From ea81780895702b08b0b93ff48bd1876330632b89 Mon Sep 17 00:00:00 2001
From: Alvar Penning
Date: Thu, 5 Feb 2026 20:58:25 +0100
Subject: strip_exif support for the OpenBSD sandbox

Change the strip_exif logic to work with the already existing OpenBSD
sandbox and allow ffmpeg and mogrify to be executed.

The previous strip_exif implementation relied on system(3), effectively
starting "/bin/sh" and executing the required tool within a shell
session. Making this work in the sandbox would require to allow
executing "/bin/sh", rendering the sandbox useless.

Thus, the code now starts determining the absolute path of the tools -
unless they are given as ffmpeg_path or mogrify_path - and allowing them
to be executed via unveil(2). Then, instead of the system(3) call, the
good old fork(2) and execve(2) dance is performed.

The sbox_enter code was made aware of strip_exif, which resulted in a
pledge(2) violation before when disable_email_notifications was set to
false. Furthermore, the detected paths of the tools are now allowed.
---
 snac.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'snac.h')

diff --git a/snac.h b/snac.h
index dfc12cb..dfed18a 100644
--- a/snac.h
+++ b/snac.h
@@ -107,6 +107,7 @@ int validate_uid(const char *uid);
 xs_str *hash_password(const char *uid, const char *passwd, const char *nonce);
 int check_password(const char *uid, const char *passwd, const char *hash);
 
+char* findprog(const char *prog);
 int strip_media(const char *fn);
 int check_strip_tool(void);
 
-- 
cgit v1.2.3