author Theo de Raadt <deraadt@cvs.openbsd.org> 2015-10-03 03:10:39 +0000
committer Theo de Raadt <deraadt@cvs.openbsd.org> 2015-10-03 03:10:39 +0000
commit 378b8f4accd3842cf049cf81ad2df8a2e34908e1 (patch)
tree 8ff5d00b179508e0d682f299fd9c0adca10fddd0 /bin
parent 8ccd69364cfe132f094b148d3289882ce814b26e (diff)
So you'd love me to say sleep() can be tighter than tame "stdio". OK,
there is that pesky usage message... We could tame "something" in the non-usage codepath.. but pop quiz, anyone know what happens after main returns or if exit(3) is called? atexit completion.. our atexit is very paranoid with structure management and uses mprotect. So current minimum a normal program needs is tame "malloc". tame "stdio" done before the usage codepath splits is just as good; tame placement before getopt provides a strong hint about program behaviour. I am still hoping someone comes up with a nice solution for atexit, or a nice tame subset between "" (pure computation) and "malloc". Ideas have been floated to expose "self", but it lacks mprotect also, and should continue to lack it (see the ssh tame sandbox).
Diffstat (limited to 'bin')
-rw-r--r-- bin/sleep/sleep.c 6
1 files changed, 5 insertions, 1 deletions
diff --git a/bin/sleep/sleep.c b/bin/sleep/sleep.c
index 4789aa5cf88..ba8ec348c26 100644
--- a/bin/sleep/sleep.c
+++ b/bin/sleep/sleep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sleep.c,v 1.21 2015/09/22 15:37:06 tedu Exp $ */
+/* $OpenBSD: sleep.c,v 1.22 2015/10/03 03:10:38 deraadt Exp $ */
/* $NetBSD: sleep.c,v 1.8 1995/03/21 09:11:11 cgd Exp $ */
/*
@@ -37,6 +37,7 @@
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
+#include <err.h>
extern char *__progname;
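Review bot: the new #include <err.h> is appended after <unistd.h>, while the includes visible in this hunk (<stdlib.h>, <time.h>, <unistd.h>) are in alphabetical order. Consider moving <err.h> up to its sorted position so the include block stays ordered.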
@@ -53,6 +54,9 @@ main(int argc, char *argv[])
struct timespec rqtp;
int i;
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+
signal(SIGALRM, alarmh);
while ((ch = getopt(argc, argv, "")) != -1)
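Review bot: the tame("stdio", NULL) call added at the top of main() has no comment saying why "stdio" is the request used, and that reasoning lives only in the commit message. A one-line comment above the call would keep it next to the code. The call also sits before signal(SIGALRM, alarmh) and the getopt() loop, so everything from handler installation onward runs under the restricted set; confirm that ordering is intended, and that exiting through err(1, "tame") is the wanted behaviour when tame() returns -1.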