Add pledge and unveil

Index: src/main.c
--- src/main.c.orig
+++ src/main.c
@@ -138,6 +138,51 @@ sigend_handler(int sig)
     longjmp(sigend_jmp_buf, 1);
 }
 
+static void
+setup_pledge(struct iperf_test *test)
+{
+#if defined(__OpenBSD__)
+    int needwr = 0;
+
+    /* Check for options which require filesystem access */
+    if (test->diskfile_name) {
+	if (unveil(test->diskfile_name, "crw") == -1) {
+	    /* XXX read for client, write for server */
+	    fprintf(stderr, "unveil diskfile: %s\n", strerror(errno));
+	    exit(1);
+	}
+	needwr = 1;
+    }
+
+    if (test->pidfile) {
+	if (unveil(test->pidfile, "cw") == -1) {
+	    fprintf(stderr, "unveil pidfile: %s\n", strerror(errno));
+	    exit(1);
+	}
+	needwr = 1;
+    }
+
+    if (test->logfile) {
+	if (unveil(test->logfile, "cwr") == -1) {
+	    fprintf(stderr, "unveil logfile: %s\n", strerror(errno));
+	    exit(1);
+	}
+	needwr = 1;
+    }
+
+    /* Drop filesystem access if we can, otherwise lock unveil */
+    if (needwr == 0) {
+	if (pledge("stdio tmppath inet dns", NULL) == -1) {
+	    fprintf(stderr, "pledge !needwr: %s\n", strerror(errno));
+	    exit(1);
+	}
+    } else if (pledge("stdio tmppath rpath cpath wpath inet dns", NULL) == -1) {
+	fprintf(stderr, "pledge: %s\n", strerror(errno));
+	exit(1);
+    }
+#endif
+}
+
 /**************************************************************************/
 static int
 run(struct iperf_test *test)
@@ -160,6 +205,7 @@ run(struct iperf_test *test)
 		    iperf_errexit(test, "error - %s", iperf_strerror(i_errno));
 		}
 	    }
+	    setup_pledge(test);
 	    if (iperf_create_pidfile(test) < 0) {
 		i_errno = IEPIDFILE;
 		iperf_errexit(test, "error - %s", iperf_strerror(i_errno));
@@ -192,6 +238,7 @@ run(struct iperf_test *test)
 	    iperf_delete_pidfile(test);
             break;
 	case 'c':
+	    setup_pledge(test);
 	    if (iperf_create_pidfile(test) < 0) {
 		i_errno = IEPIDFILE;
 		iperf_errexit(test, "error - %s", iperf_strerror(i_errno));
