From 2fde2f7e9ee4be054f5a8fcc1121309f8daaac31 Mon Sep 17 00:00:00 2001
From: Jonathan Matthew
Date: Sun, 15 Nov 2015 01:31:58 +0000
Subject: pledge for ypldap is easy because it's purely a network program. One process talks to yp clients, one talks to ldap servers, one does dns. ok deraadt@
---
 usr.sbin/ypldap/ldapclient.c | 5 ++++-
 usr.sbin/ypldap/ypldap.c | 5 ++++-
 usr.sbin/ypldap/ypldap_dns.c | 5 ++++-
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/ypldap/ldapclient.c b/usr.sbin/ypldap/ldapclient.c
index 3cb1a0701f3..07388d53772 100644
--- a/usr.sbin/ypldap/ldapclient.c
+++ b/usr.sbin/ypldap/ldapclient.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ldapclient.c,v 1.32 2015/01/16 06:40:22 deraadt Exp $ */
+/* $OpenBSD: ldapclient.c,v 1.33 2015/11/15 01:31:57 jmatthew Exp $ */
 /*
 * Copyright (c) 2008 Alexander Schrijver
@@ -404,6 +404,9 @@ ldapclient(int pipe_main2client[2])
 #warning disabling privilege revocation in DEBUG mode
 #endif
+ if (pledge("stdio inet", NULL) == -1)
+ fatal("pledge");
+
 event_init();
 signal(SIGPIPE, SIG_IGN);
 signal_set(&ev_sigint, SIGINT, client_sig_handler, NULL);
diff --git a/usr.sbin/ypldap/ypldap.c b/usr.sbin/ypldap/ypldap.c
index 327a78315ae..331b6b0d08a 100644
--- a/usr.sbin/ypldap/ypldap.c
+++ b/usr.sbin/ypldap/ypldap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ypldap.c,v 1.16 2015/11/02 10:06:06 jmatthew Exp $ */
+/* $OpenBSD: ypldap.c,v 1.17 2015/11/15 01:31:57 jmatthew Exp $ */
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -608,6 +608,9 @@ main(int argc, char *argv[])
 #warning disabling privilege revocation in debug mode
 #endif
+ if (pledge("stdio inet", NULL) == -1)
+ fatal("pledge");
+
 bzero(&tv, sizeof(tv));
 evtimer_set(&ev_timer, main_init_timer, &env);
 evtimer_add(&ev_timer, &tv);
diff --git a/usr.sbin/ypldap/ypldap_dns.c b/usr.sbin/ypldap/ypldap_dns.c
index 24483861715..368af3742c4 100644
--- a/usr.sbin/ypldap/ypldap_dns.c
+++ b/usr.sbin/ypldap/ypldap_dns.c
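Review bot: The `pledge("stdio inet", NULL)` call added to ldapclient() in usr.sbin/ypldap/ldapclient.c carries no comment saying what each promise is needed for, and the same holds for the calls added to main() in ypldap.c and to ypldap_dns() in ypldap_dns.c. A pledge violation normally kills the process instead of returning an error, so a later change that adds a file open or similar to one of these processes would take the daemon down at run time; a short comment at each call keeps that constraint visible. Going by the commit message, something like `/* stdio: pipe to the parent and libevent; inet: connections to the LDAP servers */` would fit here, with the wording to be checked against the code outside the hunk. ldapclient() starts and ends outside the hunk.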
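Review bot: In main() in usr.sbin/ypldap/ypldap.c the pledge is taken immediately before `evtimer_set(&ev_timer, main_init_timer, &env)`, so main_init_timer and every event handler that fires afterwards run under `"stdio inet"`. Their bodies are not part of this hunk, so it should be confirmed that none of them opens a file by path, forks or execs once the event loop is running, because that would abort the parent process rather than fail with an errno. If that holds, I would record it above the call, e.g. `/* from main_init_timer on, only sockets and already-open descriptors are used */`. main() starts and ends outside the hunk.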
@@ -1,4 +1,4 @@
-/* $OpenBSD: ypldap_dns.c,v 1.8 2015/01/16 06:40:22 deraadt Exp $ */
+/* $OpenBSD: ypldap_dns.c,v 1.9 2015/11/15 01:31:57 jmatthew Exp $ */
 /*
 * Copyright (c) 2003-2008 Henning Brauer
@@ -96,6 +96,9 @@ ypldap_dns(int pipe_ntp[2], struct passwd *pw)
 fatal("can't drop privileges");
 endservent();
+ if (pledge("stdio dns", NULL) == -1)
+ fatal("pledge");
+
 event_init();
 signal_set(&ev_sigint, SIGINT, dns_sig_handler, NULL);
 signal_set(&ev_sigterm, SIGTERM, dns_sig_handler, NULL);
-- 
cgit v1.2.3