From 5a16728b228291b10559c2ea78640079d91b6c4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Marie?=
Date: Fri, 26 Nov 2021 11:27:24 +0000
Subject: [PATCH] use unveil to restrict which programs could be executed
---
 sysclean.pl | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/sysclean.pl b/sysclean.pl
index bdf149b..52bf0d6 100755
--- a/sysclean.pl
+++ b/sysclean.pl
@@ -132,7 +132,12 @@ sub init
 my ($self) = @_;
 use OpenBSD::Pledge;
+ use OpenBSD::Unveil;
+ unveil('/', 'r');
+ unveil('/usr/bin/locate', 'x');
+ unveil('/usr/sbin/rcctl', 'x');
+ pledge('rpath proc exec') || $self->err(1, "pledge");
 $self->add_expected_base;
 $self->add_expected_rcctl;
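Review bot: The three `unveil()` calls in `init` discard their return value, while the `pledge()` call right after them is checked with `|| $self->err(1, "pledge")`. OpenBSD::Unveil returns false and sets `$!` on failure, so a failed call would leave the path and exec allow-list different from what the code states, and nothing would be reported at the point of failure. Check each call the same way, e.g. `unveil('/usr/bin/locate', 'x') || $self->err(1, "unveil");`. A short comment such as `# exec allow-list: only locate(1) and rcctl(8); everything else is read-only` above the block would also record why these two paths get `x`. The body of `init` continues past the end of the hunk, so later code that depends on other paths is not visible here.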