From a5fcd38896057ab1ff8c99caee1403857e1cd9d3 Mon Sep 17 00:00:00 2001
From: Omar Polo <op@omarpolo.com>
Date: Sat, 22 Jan 2022 18:22:06 +0100
Subject: [PATCH] move libwrap bit before calling pledge(2)

Just to make sure we don't fail due to libwrap calling syscall not
permitted by pledge.
---
 src/gophernicus.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/gophernicus.c b/src/gophernicus.c
index d6aa6e1..0d3c990 100644
--- a/src/gophernicus.c
+++ b/src/gophernicus.c
@@ -539,6 +539,13 @@ int main(int argc, char *argv[])
 		sstrlcpy(st.server_root, buf);
 	}
 
+	/* Check if TCP wrappers have something to say about this connection */
+#ifdef HAVE_LIBWRAP
+	if (sstrncmp(st.req_remote_addr, UNKNOWN_ADDR) != MATCH &&
+		hosts_ctl(self, STRING_UNKNOWN, st.req_remote_addr, STRING_UNKNOWN) == WRAP_DENIED)
+		die(&st, ERR_ACCESS, "Refused connection");
+#endif
+
 #ifdef __OpenBSD__
 	/* unveil(2) support.
 	 *
@@ -606,13 +613,6 @@ int main(int argc, char *argv[])
 	}
 #endif
 
-	/* Check if TCP wrappers have something to say about this connection */
-#ifdef HAVE_LIBWRAP
-	if (sstrncmp(st.req_remote_addr, UNKNOWN_ADDR) != MATCH &&
-		hosts_ctl(self, STRING_UNKNOWN, st.req_remote_addr, STRING_UNKNOWN) == WRAP_DENIED)
-		die(&st, ERR_ACCESS, "Refused connection");
-#endif
-
 	/* Make sure the computer is turned on */
 #ifdef __HAIKU__
 	if (is_computer_on() != TRUE)