From 85baac6fce7b883c5c0a2b6f61b8a39fd4abe9c3 Mon Sep 17 00:00:00 2001
From: "Anthony J. Bentley" <anthony@roadrunner.page>
Date: Sat, 23 May 2020 04:59:44 -0600
Subject: [PATCH 1/5] SDL: Add option to drop privileges with pledge()

---
 CMakeLists.txt          | 10 +++++++
 src/platform/sdl/main.c | 60 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 1cabb08873a..8d4db701ae1 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,6 +34,7 @@ if(NOT LIBMGBA_ONLY)
 		set(USE_EDITLINE ON CACHE BOOL "Whether or not to enable the CLI-mode debugger")
 	endif()
 	set(USE_GDB_STUB ON CACHE BOOL "Whether or not to enable the GDB stub ARM debugger")
+	set(USE_PLEDGE OFF CACHE BOOL "Whether or not to drop privileges with pledge")
 	set(USE_FFMPEG ON CACHE BOOL "Whether or not to enable FFmpeg support")
 	set(USE_ZLIB ON CACHE BOOL "Whether or not to enable zlib support")
 	set(USE_MINIZIP ON CACHE BOOL "Whether or not to enable external minizip support")
@@ -489,6 +490,10 @@ find_feature(USE_SQLITE3 "sqlite3")
 find_feature(USE_ELF "libelf")
 find_feature(ENABLE_PYTHON "PythonLibs")
 
+if(USE_PLEDGE)
+	set(USE_EPOXY OFF)
+endif()
+
 if(USE_FFMPEG AND NOT DEFINED VCPKG_TARGET_TRIPLET)
 	set(USE_LIBAVRESAMPLE ON)
 	set(USE_LIBSWRESAMPLE ON)
@@ -520,6 +525,10 @@ if(USE_GDB_STUB)
 endif()
 source_group("Debugger" FILES ${DEBUGGER_SRC})
 
+if(USE_PLEDGE)
+	list(APPEND FEATURES PLEDGE)
+endif()
+
 if(USE_FFMPEG)
 	list(APPEND FEATURES FFMPEG)
 	if(USE_LIBSWRESAMPLE)
@@ -1199,6 +1208,7 @@ if(NOT QUIET AND NOT LIBMGBA_ONLY)
 		message(STATUS "	CLI debugger: ${USE_EDITLINE}")
 	endif()
 	message(STATUS "	GDB stub: ${USE_GDB_STUB}")
+	message(STATUS "	pledge: ${USE_PLEDGE}")
 	message(STATUS "	GIF/Video recording: ${USE_FFMPEG}")
 	message(STATUS "	Screenshot/advanced savestate support: ${USE_PNG}")
 	message(STATUS "	ZIP support: ${SUMMARY_ZIP}")
diff --git a/src/platform/sdl/main.c b/src/platform/sdl/main.c
index deda425069a..65cf790a80d 100644
--- a/src/platform/sdl/main.c
+++ b/src/platform/sdl/main.c
@@ -44,6 +44,11 @@ static void mSDLDeinit(struct mSDLRenderer* renderer);
 
 static int mSDLRun(struct mSDLRenderer* renderer, struct mArguments* args);
 
+#ifdef USE_PLEDGE
+static bool mPledgeBroad(struct mArguments* args);
+static bool mPledgeNarrow(struct mArguments* args);
+#endif
+
 static struct VFile* _state = NULL;
 
 static void _loadState(struct mCoreThread* thread) {
@@ -149,6 +154,15 @@ int main(int argc, char** argv) {
 	renderer.player.bindings = &renderer.core->inputMap;
 	mSDLInitBindingsGBA(&renderer.core->inputMap);
 	mSDLInitEvents(&renderer.events);
+
+#ifdef USE_PLEDGE
+	if (!mPledgeBroad(&args)) {
+		freeArguments(&args);
+		fprintf(stderr, "pledge\n");
+		return 1;
+	}
+#endif
+
 	mSDLEventsLoadConfig(&renderer.events, mCoreConfigGetInput(&renderer.core->config));
 	mSDLAttachPlayer(&renderer.events, &renderer.player);
 	mSDLPlayerLoadConfig(&renderer.player, mCoreConfigGetInput(&renderer.core->config));
@@ -264,6 +278,12 @@ int mSDLRun(struct mSDLRenderer* renderer, struct mArguments* args) {
 					state->close(state);
 				}
 			}
+#ifdef USE_PLEDGE
+		if (!mPledgeNarrow(args)) {
+			didFail = true;
+			fprintf(stderr, "pledge\n");
+		}
+#endif
 			renderer->runloop(renderer, &thread);
 			mSDLPauseAudio(&renderer->audio);
 			if (mCoreThreadHasCrashed(&thread)) {
@@ -312,3 +332,43 @@ static void mSDLDeinit(struct mSDLRenderer* renderer) {
 
 	SDL_Quit();
 }
+
+#ifdef USE_PLEDGE
+static bool mPledgeBroad(struct mArguments *args) {
+	if (args->debuggerType == DEBUGGER_CLI) {
+		if (pledge("stdio rpath wpath cpath inet fattr unix dns sendfd prot_exec tty drm audio", NULL) == -1) {
+			return false;
+		}
+#ifdef USE_GDB_STUB
+	} else if (args->debuggerType == DEBUGGER_GDB) {
+		if (pledge("stdio rpath wpath cpath inet fattr unix dns sendfd prot_exec drm audio", NULL) == -1) {
+			return false;
+		}
+#endif
+	} else {
+		if (pledge("stdio rpath wpath cpath inet fattr unix dns sendfd prot_exec drm audio", NULL) == -1) {
+			return false;
+		}
+	}
+	return true;
+}
+
+static bool mPledgeNarrow(struct mArguments *args) {
+	if (args->debuggerType == DEBUGGER_CLI) {
+		if (pledge("stdio rpath wpath cpath fattr sendfd tty prot_exec drm audio", NULL) == -1) {
+			return false;
+		}
+#ifdef USE_GDB_STUB
+	} else if (args->debuggerType == DEBUGGER_GDB) {
+		if (pledge("stdio rpath wpath cpath inet fattr sendfd prot_exec drm audio", NULL) == -1) {
+			return false;
+		}
+#endif
+	} else {
+		if (pledge("stdio rpath wpath cpath fattr sendfd prot_exec drm audio", NULL) == -1) {
+			return false;
+		}
+	}
+	return true;
+}
+#endif

From c2ef2a6ae9498694ae33506f2effc2aebc054ab1 Mon Sep 17 00:00:00 2001
From: "Anthony J. Bentley" <anthony@roadrunner.page>
Date: Sat, 23 May 2020 05:24:10 -0600
Subject: [PATCH 2/5] CMake: Hide pledge() support behind an OpenBSD check

---
 CMakeLists.txt | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8d4db701ae1..139551d7d76 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,7 +34,9 @@ if(NOT LIBMGBA_ONLY)
 		set(USE_EDITLINE ON CACHE BOOL "Whether or not to enable the CLI-mode debugger")
 	endif()
 	set(USE_GDB_STUB ON CACHE BOOL "Whether or not to enable the GDB stub ARM debugger")
-	set(USE_PLEDGE OFF CACHE BOOL "Whether or not to drop privileges with pledge")
+	if (CMAKE_SYSTEM_NAME STREQUAL OpenBSD)
+		set(USE_PLEDGE ON CACHE BOOL "Whether or not to drop privileges with pledge")
+	endif()
 	set(USE_FFMPEG ON CACHE BOOL "Whether or not to enable FFmpeg support")
 	set(USE_ZLIB ON CACHE BOOL "Whether or not to enable zlib support")
 	set(USE_MINIZIP ON CACHE BOOL "Whether or not to enable external minizip support")
@@ -1208,7 +1210,9 @@ if(NOT QUIET AND NOT LIBMGBA_ONLY)
 		message(STATUS "	CLI debugger: ${USE_EDITLINE}")
 	endif()
 	message(STATUS "	GDB stub: ${USE_GDB_STUB}")
-	message(STATUS "	pledge: ${USE_PLEDGE}")
+	if(CMAKE_SYSTEM_NAME STREQUAL OpenBSD)
+		message(STATUS "	pledge: ${USE_PLEDGE}")
+	endif()
 	message(STATUS "	GIF/Video recording: ${USE_FFMPEG}")
 	message(STATUS "	Screenshot/advanced savestate support: ${USE_PNG}")
 	message(STATUS "	ZIP support: ${SUMMARY_ZIP}")

From 7f7ea7c033e6a2897ebacf39ad29b5f7d0d9a698 Mon Sep 17 00:00:00 2001
From: "Anthony J. Bentley" <anthony@roadrunner.page>
Date: Fri, 10 Jul 2020 00:56:41 -0600
Subject: [PATCH 3/5] CMake: Rearrange epoxy disable

---
 CMakeLists.txt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 139551d7d76..d81546ea233 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -468,6 +468,10 @@ if(DISABLE_DEPS)
 	set(USE_ZLIB OFF)
 endif()
 
+if(USE_PLEDGE)
+	set(USE_EPOXY OFF)
+endif()
+
 set(WANT_ZLIB ${USE_ZLIB})
 set(WANT_PNG ${USE_PNG})
 set(WANT_SQLITE3 ${USE_SQLITE3})

From 0387a8e783daf58871c198a57470f6877d750e17 Mon Sep 17 00:00:00 2001
From: "Anthony J. Bentley" <anthony@roadrunner.page>
Date: Fri, 10 Jul 2020 00:57:13 -0600
Subject: [PATCH 4/5] CMake: Don't print pledge configuration in status output

---
 CMakeLists.txt | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index d81546ea233..f6fdeb105e2 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1214,9 +1214,6 @@ if(NOT QUIET AND NOT LIBMGBA_ONLY)
 		message(STATUS "	CLI debugger: ${USE_EDITLINE}")
 	endif()
 	message(STATUS "	GDB stub: ${USE_GDB_STUB}")
-	if(CMAKE_SYSTEM_NAME STREQUAL OpenBSD)
-		message(STATUS "	pledge: ${USE_PLEDGE}")
-	endif()
 	message(STATUS "	GIF/Video recording: ${USE_FFMPEG}")
 	message(STATUS "	Screenshot/advanced savestate support: ${USE_PNG}")
 	message(STATUS "	ZIP support: ${SUMMARY_ZIP}")

From 585d55a14d32baa683d8b9131cc25fcc7d074abd Mon Sep 17 00:00:00 2001
From: "Anthony J. Bentley" <anthony@roadrunner.page>
Date: Fri, 10 Jul 2020 01:22:21 -0600
Subject: [PATCH 5/5] SDL: Revamp pledge() error handling

---
 src/platform/sdl/main.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/platform/sdl/main.c b/src/platform/sdl/main.c
index 65cf790a80d..55a62ac89b1 100644
--- a/src/platform/sdl/main.c
+++ b/src/platform/sdl/main.c
@@ -158,7 +158,12 @@ int main(int argc, char** argv) {
 #ifdef USE_PLEDGE
 	if (!mPledgeBroad(&args)) {
 		freeArguments(&args);
-		fprintf(stderr, "pledge\n");
+		mCoreConfigDeinit(&renderer.core->config);
+		mInputMapDeinit(&renderer.core->inputMap);
+		renderer.core->deinit(renderer.core);
+		mSDLDeinitEvents(&renderer.events);
+		mSDLDeinit(&renderer);
+		fputs("Broad pledge() failed\n", stderr);
 		return 1;
 	}
 #endif
@@ -279,10 +284,10 @@ int mSDLRun(struct mSDLRenderer* renderer, struct mArguments* args) {
 				}
 			}
 #ifdef USE_PLEDGE
-		if (!mPledgeNarrow(args)) {
-			didFail = true;
-			fprintf(stderr, "pledge\n");
-		}
+			if (!mPledgeNarrow(args)) {
+				didFail = true;
+				fputs("Narrow pledge() failed\n", stderr);
+			}
 #endif
 			renderer->runloop(renderer, &thread);
 			mSDLPauseAudio(&renderer->audio);