all repos — honk @ 7fa5f1c2e9e2e5b112af5e9f2dedffade7551e15

my fork of honk 

use separate backend hooks with tighter pledge
Ted Unangst tedu@tedunangst.com
Wed, 27 Nov 2019 15:58:41 -0500
commit

7fa5f1c2e9e2e5b112af5e9f2dedffade7551e15

parent

9404eb134ab3290c50f2898202d78b5ab2e0bc38

2 files changed, 6 insertions(+), 1 deletions(-)

jump to
M backend.gobackend.go 
@@ -73,6 +73,8 @@ }
 	return res.Image, nil
 }
 
+var backendhooks []func()
+
 func backendServer() {
 	log.Printf("backend server running")
 	shrinker := new(Shrinker)

@@ -92,7 +94,7 @@ lis, err := net.Listen("unix", sockname)
 	if err != nil {
 		log.Panicf("unable to register shrinker: %s", err)
 	}
-	for _, h := range preservehooks {
+	for _, h := range backendhooks {
 		h()
 	}
 	srv.Accept(lis)
M unveil.gounveil.go 
@@ -62,4 +62,7 @@ Unveil(dataDir, "rwc")
 		C.unveil(nil, nil)
 		Pledge("stdio rpath wpath cpath flock dns inet unix")
 	})
+	backendhooks = append(backendhooks, func() {
+		Pledge("stdio unix")
+	})
 }