CVSROOT:        /cvs
Module name:    src
Changes by:     sema...@cvs.openbsd.org 2015/10/28 08:07:58

Modified files:
        sys/kern       : kern_pledge.c vfs_syscalls.c 

Log message:
make sys_chroot() only allowed to be used when pledged, with "rpath id proc".

the previous check in pledge_namei() was incomplete. For using SYS_chroot we
needed "id", and we could have passed pledge_namei() just with "rpath" (without
using the now removed whitelisted entry).

the check for "rpath id proc" is now done using p_pledgenote: pledge_namei()
will check that the pledgenote is permitted by your pledge.

"go ahead" deraadt@
