SDL: Add option to drop privileges with pledge()

Author: bentley

CMakeLists.txt

@@ -31,6 +31,7 @@ if(NOT LIBMGBA_ONLY)
 		set(USE_EDITLINE ON CACHE BOOL "Whether or not to enable the CLI-mode debugger")
 	endif()
 	set(USE_GDB_STUB ON CACHE BOOL "Whether or not to enable the GDB stub ARM debugger")
+	set(USE_PLEDGE OFF CACHE BOOL "Whether or not to drop privileges with pledge")
 	set(USE_FFMPEG ON CACHE BOOL "Whether or not to enable FFmpeg support")
 	set(USE_ZLIB ON CACHE BOOL "Whether or not to enable zlib support")
 	set(USE_MINIZIP ON CACHE BOOL "Whether or not to enable external minizip support")
@@ -473,6 +474,10 @@ find_feature(USE_SQLITE3 "sqlite3")
 find_feature(USE_ELF "libelf")
 find_feature(ENABLE_PYTHON "PythonLibs")
 
+if(USE_PLEDGE)
+	set(USE_EPOXY OFF)
+endif()
+
 if(USE_FFMPEG)
 	set(USE_LIBAVRESAMPLE ON)
 	set(USE_LIBSWRESAMPLE ON)
@@ -504,6 +509,10 @@ if(USE_GDB_STUB)
 endif()
 source_group("Debugger" FILES ${DEBUGGER_SRC})
 
+if(USE_PLEDGE)
+	list(APPEND FEATURES PLEDGE)
+endif()
+
 if(USE_FFMPEG)
 	list(APPEND FEATURES FFMPEG)
 	if(USE_LIBSWRESAMPLE)
@@ -1221,6 +1230,7 @@ if(NOT QUIET AND NOT LIBMGBA_ONLY)
 		message(STATUS "	CLI debugger: ${USE_EDITLINE}")
 	endif()
 	message(STATUS "	GDB stub: ${USE_GDB_STUB}")
+	message(STATUS "	pledge: ${USE_PLEDGE}")
 	message(STATUS "	GIF/Video recording: ${USE_FFMPEG}")
 	message(STATUS "	Screenshot/advanced savestate support: ${USE_PNG}")
 	message(STATUS "	ZIP support: ${SUMMARY_ZIP}")

src/platform/sdl/main.c

@@ -44,6 +44,11 @@ static void mSDLDeinit(struct mSDLRenderer* renderer);
 
 static int mSDLRun(struct mSDLRenderer* renderer, struct mArguments* args);
 
+#ifdef USE_PLEDGE
+static bool mPledgeBroad(struct mArguments* args);
+static bool mPledgeNarrow(struct mArguments* args);
+#endif
+
 static struct VFile* _state = NULL;
 
 static void _loadState(struct mCoreThread* thread) {
@@ -149,6 +154,15 @@ int main(int argc, char** argv) {
 	renderer.player.bindings = &renderer.core->inputMap;
 	mSDLInitBindingsGBA(&renderer.core->inputMap);
 	mSDLInitEvents(&renderer.events);
+
+#ifdef USE_PLEDGE
+	if (!mPledgeBroad(&args)) {
+		freeArguments(&args);
+		fprintf(stderr, "pledge\n");
+		return 1;
+	}
+#endif
+
 	mSDLEventsLoadConfig(&renderer.events, mCoreConfigGetInput(&renderer.core->config));
 	mSDLAttachPlayer(&renderer.events, &renderer.player);
 	mSDLPlayerLoadConfig(&renderer.player, mCoreConfigGetInput(&renderer.core->config));
@@ -264,6 +278,12 @@ int mSDLRun(struct mSDLRenderer* renderer, struct mArguments* args) {
 					state->close(state);
 				}
 			}
+#ifdef USE_PLEDGE
+		if (!mPledgeNarrow(args)) {
+			didFail = true;
+			fprintf(stderr, "pledge\n");
+		}
+#endif
 			renderer->runloop(renderer, &thread);
 			mSDLPauseAudio(&renderer->audio);
 			if (mCoreThreadHasCrashed(&thread)) {
@@ -312,3 +332,43 @@ static void mSDLDeinit(struct mSDLRenderer* renderer) {
 
 	SDL_Quit();
 }
+
+#ifdef USE_PLEDGE
+static bool mPledgeBroad(struct mArguments *args) {
+	if (args->debuggerType == DEBUGGER_CLI) {
+		if (pledge("stdio rpath wpath cpath inet fattr unix dns sendfd prot_exec tty drm audio", NULL) == -1) {
+			return false;
+		}
+#ifdef USE_GDB_STUB
+	} else if (args->debuggerType == DEBUGGER_GDB) {
+		if (pledge("stdio rpath wpath cpath inet fattr unix dns sendfd prot_exec drm audio", NULL) == -1) {
+			return false;
+		}
+#endif
+	} else {
+		if (pledge("stdio rpath wpath cpath inet fattr unix dns sendfd prot_exec drm audio", NULL) == -1) {
+			return false;
+		}
+	}
+	return true;
+}
+
+static bool mPledgeNarrow(struct mArguments *args) {
+	if (args->debuggerType == DEBUGGER_CLI) {
+		if (pledge("stdio rpath wpath cpath fattr sendfd tty prot_exec drm audio", NULL) == -1) {
+			return false;
+		}
+#ifdef USE_GDB_STUB
+	} else if (args->debuggerType == DEBUGGER_GDB) {
+		if (pledge("stdio rpath wpath cpath inet fattr sendfd prot_exec drm audio", NULL) == -1) {
+			return false;
+		}
+#endif
+	} else {
+		if (pledge("stdio rpath wpath cpath fattr sendfd prot_exec drm audio", NULL) == -1) {
+			return false;
+		}
+	}
+	return true;
+}
+#endif