author | Stuart Henderson <sthen@cvs.openbsd.org> | 2019-05-23 13:11:38 +0000 |
---|---|---|
committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2019-05-23 13:11:38 +0000 |
commit | 244b70643a27533dabd68cdb79e1820f1fcb296b (patch) | |
tree | f3f6019daccb70eeb8731acc27dddaacdf7ca589 /usr.sbin/unbound | |
parent | e74a6434ced99463f30796ff5e836a56d470e8da (diff) |
unbound-checkconf pledges "stdio rpath getpw", later narrowing to "stdio rpath".
(File access is needed through the course of a run depending on which options
are configured - e.g. for DNSSEC root keys, hints and zone files).
Based on a diff from, and ok with, mestre@
Diffstat (limited to 'usr.sbin/unbound')
-rw-r--r-- | usr.sbin/unbound/smallapp/unbound-checkconf.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/usr.sbin/unbound/smallapp/unbound-checkconf.c b/usr.sbin/unbound/smallapp/unbound-checkconf.c
index eddd3e17282..a8656e685f1 100644
--- a/usr.sbin/unbound/smallapp/unbound-checkconf.c
+++ b/usr.sbin/unbound/smallapp/unbound-checkconf.c
@@ -587,6 +587,10 @@ morechecks(struct config_file* cfg)
 endpwent();
 # endif
 }
+
+ if (pledge("stdio rpath", NULL) == -1)
+ fatal_exit("Could not pledge");
+
 #endif
 if(cfg->remote_control_enable && options_remote_is_address(cfg)
 && cfg->control_use_cert) {
@@ -724,6 +728,10 @@ int main(int argc, char* argv[])
 if(argc == 1)
 f = argv[0];
 else f = cfgfile;
+
+ if (pledge("stdio rpath getpw", NULL) == -1)
+ fatal_exit("Could not pledge");
+
 checkconf(f, opt, final);
 checklock_stop();
 return 0; |
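Review bot: The narrowing call `pledge("stdio rpath", NULL)` in morechecks() sits above the `#endif`, so it is compiled only when the enclosing preprocessor condition holds. That condition opens outside the hunk; it is presumably the guard around the passwd lookup that ends with `endpwent()`. On a build where the guard is off, the process would keep "getpw" for the rest of the run, so the file-reading checks that follow would run with more than they need. Moving the two added lines to just below `#endif` makes the drop unconditional. morechecks() starts and ends outside the hunk.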
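Review bot: Nothing at the `pledge("stdio rpath getpw", NULL)` call in main() says why "getpw" is requested or where it is given up, and the two halves of the policy live in different functions. A one-line comment above the call would tie them together, e.g. `/* getpw is only for the passwd check in morechecks(), which then narrows to "stdio rpath" */`. That gives whoever later adds a check needing another promise one place to see the full promise set and the point after which it can no longer be widened. main() begins outside the hunk, so anything that runs before this call is not covered by it.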