author | Florian Obser <florian@cvs.openbsd.org> | 2019-04-30 11:09:12 +0000 |
---|---|---|
committer | Florian Obser <florian@cvs.openbsd.org> | 2019-04-30 11:09:12 +0000 |
commit | bedc36300701d44b0b1ae0bec40b0e2ee21315e5 (patch) | |
tree | 99f99a70bd386f272d181ac26b81985472d1989b /sbin/unwind/unwind.c | |
parent | 2bd500e116bcc5a565cc50e592c7197d73c9c25f (diff) |
Restrict file system access to /var/db for the dhclient lease files.
This and pledge("rpath") can go once we switch to RTM_PROPOSAL.
Diffstat (limited to 'sbin/unwind/unwind.c')
-rw-r--r-- | sbin/unwind/unwind.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sbin/unwind/unwind.c b/sbin/unwind/unwind.c
index 54d5e90fea3..d9e499286bd 100644
--- a/sbin/unwind/unwind.c
+++ b/sbin/unwind/unwind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: unwind.c,v 1.23 2019/04/02 07:47:23 florian Exp $ */
+/* $OpenBSD: unwind.c,v 1.24 2019/04/30 11:09:11 florian Exp $ */
 /*
 * Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -307,6 +307,9 @@ main(int argc, char *argv[])
 main_imsg_compose_frontend_fd(IMSG_ROUTESOCK, 0, frontend_routesock);
 main_imsg_send_config(main_conf);
+ if (unveil(LEASE_DB_DIR, "r") == -1)
+ fatal("unveil");
+
 if (pledge("stdio inet dns rpath sendfd", NULL) == -1)
 fatal("pledge"); |
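Review bot: The new `unveil(LEASE_DB_DIR, "r")` call in main() has no comment explaining why the main process still needs file system read access or that the restriction is meant to be temporary; that rationale exists only in the commit message. A comment above it such as `/* XXX dhclient lease files only; remove together with "rpath" once RTM_PROPOSAL is used */` would keep the exception from outliving its purpose. The same comment should state that the `pledge()` call that follows omits the "unveil" promise, which is what prevents later unveil calls, since there is no explicit `unveil(NULL, NULL)`. LEASE_DB_DIR is defined outside the hunk; going by the commit message it is /var/db, so the read-only view covers everything in that directory rather than only the lease files. main()'s body starts and ends outside the hunk.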