initially, pledge "stdio rpath wpath cpath getpw tty id proc exec", yes

it sounds like a lot, but this will eventually run the /etc/rc scripts
to shutdown, then run reboot or halt.  After looking at getpw*, drop
pledge "getpw".  Later drop to just "stdio exec"...

This depends on new pledge semantics for revoke(2).

with help from jca
ok guenther millert semarie tedu jca

1 files changed, 11 insertions, 1 deletions

diff --git a/sbin/shutdown/shutdown.c b/sbin/shutdown/shutdown.c
index c06fc409a80..f85f10318f8 100644
--- a/sbin/shutdown/shutdown.c
+++ b/sbin/shutdown/shutdown.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: shutdown.c,v 1.43 2015/04/23 02:13:18 deraadt Exp $	*/
+/*	$OpenBSD: shutdown.c,v 1.44 2015/11/16 18:35:31 deraadt Exp $	*/
 /*	$NetBSD: shutdown.c,v 1.9 1995/03/18 15:01:09 cgd Exp $	*/
 
 /*
@@ -108,6 +108,9 @@ main(int argc, char *argv[])
 	char *p, *endp;
 	pid_t forkpid;
 
+	if (pledge("stdio rpath wpath cpath getpw tty id proc exec", NULL) == -1)
+		err(1, "pledge");
+
 #ifndef DEBUG
 	if (geteuid())
 		errx(1, "NOT super-user");
@@ -343,6 +346,10 @@ die_you_gravy_sucking_pig_dog(void)
 	}
 	if (dofast)
 		doitfast();
+
+	if (pledge("stdio rpath wpath cpath tty id proc exec", NULL) == -1)
+		err(1, "pledge");
+
 #ifdef DEBUG
 	if (doreboot)
 		(void)printf("reboot");
@@ -362,6 +369,9 @@ die_you_gravy_sucking_pig_dog(void)
 		char *args[10];
 		char **arg, *path;
 
+		if (pledge("stdio exec", NULL) == -1)
+			err(1, "pledge");
+
 		arg = &args[0];
 		if (doreboot) {
 			path = _PATH_REBOOT;