authorrob <rob@cvs.openbsd.org>2017-08-12 04:29:58 +0000
committerrob <rob@cvs.openbsd.org>2017-08-12 04:29:58 +0000
commitd4219bc7fdb4080940d8453b1ebe1388cddbc9c2 (patch)
treeb40097fbb51cb46a609fe850ee264aa30ec7f001
parent651829018bab5677881a36e597b11d651ee60f52 (diff)
Initial pledge for snmpd. snmpe remains unpledged. Regression tests pass.
Ok benno@, jca@.
-rw-r--r--usr.sbin/snmpd/snmpd.c5
-rw-r--r--usr.sbin/snmpd/snmpe.c11
-rw-r--r--usr.sbin/snmpd/traphandler.c5
3 files changed, 18 insertions, 3 deletions
diff --git a/usr.sbin/snmpd/snmpd.c b/usr.sbin/snmpd/snmpd.c
index ba5661a2223..f600791618e 100644
--- a/usr.sbin/snmpd/snmpd.c
+++ b/usr.sbin/snmpd/snmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpd.c,v 1.36 2017/04/04 02:37:15 millert Exp $ */
+/* $OpenBSD: snmpd.c,v 1.37 2017/08/12 04:29:57 rob Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -255,6 +255,9 @@ main(int argc, char *argv[])
proc_connect(ps);
+ if (pledge("stdio rpath cpath dns id proc sendfd exec", NULL) == -1)
+ fatal("pledge");
+
event_dispatch();
log_debug("%d parent exiting", getpid());
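Review bot: The promise string added before `event_dispatch()` is wide (`rpath cpath dns id proc sendfd exec`), and nothing in the hunk says which parent-side code path needs each promise, so a later reader cannot tell which ones are safe to drop. A short comment above the call would help, for example `/* rpath cpath: <files touched after startup>; id proc exec: <what the parent forks and runs>; sendfd: <fds handed to children> */`, with the placeholders filled in from the real callers. Keeping `exec` also means that any program the parent executes starts outside these promises, so that path should be checked to drop privileges on its own. main() begins and ends outside the hunk.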
diff --git a/usr.sbin/snmpd/snmpe.c b/usr.sbin/snmpd/snmpe.c
index 34fe283baa5..a6be72e01ab 100644
--- a/usr.sbin/snmpd/snmpe.c
+++ b/usr.sbin/snmpd/snmpe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpe.c,v 1.48 2017/07/27 14:04:16 gerhard Exp $ */
+/* $OpenBSD: snmpe.c,v 1.49 2017/08/12 04:29:57 rob Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -105,6 +105,15 @@ snmpe_init(struct privsep *ps, struct privsep_proc *p, void *arg)
snmpe_recvmsg, env);
event_add(&so->s_ev, NULL);
}
+
+#ifdef notyet
+ /*
+ * XXX Refactoring required to move illegal ioctls and sysctls.
+ * XXX See mps_* and if_mib in mib.c, etc.
+ */
+ if (pledge("stdio inet route recvfd vminfo", NULL) == -1)
+ fatal("pledge");
+#endif
}
void
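Review bot: The `pledge()` call added to `snmpe_init` sits inside `#ifdef notyet`, so it is never compiled, and the process that registers `snmpe_recvmsg` on its sockets still runs with no promise set. Because the block is dead code, the string `"stdio inet route recvfd vminfo"` is untested and can drift from what the code actually needs. The XXX comment would be easier to act on if it named the specific ioctls and sysctls that block the call instead of ending in "etc.", for example `XXX Not yet permitted under pledge: <ioctl/sysctl names>; see mps_* and if_mib in mib.c.`. snmpe_init starts outside the hunk.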
diff --git a/usr.sbin/snmpd/traphandler.c b/usr.sbin/snmpd/traphandler.c
index e76ceb1ceac..f118ea4774c 100644
--- a/usr.sbin/snmpd/traphandler.c
+++ b/usr.sbin/snmpd/traphandler.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: traphandler.c,v 1.8 2017/01/09 14:49:22 reyk Exp $ */
+/* $OpenBSD: traphandler.c,v 1.9 2017/08/12 04:29:57 rob Exp $ */
/*
* Copyright (c) 2014 Bret Stephen Lambert <blambert@openbsd.org>
@@ -96,6 +96,9 @@ traphandler_init(struct privsep *ps, struct privsep_proc *p, void *arg)
struct snmpd *env = ps->ps_env;
struct listen_sock *so;
+ if (pledge("stdio id proc recvfd exec", NULL) == -1)
+ fatal("pledge");
+
if (!env->sc_traphandler)
return;
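Review bot: `pledge("stdio id proc recvfd exec", NULL)` runs before the `if (!env->sc_traphandler) return;` check, so a process with trap handling disabled keeps `id`, `proc` and `exec` even though the early return suggests it does no trap work. Since a later pledge call may only narrow the set, the disabled branch could reduce it before returning, e.g. `if (pledge("stdio recvfd", NULL) == -1) fatal("pledge");`, provided nothing else in the idle process needs more. A one-line comment saying why the trap handler needs `id proc exec` would also make the list easier to audit. The rest of traphandler_init is outside the hunk.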