xz: Initialize the pledge(2) sandbox at the very beginning of main().

It feels better that the initializations are sandboxed too.
They don't do anything that the pledge() call wouldn't allow.
This commit is contained in:
Lasse Collin 2022-11-08 13:43:19 +02:00
parent 49a59f6ca0
commit 026a5897c7
1 changed files with 14 additions and 13 deletions

View File

@ -142,6 +142,20 @@ read_name(const args_info *args)
int
main(int argc, char **argv)
{
#ifdef HAVE_PLEDGE
// OpenBSD's pledge(2) sandbox
//
// Unconditionally enable sandboxing with fairly relaxed promises.
// This is still way better than having no sandbox at all. :-)
// More strict promises will be made later in file_io.c if possible.
if (pledge("stdio rpath wpath cpath fattr", "")) {
// Don't translate the string or use message_fatal() as
// those haven't been initialized yet.
fprintf(stderr, "%s: Failed to enable the sandbox\n", argv[0]);
return E_ERROR;
}
#endif
#if defined(_WIN32) && !defined(__CYGWIN__)
InitializeCriticalSection(&exit_status_cs);
#endif
@ -163,19 +177,6 @@ main(int argc, char **argv)
// on the command line, thus this must be done before args_parse().
hardware_init();
#ifdef HAVE_PLEDGE
// OpenBSD's pledge() sandbox
//
// Unconditionally enable sandboxing with fairly relaxed promises.
// This is still way better than having no sandbox at all. :-)
// More strict promises will be made later in file_io.c if possible.
//
// This is done only after the above initializations
// as the error message needs locale support.
if (pledge("stdio rpath wpath cpath fattr", ""))
message_fatal(_("Failed to enable the sandbox"));
#endif
// Parse the command line arguments and get an array of filenames.
// This doesn't return if something is wrong with the command line
// arguments. If there are no arguments, one filename ("-") is still