commit e9495ffd168087aa382d316bfd6d75f2082b462e from: Stefan Sperling via: Thomas Adam date: Thu Apr 25 14:57:36 2024 UTC can drop "rpath" pledge in got-fetch-http if plaintext HTTP is being used
commit - cc66d7541018b667f159ed509c2d63885e2432e2
commit + e9495ffd168087aa382d316bfd6d75f2082b462e
blob - 4ac28d9fb06153bf6428008b8a6b9a556517e6ef
blob + f1cf123c468f636b6b2290fd62ca8e6b179ab5ac
--- libexec/got-fetch-http/got-fetch-http.c
+++ libexec/got-fetch-http/got-fetch-http.c
@@ -556,7 +556,13 @@ main(int argc, char **argv)
 usage();
 https = strcmp(argv[0], "https") == 0;
-
+#ifndef PROFILE
+ if (!https) {
+ /* drop "rpath" */
+ if (pledge("stdio inet dns", NULL) == -1)
+ err(1, "pledge");
+ }
+#endif
 host = argv[1];
 port = argv[2];
 path = argv[3];
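Review bot: The added `pledge("stdio inet dns", NULL)` tightens promises only on the `!https` branch, so the HTTPS path keeps "rpath" for everything that follows in main(), including the code that handles server-supplied data. Presumably "rpath" is retained there so the TLS library can read CA certificates; if nothing after TLS configuration opens files, a second `pledge("stdio inet dns", NULL)` once that setup has completed would give HTTPS the same reduction. The comment `/* drop "rpath" */` restates the call rather than the reason; something like `/* plaintext HTTP never opens files; "rpath" is kept only for TLS setup */` would tell the next reader why the two schemes differ. main() starts and continues outside this hunk, so the earlier pledge and the TLS setup are not visible here and the above should be checked against them.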