prevent unveil from being called on <=6.3

jrick · jrick · commit df13fe5fbcc9 · 2023-02-14T19:30:16.000Z
diff --git a/unix/unveil_openbsd.go b/unix/unveil_openbsd.go
@@ -4,11 +4,19 @@
 
 package unix
 
+import "fmt"
+
 // Unveil implements the unveil syscall.
 // For more information see unveil(2).
 // Note that the special case of blocking further
 // unveil calls is handled by UnveilBlock.
+//
+// Unveil requires OpenBSD 6.4 or later.
 func Unveil(path string, flags string) error {
+	err := supportsUnveil()
+	if err != nil {
+		return err
+	}
 	pathBytes, err := BytePtrFromString(path)
 	if err != nil {
 		return err
@@ -22,6 +30,28 @@ func Unveil(path string, flags string) error {
 
 // UnveilBlock blocks future unveil calls.
 // For more information see unveil(2).
+//
+// Unveil requires OpenBSD 6.4 or later.
 func UnveilBlock() error {
+	err := supportsUnveil()
+	if err != nil {
+		return err
+	}
 	return unveil(nil, nil)
 }
+
+// supportsUnveil checks for availability of the unveil(2) system call based
+// on the running OpenBSD version.
+func supportsUnveil() error {
+	maj, min, err := majmin()
+	if err != nil {
+		return err
+	}
+
+	// unveil is not available before 6.4
+	if maj < 6 || (maj == 6 && min <= 3) {
+		return fmt.Errorf("cannot use execpromises on OpenBSD %d.%d", maj, min)
+	}
+
+	return nil
+}
