From 5435dd1b3f17f6269bf9efb138bf660ae60db1a9 Mon Sep 17 00:00:00 2001
From: Ted Unangst
Date: Wed, 27 Nov 2019 15:58:41 -0500
Subject: [PATCH] use separate backend hooks with tighter pledge
---
 backend.go | 4 +++-
 unveil.go | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/backend.go b/backend.go
index ca7ba1e..8ad3117 100644
--- a/backend.go
+++ b/backend.go
@@ -73,6 +73,8 @@ func shrinkit(data []byte) (*image.Image, error) {
 return res.Image, nil
 }
 
+var backendhooks []func()
+
 func backendServer() {
 log.Printf("backend server running")
 shrinker := new(Shrinker)
@@ -92,7 +94,7 @@ func backendServer() {
 if err != nil {
 log.Panicf("unable to register shrinker: %s", err)
 }
- for _, h := range preservehooks {
+ for _, h := range backendhooks {
 h()
 }
 srv.Accept(lis)
diff --git a/unveil.go b/unveil.go
index 4650ae5..efdba9b 100644
--- a/unveil.go
+++ b/unveil.go
@@ -62,4 +62,7 @@ func init() {
 C.unveil(nil, nil)
 Pledge("stdio rpath wpath cpath flock dns inet unix")
 })
+ backendhooks = append(backendhooks, func() {
+ Pledge("stdio unix")
+ })
 }
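Review bot: `backendhooks` in backend.go is declared without a comment, although it now carries the backend's privilege-drop contract. I would put `// backendhooks run once in backendServer, after the shrinker is registered and before srv.Accept; platform files append privilege-dropping hooks here.` above the declaration. From the visible lines the slice is filled from init() in unveil.go and iterated in the second backend.go hunk, so anything the backend needs from the filesystem or network has to be set up before that loop. backendServer's body continues outside the hunk.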
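Review bot: The new backend hook in unveil.go calls only `Pledge("stdio unix")`, whereas the hook directly above it locks unveil with `C.unveil(nil, nil)` before pledging; as far as the visible lines show, the backend no longer gets any unveil step now that it stops running preservehooks. Dropping rpath/wpath/cpath already refuses file opens, but the `unix` promise still permits AF_UNIX bind/connect by path. If the backend only ever accepts on the listener it already holds, consider restricting the filesystem view before the pledge as well (confirm the exact call sequence against unveil(2)). Whether `Pledge` aborts the process on failure is not visible here; it is worth confirming that a failed call cannot leave the backend running unrestricted. init()'s body starts outside the hunk.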