From: "Anthony J. Bentley"
Subject: pledge(2) in fc-cache(1)
To: tech@openbsd.org
Date: Fri, 23 May 2025 03:00:37 -0600

When pkg_add installs a font, it regenerates the fontconfig cache, /var/cache/fontconfig, by running fc-cache(1) as root. pledge(2) would be a useful addition to this procedure.

We have to be careful to call pledge after the optional -c chroot. Other than that, I didn't find any operations not allowed by the new promises.

Since pkg_add runs fc-cache as root, even with this patch a fc-cache exploit could theoretically allow a malicious font to trigger writes anywhere. I believe we should create a new base system user _fontconfig who owns /var/cache/fontconfig/, and have pkg_add drop to it when running fc-cache. But that would be a future diff.

unveil(2) may also help here, but the code turned out unattractive and needs more testing, so I've left it for later as well.

This diff survived a full xenocara release and sequential pkg_adds of about 100 font packages.

ok?

--- dist/fontconfig/fc-cache/fc-cache.c +++ dist/fontconfig/fc-cache/fc-cache.c @@ -39,6 +39,7 @@ #endif #include #include +#include #include #include #ifdef HAVE_DIRENT_H @@ -378,6 +379,10 @@ main (int argc, char **argv) } systemOnly = FcTrue; } + + if (pledge("stdio rpath wpath cpath flock", NULL) == -1) + err(1, "pledge"); + if (systemOnly) FcConfigEnableHome (FcFalse); if (sysroot)
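Review bot: in the first hunk (@@ -39,6 +39,7 @@) the header name on the added `+#include` line has been stripped, as have the names on the surrounding context includes, so the patch as posted does not show which header is being pulled in. pledge(2) is declared in <unistd.h>, and because the second hunk calls err(3), <err.h> must also be available; neither can be confirmed from the visible context, so please check both are present before committing.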
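Review bot: in the second hunk (@@ -378,6 +379,10 @@) the pledge call sits between the end of option handling (`systemOnly = FcTrue; }`) and `if (sysroot)`, so everything executed after that point, the sysroot handling included, has to stay within "stdio rpath wpath cpath flock". chroot(2) has no promise in that set, so the requirement stated in the cover letter, that pledge follow the optional -c chroot, has to hold for exactly this placement; it would help to say in the commit message why the call cannot sit earlier, since readers expect pledge as early as possible. The `err(1, "pledge")` failure path follows the usual OpenBSD idiom.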