tame(2) is a subsystem which restricts programs into a "reduced feature

operating model".  This is the kernel component; various changes should
proceed in-tree for a while before userland programs start using it.
ok miod, discussions and help from many

1 files changed, 5 insertions, 1 deletions

diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index bb7ef9fc210..2347af3d18c 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_sysctl.c,v 1.285 2015/05/18 19:10:35 bluhm Exp $	*/
+/*	$OpenBSD: kern_sysctl.c,v 1.286 2015/07/19 02:35:35 deraadt Exp $	*/
 /*	$NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $	*/
 
 /*-
@@ -70,6 +70,7 @@
 #include <sys/domain.h>
 #include <sys/protosw.h>
 #include <sys/timetc.h>
+#include <sys/tame.h>
 #include <sys/evcount.h>
 #include <sys/un.h>
 #include <sys/unpcb.h>
@@ -170,6 +171,9 @@ sys___sysctl(struct proc *p, void *v, register_t *retval)
 	if (error)
 		return (error);
 
+	if (tame_sysctl_check(p, SCARG(uap, namelen), name, SCARG(uap, new)))
+		return (tame_fail(p, EPERM, _TM_SELF));
+
 	switch (name[0]) {
 	case CTL_KERN:
 		fn = kern_sysctl;