From 444eb76babb50474d8865b81f2a928f8572416c1 Mon Sep 17 00:00:00 2001
From: Alvar Penning <post@0x21.biz>
Date: Mon, 19 Aug 2024 12:52:06 +0200
Subject: [PATCH] openbsd_privdrop.py 0.1.2: add fattr to pledge_promises

Since WeeChat 4.3.0, the return value of chmod is being checked[0]. This
revealed a too strict pledge promise, missing fattr.

As an additional change, the level of documentation was increased,
including a remainder why read permissions on /home are necessary.

[0]: https://github.com/weechat/weechat/commit/2423fdbf2d66d241c809f797f75afd65dff91568#diff-b08b83cf9b86fa0f5c4ca579554a7ba593a892fd143526210844a05701e57058
---
 python/openbsd_privdrop.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/python/openbsd_privdrop.py b/python/openbsd_privdrop.py
index c5f88652..fd6ca2b4 100644
--- a/python/openbsd_privdrop.py
+++ b/python/openbsd_privdrop.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Alvar Penning <post@0x21.biz>
+# Copyright (c) 2022, 2024 Alvar Penning <post@0x21.biz>
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -27,9 +27,17 @@
 #
 # - https://man.openbsd.org/pledge.2
 # - https://man.openbsd.org/unveil.2
+#
+# The config options for the SETTINGS below are:
+# - plugins.var.python.openbsd_privdrop.pledge_promises
+# - plugins.var.python.openbsd_privdrop.pledge_execpromises
+# - plugins.var.python.openbsd_privdrop.unveil
 
 # History:
 #
+# 2024-08-19, Alvar Penning <post@0x21.biz>
+#   version 0.1.2: add fattr to pledge_promises and a bit more documentation
+#
 # 2022-11-09, Alvar Penning <post@0x21.biz>
 #   version 0.1.1: sane defaults for unveil
 #
@@ -45,13 +53,13 @@
 
 SCRIPT_NAME    = "openbsd_privdrop"
 SCRIPT_AUTHOR  = "Alvar Penning <post@0x21.biz>"
-SCRIPT_VERSION = "0.1.1"
+SCRIPT_VERSION = "0.1.2"
 SCRIPT_LICENSE = "ISC"
 SCRIPT_DESC    = "Drop WeeChat's privileges through OpenBSD's pledge(2) and unveil(2)."
 
 SETTINGS = {
         "pledge_promises": (
-            "stdio rpath wpath cpath dpath inet flock unix dns sendfd recvfd tty proc error",
+            "stdio rpath wpath cpath dpath inet fattr flock unix dns sendfd recvfd tty proc error",
             "List of promises for pledge(2).",
             ),
         "pledge_execpromises": (
@@ -64,7 +72,8 @@
                 # This may be tightened, especially if WeeChat is not run as a separate user.
                 "~:rwc",
                 # WeeChat `stat`s /home while building the path to /home/$USER/...
-                # Might be changed if the home directory lies somehwere else.
+                # Might be changed if the home directory lies somewhere else.
+                # This  happens by weechat_mkdir_parents calls, e.g., from logger_create_directory.
                 "/home:r",
                 # Other scripts might load some library or a third-party Python modules later.
                 "/usr/local/lib:r",