #open(STDERR, '>/dev/null'); # rlog may complain; 
> ignore.
> +                     openOutputFilter();
> +                     exec($CMD{rlog}, '-r', @files) or exit -1;
> +             }
> +@@ -2658,7 +2642,7 @@ sub printLog($;$) {
>       if (/^1\.1\.1\.\d+$/) {
>               print " <i>(vendor branch)</i>";
>       }
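Review bot: The `open(STDERR, '>/dev/null')` calls are left behind as commented-out code, twice here in getDirLogs and once in openOutputFilter in the previous hunk, and the surviving trailing comment "rlog may complain; ignore." now describes something the code no longer does. Either delete the lines or replace each with a why-comment such as `# STDERR is not redirected: the pledge() promises omit wpath/cpath, so '>/dev/null' cannot be opened here`. That way the next person to regenerate this patch does not simply re-enable the line and hit a pledge violation in the child. The body of getDirLogs starts and ends outside the hunk.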
> Index: pkg/README
> ===================================================================
> RCS file: /data/cvs/ports/devel/cvsweb/pkg/README,v
> retrieving revision 1.18
> diff -u -p -r1.18 README
> --- pkg/README        2 May 2019 18:58:38 -0000       1.18
> +++ pkg/README        26 Sep 2019 14:24:47 -0000
> @@ -22,7 +22,7 @@ cd /var/www/usr
>  mkdir -p bin lib libdata/perl5 libexec
>  
>  cd /var/www/usr/libdata/perl5
> -mkdir -p File IPC Time warnings `arch -s`-openbsd/auto/{Cwd,Fcntl} unicore
> +mkdir -p File IPC Time warnings `arch 
> -s`-openbsd/auto/{Cwd,Fcntl,OpenBSD/Pledge} `arch -s`-openbsd/OpenBSD unicore
>  
>  # The "annotate" function requires this empty file:
>  #
> @@ -72,6 +72,8 @@ cp -p /usr/libdata/perl5/`arch -s`-openb
>  cp -p /usr/libdata/perl5/`arch -s`-openbsd/DynaLoader.pm .
>  cp -p /usr/libdata/perl5/`arch -s`-openbsd/Fcntl.pm .
>  cp -p /usr/libdata/perl5/`arch -s`-openbsd/auto/Fcntl/Fcntl.so ./auto/Fcntl/
> +cp -p /usr/libdata/perl5/`arch -s`-openbsd/OpenBSD/Pledge.pm ./OpenBSD/
> +cp -p /usr/libdata/perl5/`arch -s`-openbsd/auto/OpenBSD/Pledge/Pledge.so 
> ./auto/OpenBSD/Pledge/
>  
>  # You also need to enable slowcgi(8):
>  
> 
