reolink: sandbox fixes

Enable config file creation and exec (for video creation).

1 files changed, 4 insertions, 3 deletions

diff --git a/reolink/reolink b/reolink/reolink
index 8d24810..02e5c02 100755
--- a/reolink/reolink
+++ b/reolink/reolink
@@ -347,7 +347,7 @@ sub maybe_generate_video {
     return;
   }
 
-  debug ("generating video for $video_prefix");
+  message ("generating video for $video_prefix");
 
   # extract program name and any "--debug" from @saved_argv
   my @process_args;
@@ -407,15 +407,16 @@ sub run {
   main::load_params (\%server_params);
 
   unless ($debug) {
-    pledge (qw/rpath wpath cpath inet proc unix unveil/) or die "Failed to pledge: $!";
+    pledge (qw/rpath wpath cpath inet exec proc unix unveil/) or die "Failed to pledge: $!";
     openlog ('reolink', 'PID', LOG_DAEMON);
+    message ('startup');
     $SIG{__DIE__} = sub { syslog (LOG_CRIT, "fatal: @_") };
 
     daemonize;
 
     unveil ($server_params{spool_dir}, 'rwxc') || die "unveil($server_params{spool_dir}): $!";
     unveil ($global_config->{socket}, 'rwc')   || die "unveil($global_config->{socket}): $!";
-    unveil ($global_config->{config}, 'rw')    || die "unveil($global_config->{config}): $!";
+    unveil ($global_config->{config}, 'rwc')   || die "unveil($global_config->{config}): $!";
     unveil ($saved_argv[0], 'rx')              || die "unveil($saved_argv[0]): $!";
     unveil ('/etc/protocols', 'r')             || die "unveil(/etc/protocols): $!"; # HTTP::Tiny
     unveil ('/etc/localtime', 'r')             || die "unveil(/etc/localtime): $!"; # localtime