For those who are curious, this is the tame diff which is currently in snapshots. Yes, we are asking for testing and feedback.
Index: bin/cat/cat.c =================================================================== RCS file: /cvs/src/bin/cat/cat.c,v retrieving revision 1.21 diff -u -p -u -r1.21 cat.c --- bin/cat/cat.c 16 Jan 2015 06:39:28 -0000 1.21 +++ bin/cat/cat.c 28 Sep 2015 20:15:11 -0000 @@ -66,6 +66,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "benstuv")) != -1) switch (ch) { case 'b': Index: bin/chmod/chmod.c =================================================================== RCS file: /cvs/src/bin/chmod/chmod.c,v retrieving revision 1.34 diff -u -p -u -r1.34 chmod.c --- bin/chmod/chmod.c 25 Jun 2015 02:04:08 -0000 1.34 +++ bin/chmod/chmod.c 28 Sep 2015 20:15:11 -0000 @@ -153,6 +153,9 @@ done: atflags = 0; if (ischflags) { + if (tame("stdio rpath wpath fattr", NULL) == -1) + err(1, "tame"); + flags = *argv; if (*flags >= '0' && *flags <= '7') { errno = 0; Index: bin/dd/dd.c =================================================================== RCS file: /cvs/src/bin/dd/dd.c,v retrieving revision 1.21 diff -u -p -u -r1.21 dd.c --- bin/dd/dd.c 16 Jan 2015 06:39:31 -0000 1.21 +++ bin/dd/dd.c 28 Sep 2015 20:15:11 -0000 @@ -149,6 +149,9 @@ setup(void) if (out.offset) pos_out(); + if (tame("stdio", NULL) == -1) + err(1, "tame"); + /* * Truncate the output file; ignore errors because it fails on some * kinds of output files, tapes, for example. Index: bin/df/df.c =================================================================== RCS file: /cvs/src/bin/df/df.c,v retrieving revision 1.52 diff -u -p -u -r1.52 df.c --- bin/df/df.c 16 Jan 2015 06:39:31 -0000 1.52 +++ bin/df/df.c 28 Sep 2015 20:15:11 -0000 
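Review bot: In the chmod.c hunk the tame call sits inside `if (ischflags) {`, so on the visible lines only the chflags personality is restricted and nothing says why the other modes are left out. A short comment above the call would stop a later reader from assuming the whole program is confined, for example `/* only chflags is tamed so far; the chmod/chown paths need requests not covered here (TODO: confirm which) */`. The reason itself is inferred, not shown in the hunk, so the author should confirm the wording. main starts and ends outside the hunk.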
@@ -79,6 +79,10 @@ main(int argc, char *argv[]) int width, maxwidth; char *mntpt; +// XXX what about statfs? +// if (tame("stdio rpath", NULL) == -1) +// err(1, "tame"); + while ((ch = getopt(argc, argv, "hiklnPt:")) != -1) switch (ch) { case 'h': Index: bin/echo/echo.c =================================================================== RCS file: /cvs/src/bin/echo/echo.c,v retrieving revision 1.8 diff -u -p -u -r1.8 echo.c --- bin/echo/echo.c 14 Dec 2014 16:55:59 -0000 1.8 +++ bin/echo/echo.c 28 Sep 2015 20:15:11 -0000 @@ -32,12 +32,17 @@ #include <stdio.h> #include <string.h> +#include <unistd.h> +#include <err.h> /* ARGSUSED */ int main(int argc, char *argv[]) { int nflag; + + if (tame("stdio", NULL) == -1) + err(1, "tame"); /* This utility may NOT do getopt(3) option parsing. */ if (*++argv && !strcmp(*argv, "-n")) { Index: bin/expr/expr.c =================================================================== RCS file: /cvs/src/bin/expr/expr.c,v retrieving revision 1.20 diff -u -p -u -r1.20 expr.c --- bin/expr/expr.c 11 Aug 2015 17:15:46 -0000 1.20 +++ bin/expr/expr.c 28 Sep 2015 20:15:11 -0000 @@ -12,6 +12,7 @@ #include <limits.h> #include <locale.h> #include <ctype.h> +#include <unistd.h> #include <regex.h> #include <err.h> @@ -499,6 +500,9 @@ main(int argc, char *argv[]) struct val *vp; (void) setlocale(LC_ALL, ""); + + if (tame("stdio", NULL) == -1) + err(1, "tame"); if (argc > 1 && !strcmp(argv[1], "--")) argv++; Index: bin/ls/ls.c =================================================================== RCS file: /cvs/src/bin/ls/ls.c,v retrieving revision 1.41 diff -u -p -u -r1.41 ls.c --- bin/ls/ls.c 25 Jun 2015 02:04:07 -0000 1.41 +++ bin/ls/ls.c 28 Sep 2015 20:15:11 -0000 
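Review bot: The df.c hunk adds its tame call only as `//`-commented lines, so df still runs unrestricted after this change. The only hint of what is blocking it is `XXX what about statfs?`. Commented-out code tends to rot; I would replace it with a block comment that records the open question, such as `/* XXX not tamed yet: unclear whether "stdio rpath" permits statfs(2); enable tame("stdio rpath", NULL) once confirmed */`. main continues outside the hunk.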
@@ -123,6 +123,9 @@ ls_main(int argc, char *argv[]) termwidth = width; } + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + /* Root is -A automatically. */ if (!getuid()) f_listdot = 1; Index: bin/md5/md5.c =================================================================== RCS file: /cvs/src/bin/md5/md5.c,v retrieving revision 1.79 diff -u -p -u -r1.79 md5.c --- bin/md5/md5.c 19 Jan 2015 16:43:28 -0000 1.79 +++ bin/md5/md5.c 28 Sep 2015 20:15:11 -0000 @@ -200,6 +200,9 @@ main(int argc, char **argv) int fl, error, base64, i; int bflag, cflag, pflag, rflag, tflag, xflag; + if (tame("stdio cpath rpath wpath", NULL) == -1) + err(1, "tame"); + TAILQ_INIT(&hl); input_string = NULL; selective_checklist = NULL; @@ -308,8 +311,11 @@ main(int argc, char **argv) argc -= optind; argv += optind; - if (ofile == NULL) + if (ofile == NULL) { ofile = stdout; + } + if (tame("stdio rpath", NULL) != 0) + err(1, "tame"); /* Most arguments are mutually exclusive */ fl = pflag + (tflag ? 1 : 0) + xflag + cflag + (input_string != NULL); Index: bin/mkdir/mkdir.c =================================================================== RCS file: /cvs/src/bin/mkdir/mkdir.c,v retrieving revision 1.25 diff -u -p -u -r1.25 mkdir.c --- bin/mkdir/mkdir.c 2 Apr 2013 20:26:17 -0000 1.25 +++ bin/mkdir/mkdir.c 28 Sep 2015 20:15:11 -0000 @@ -55,6 +55,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio cpath rpath wpath fattr", NULL) == -1) + err(1, "tame"); + /* * The default file mode is a=rwx (0777) with selected permissions * removed in accordance with the file mode creation mask. For Index: bin/pax/pax.c =================================================================== RCS file: /cvs/src/bin/pax/pax.c,v retrieving revision 1.41 diff -u -p -u -r1.41 pax.c --- bin/pax/pax.c 9 Mar 2015 04:23:29 -0000 1.41 +++ bin/pax/pax.c 28 Sep 2015 20:15:11 -0000 
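Review bot: The second md5.c hunk tests the result with `!= 0` while the first hunk of the same file, and most of this diff, uses `== -1`. The same mix appears in the column, csplit, deroff, fmt, fold, from (mail_spool), head and ping6 hunks. Using one form throughout, `if (tame("stdio rpath", NULL) == -1)`, makes it easy to grep for call sites and to see that a failure is fatal at every one. The braces added around the single statement `ofile = stdout;` are also unnecessary and only widen the diff.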
@@ -256,6 +256,12 @@ main(int argc, char **argv) if ((gen_init() < 0) || (tty_init() < 0)) return(exit_val); + if (pmode == 0 && gzip_program == NULL) { + if (tame("stdio getpw ioctl proc cpath wpath rpath fattr", + NULL) == -1) + err(1, "tame"); + } + /* * select a primary operation mode */ Index: bin/pwd/pwd.c =================================================================== RCS file: /cvs/src/bin/pwd/pwd.c,v retrieving revision 1.12 diff -u -p -u -r1.12 pwd.c --- bin/pwd/pwd.c 28 May 2014 06:55:58 -0000 1.12 +++ bin/pwd/pwd.c 28 Sep 2015 20:15:11 -0000 @@ -47,6 +47,9 @@ main(int argc, char *argv[]) int ch, lFlag = 0; const char *p; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "LP")) != -1) { switch (ch) { case 'L': Index: bin/sleep/sleep.c =================================================================== RCS file: /cvs/src/bin/sleep/sleep.c,v retrieving revision 1.21 diff -u -p -u -r1.21 sleep.c --- bin/sleep/sleep.c 22 Sep 2015 15:37:06 -0000 1.21 +++ bin/sleep/sleep.c 1 Oct 2015 11:35:32 -0000 @@ -37,6 +37,7 @@ #include <stdlib.h> #include <time.h> #include <unistd.h> +#include <err.h> extern char *__progname; @@ -52,6 +53,9 @@ main(int argc, char *argv[]) long nsecs = 0; struct timespec rqtp; int i; + + if (tame("stdio", NULL) == -1) + err(1, "tame"); signal(SIGALRM, alarmh); Index: bin/test/test.c =================================================================== RCS file: /cvs/src/bin/test/test.c,v retrieving revision 1.13 diff -u -p -u -r1.13 test.c --- bin/test/test.c 2 Dec 2014 18:32:05 -0000 1.13 +++ bin/test/test.c 28 Sep 2015 20:15:11 -0000 
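Review bot: The guard `pmode == 0 && gzip_program == NULL` in the pax.c hunk decides whether pax is confined at all, but nothing explains it, so a reader cannot tell which invocations stay unrestricted. I would add a comment above it, for instance `/* tame only when no mode preservation and no external compression program were requested; the other cases need operations outside this request list (TODO: confirm) */`. The reasoning is inferred from the variable names, so the author should correct it if it is wrong. main continues outside the hunk.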
@@ -158,6 +158,9 @@ main(int argc, char *argv[]) extern char *__progname; int res; + if (tame("rpath malloc", NULL) == -1) + err(1, "tame"); + if (strcmp(__progname, "[") == 0) { if (strcmp(argv[--argc], "]")) errx(2, "missing ]"); Index: sbin/dmesg/dmesg.c =================================================================== RCS file: /cvs/src/sbin/dmesg/dmesg.c,v retrieving revision 1.25 diff -u -p -u -r1.25 dmesg.c --- sbin/dmesg/dmesg.c 16 Jan 2015 06:39:57 -0000 1.25 +++ sbin/dmesg/dmesg.c 28 Sep 2015 20:15:11 -0000 @@ -108,6 +108,9 @@ main(int argc, char *argv[]) if (sysctl(mib, 2, bufdata, &len, NULL, 0)) err(1, "sysctl: KERN_MSGBUF"); + if (tame("stdio", NULL) == -1) + err(1, "tame"); + memcpy(&cur, bufdata, sizeof(cur)); bufdata = ((struct msgbuf *)bufdata)->msg_bufc; } else { Index: sbin/ping/ping.c =================================================================== RCS file: /cvs/src/sbin/ping/ping.c,v retrieving revision 1.125 diff -u -p -u -r1.125 ping.c --- sbin/ping/ping.c 3 Sep 2015 17:59:54 -0000 1.125 +++ sbin/ping/ping.c 28 Sep 2015 20:15:11 -0000 @@ -501,6 +501,14 @@ main(int argc, char *argv[]) else (void)printf("PING %s: %d data bytes\n", hostname, datalen); + if (options & F_NUMERIC) { + if (tame("stdio inet", NULL) == -1) + err(1, "tame"); + } else { + if (tame("stdio inet dns", NULL) == -1) + err(1, "tame"); + } + (void)signal(SIGINT, finish); (void)signal(SIGALRM, catcher); (void)signal(SIGINFO, prtsig); Index: sbin/ping6/ping6.c =================================================================== RCS file: /cvs/src/sbin/ping6/ping6.c,v retrieving revision 1.117 diff -u -p -u -r1.117 ping6.c --- sbin/ping6/ping6.c 30 Sep 2015 12:21:46 -0000 1.117 +++ sbin/ping6/ping6.c 30 Sep 2015 12:21:54 -0000 
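Review bot: The request string in the test.c hunk is `"rpath malloc"`, the only one in this diff without `stdio`, yet the lines directly below can call `errx(2, "missing ]")`, which writes to stderr. If `malloc` does not also permit writing to an already-open descriptor, that error path would be stopped instead of printing its message. `if (tame("stdio rpath", NULL) == -1)` would match the other utilities that only read paths and print. main continues outside the hunk.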
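Review bot: In the dmesg.c hunk only the sysctl branch is restricted: the call sits after the KERN_MSGBUF sysctl and before `} else {`, so the else branch gets no tame call from this change. That branch's body is outside the hunk; if it reads the message buffer from a file supplied on the command line, it is the path that handles the less trusted input and would benefit most from confinement. At minimum a comment there, e.g. `/* XXX not tamed: this path still needs to open and read the image */`, would record that the gap is deliberate.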
@@ -746,6 +746,14 @@ main(int argc, char *argv[]) (socklen_t)sizeof(optval)) < 0) warn("setsockopt(IPV6_RECVHOPLIMIT)"); /* XXX err? */ + if (options & F_HOSTNAME) { + if (tame("stdio inet dns", NULL) == -1) + err(1, "tame"); + } else { + if (tame("stdio inet", NULL) != 0) + err(1, "tame"); + } + arc4random_buf(&tv64_offset, sizeof(tv64_offset)); arc4random_buf(&mac_key, sizeof(mac_key)); Index: usr.bin/arch/arch.c =================================================================== RCS file: /cvs/src/usr.bin/arch/arch.c,v retrieving revision 1.16 diff -u -p -u -r1.16 arch.c --- usr.bin/arch/arch.c 25 Sep 2015 16:19:26 -0000 1.16 +++ usr.bin/arch/arch.c 28 Sep 2015 20:15:11 -0000 @@ -30,6 +30,7 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <err.h> static void __dead usage(void); @@ -43,6 +44,9 @@ main(int argc, char *argv[]) char *arch, *opts; setlocale(LC_ALL, ""); + + if (tame("stdio", NULL) == -1) + err(1, "tame"); machine = strcmp(__progname, "machine") == 0; if (machine) { Index: usr.bin/banner/banner.c =================================================================== RCS file: /cvs/src/usr.bin/banner/banner.c,v retrieving revision 1.9 diff -u -p -u -r1.9 banner.c --- usr.bin/banner/banner.c 27 Oct 2009 23:59:35 -0000 1.9 +++ usr.bin/banner/banner.c 28 Sep 2015 20:15:11 -0000 @@ -53,6 +53,7 @@ #include <unistd.h> #include <stdlib.h> #include <string.h> +#include <err.h> #include "banner.h" 
@@ -152,6 +153,8 @@ main(int argc, char *argv[]) { char word[10+1]; /* strings limited to 10 chars */ + if (tame("stdio", NULL) == -1) + err(1, "tame"); while (*++argv) { (void)strlcpy(word, *argv, sizeof (word)); scan_out(1, word, '\0'); Index: usr.bin/basename/basename.c =================================================================== RCS file: /cvs/src/usr.bin/basename/basename.c,v retrieving revision 1.9 diff -u -p -u -r1.9 basename.c --- usr.bin/basename/basename.c 27 Oct 2009 23:59:36 -0000 1.9 +++ usr.bin/basename/basename.c 28 Sep 2015 20:15:11 -0000 @@ -48,6 +48,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "")) != -1) { switch (ch) { default: Index: usr.bin/cal/cal.c =================================================================== RCS file: /cvs/src/usr.bin/cal/cal.c,v retrieving revision 1.28 diff -u -p -u -r1.28 cal.c --- usr.bin/cal/cal.c 17 Mar 2015 19:31:30 -0000 1.28 +++ usr.bin/cal/cal.c 28 Sep 2015 20:15:11 -0000 @@ -150,6 +150,9 @@ main(int argc, char *argv[]) int ch, month, year, yflag; const char *errstr; + if (tame("stdio", NULL) == -1) + err(1, "tame"); + yflag = year = 0; while ((ch = getopt(argc, argv, "jmwy")) != -1) switch(ch) { Index: usr.bin/col/col.c =================================================================== RCS file: /cvs/src/usr.bin/col/col.c,v retrieving revision 1.17 diff -u -p -u -r1.17 col.c --- usr.bin/col/col.c 9 May 2015 20:36:18 -0000 1.17 +++ usr.bin/col/col.c 28 Sep 2015 20:15:11 -0000 
@@ -113,6 +113,9 @@ main(int argc, char *argv[]) int adjust, opt, warned; const char *errstr; + if (tame("stdio", NULL) == -1) + err(1, "tame"); + max_bufd_lines = 256; compress_spaces = 1; /* compress spaces into tabs */ while ((opt = getopt(argc, argv, "bfhl:x")) != -1) Index: usr.bin/colrm/colrm.c =================================================================== RCS file: /cvs/src/usr.bin/colrm/colrm.c,v retrieving revision 1.9 diff -u -p -u -r1.9 colrm.c --- usr.bin/colrm/colrm.c 27 Oct 2009 23:59:36 -0000 1.9 +++ usr.bin/colrm/colrm.c 28 Sep 2015 20:15:11 -0000 @@ -52,6 +52,9 @@ main(int argc, char *argv[]) int ch; char *p; + if (tame("stdio", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "")) != -1) switch(ch) { case '?': Index: usr.bin/column/column.c =================================================================== RCS file: /cvs/src/usr.bin/column/column.c,v retrieving revision 1.19 diff -u -p -u -r1.19 column.c --- usr.bin/column/column.c 22 May 2014 19:50:34 -0000 1.19 +++ usr.bin/column/column.c 28 Sep 2015 20:15:11 -0000 @@ -67,6 +67,9 @@ main(int argc, char *argv[]) char *p; const char *errstr; + if (tame("stdio rpath ioctl", NULL) == -1) + err(1, "tame"); + if (ioctl(1, TIOCGWINSZ, &win) == -1 || !win.ws_col) { if ((p = getenv("COLUMNS")) && *p != '\0') { termwidth = strtonum(p, 1, INT_MAX, &errstr); 
@@ -100,16 +103,23 @@ main(int argc, char *argv[]) argc -= optind; argv += optind; - if (!*argv) + if (!*argv) { input(stdin); - else for (; *argv; ++argv) - if ((fp = fopen(*argv, "r"))) { - input(fp); - (void)fclose(fp); - } else { - warn("%s", *argv); - eval = 1; + if (tame("stdio", NULL) != 0) + err(1, "tame"); + } else { + if (tame("stdio rpath", NULL) != 0) + err(1, "tame"); + for (; *argv; ++argv) { + if ((fp = fopen(*argv, "r"))) { + input(fp); + (void)fclose(fp); + } else { + warn("%s", *argv); + eval = 1; + } } + } if (!entries) exit(eval); Index: usr.bin/comm/comm.c =================================================================== RCS file: /cvs/src/usr.bin/comm/comm.c,v retrieving revision 1.8 diff -u -p -u -r1.8 comm.c --- usr.bin/comm/comm.c 27 Oct 2009 23:59:37 -0000 1.8 +++ usr.bin/comm/comm.c 28 Sep 2015 20:15:11 -0000 @@ -61,6 +61,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + flag1 = flag2 = flag3 = 1; compare = strcoll; while ((ch = getopt(argc, argv, "123f")) != -1) Index: usr.bin/compress/main.c =================================================================== RCS file: /cvs/src/usr.bin/compress/main.c,v retrieving revision 1.86 diff -u -p -u -r1.86 main.c --- usr.bin/compress/main.c 30 Aug 2015 21:06:24 -0000 1.86 +++ usr.bin/compress/main.c 28 Sep 2015 20:15:11 -0000 @@ -167,6 +167,9 @@ main(int argc, char *argv[]) char outfile[PATH_MAX], _infile[PATH_MAX], suffix[16]; int bits, ch, error, rc, cflag, oflag; + if (tame("stdio wpath cpath fattr", NULL) == -1) + err(1, "tame"); + bits = cflag = oflag = 0; storename = -1; p = __progname; Index: usr.bin/csplit/csplit.c =================================================================== RCS file: /cvs/src/usr.bin/csplit/csplit.c,v retrieving revision 1.5 diff -u -p -u -r1.5 csplit.c --- usr.bin/csplit/csplit.c 20 May 2014 01:25:23 -0000 1.5 +++ usr.bin/csplit/csplit.c 28 Sep 2015 20:15:11 -0000 
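Review bot: In the second column.c hunk the narrowing to `"stdio"` happens after `input(stdin);`, so standard input is parsed while the process still holds the earlier `"stdio rpath ioctl"` set. The point of dropping `rpath` is to have it gone before untrusted data is read. The call should move above the read: `if (tame("stdio", NULL) == -1) err(1, "tame");` followed by `input(stdin);`. The else branch already narrows before its fopen loop, so only the stdin branch needs to change.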
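Review bot: The request list in the compress/main.c hunk, `"stdio wpath cpath fattr"`, has no `rpath`, although every other utility in this diff that opens named files for reading asks for it. compress opens its input files further down, outside this hunk, so unless `wpath` also covers read-only opens those calls would be refused. Suggested: `if (tame("stdio rpath wpath cpath fattr", NULL) == -1)`. Testing a plain `compress file` run under the snapshot should confirm this.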
@@ -103,6 +103,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio rpath wpath cpath", NULL) == -1) + err(1, "tame"); + kflag = sflag = 0; prefix = "xx"; sufflen = 2; @@ -140,6 +143,8 @@ main(int argc, char *argv[]) if (strcmp(infn, "-") == 0) { infile = stdin; infn = "stdin"; + if (tame("stdio wpath cpath", NULL) != 0) + err(1, "tame"); } else if ((infile = fopen(infn, "r")) == NULL) err(1, "%s", infn); Index: usr.bin/cut/cut.c =================================================================== RCS file: /cvs/src/usr.bin/cut/cut.c,v retrieving revision 1.19 diff -u -p -u -r1.19 cut.c --- usr.bin/cut/cut.c 18 Aug 2015 17:10:48 -0000 1.19 +++ usr.bin/cut/cut.c 28 Sep 2015 20:15:11 -0000 @@ -63,6 +63,9 @@ main(int argc, char *argv[]) setlocale (LC_ALL, ""); + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + dchar = '\t'; /* default delimiter is \t */ /* Since we don't support multi-byte characters, the -c and -b Index: usr.bin/dc/dc.c =================================================================== RCS file: /cvs/src/usr.bin/dc/dc.c,v retrieving revision 1.13 diff -u -p -u -r1.13 dc.c --- usr.bin/dc/dc.c 26 Nov 2014 18:34:51 -0000 1.13 +++ usr.bin/dc/dc.c 28 Sep 2015 20:15:11 -0000 @@ -47,6 +47,8 @@ main(int argc, char *argv[]) char *buf, *p; struct stat st; + if (tame("stdio", NULL) == -1) + err(1, "tame"); if ((buf = strdup("")) == NULL) err(1, NULL); Index: usr.bin/deroff/deroff.c =================================================================== RCS file: /cvs/src/usr.bin/deroff/deroff.c,v retrieving revision 1.11 diff -u -p -u -r1.11 deroff.c --- usr.bin/deroff/deroff.c 9 Feb 2015 11:39:17 -0000 1.11 +++ usr.bin/deroff/deroff.c 28 Sep 2015 20:15:11 -0000 @@ -260,6 +260,9 @@ main(int ac, char **av) int errflg = 0; int kflag = NO; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + iflag = NO; wordflag = NO; msflag = NO; 
@@ -331,6 +334,8 @@ main(int ac, char **av) #endif /* DEBUG */ if (argc == 0) { infile = stdin; + if (tame("stdio", NULL) != 0) + err(1, "tame"); } else { infile = opn(argv[0]); --argc; Index: usr.bin/diff/diff.c =================================================================== RCS file: /cvs/src/usr.bin/diff/diff.c,v retrieving revision 1.59 diff -u -p -u -r1.59 diff.c --- usr.bin/diff/diff.c 29 Apr 2015 04:00:25 -0000 1.59 +++ usr.bin/diff/diff.c 28 Sep 2015 20:15:11 -0000 @@ -217,6 +217,10 @@ main(int argc, char **argv) argc -= optind; argv += optind; + if (lflag == 0) { + if (tame("stdio wpath rpath tmppath", NULL) == -1) + err(1, "tame"); + } /* * Do sanity checks, fill in stb1 and stb2 and call the appropriate * driver routine. Both drivers use the contents of stb1 and stb2. Index: usr.bin/diff3/diff3prog.c =================================================================== RCS file: /cvs/src/usr.bin/diff3/diff3prog.c,v retrieving revision 1.15 diff -u -p -u -r1.15 diff3prog.c --- usr.bin/diff3/diff3prog.c 5 Sep 2015 09:47:08 -0000 1.15 +++ usr.bin/diff3/diff3prog.c 28 Sep 2015 20:15:11 -0000 @@ -145,6 +145,9 @@ main(int argc, char **argv) { int ch, i, m, n; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + eflag = 0; oflag = 0; while ((ch = getopt(argc, argv, "EeXx3")) != -1) { Index: usr.bin/dirname/dirname.c =================================================================== RCS file: /cvs/src/usr.bin/dirname/dirname.c,v retrieving revision 1.13 diff -u -p -u -r1.13 dirname.c --- usr.bin/dirname/dirname.c 10 Aug 2010 22:05:36 -0000 1.13 +++ usr.bin/dirname/dirname.c 28 Sep 2015 20:15:11 -0000 
@@ -33,6 +33,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "")) != -1) { switch (ch) { default: Index: usr.bin/expand/expand.c =================================================================== RCS file: /cvs/src/usr.bin/expand/expand.c,v retrieving revision 1.12 diff -u -p -u -r1.12 expand.c --- usr.bin/expand/expand.c 26 Nov 2013 13:18:55 -0000 1.12 +++ usr.bin/expand/expand.c 28 Sep 2015 20:15:11 -0000 @@ -51,6 +51,9 @@ main(int argc, char *argv[]) int c, column; int n; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + /* handle obsolete syntax */ while (argc > 1 && argv[1][0] == '-' && isdigit((unsigned char)argv[1][1])) { Index: usr.bin/fgen/fgen.l =================================================================== RCS file: /cvs/src/usr.bin/fgen/fgen.l,v retrieving revision 1.10 diff -u -p -u -r1.10 fgen.l --- usr.bin/fgen/fgen.l 30 Dec 2013 21:52:21 -0000 1.10 +++ usr.bin/fgen/fgen.l 28 Sep 2015 20:15:11 -0000 @@ -960,6 +960,9 @@ main(argc, argv) char *hdrtype = "version1"; int i; + if (tame("stdio rpath wpath cpath", NULL) == -1) + err(1, "tame"); + outf = 1; /* stdout */ myname = argv[0]; Index: usr.bin/file/Makefile =================================================================== RCS file: /cvs/src/usr.bin/file/Makefile,v retrieving revision 1.15 diff -u -p -u -r1.15 Makefile --- usr.bin/file/Makefile 27 Apr 2015 13:52:17 -0000 1.15 +++ usr.bin/file/Makefile 28 Sep 2015 20:15:11 -0000 
@@ -1,7 +1,7 @@ # $OpenBSD: Makefile,v 1.15 2015/04/27 13:52:17 nicm Exp $ PROG= file -SRCS= file.c magic-dump.c magic-load.c magic-test.c magic-common.c sandbox.c \ +SRCS= file.c magic-dump.c magic-load.c magic-test.c magic-common.c \ text.c xmalloc.c MAN= file.1 magic.5 Index: usr.bin/file/file.c =================================================================== RCS file: /cvs/src/usr.bin/file/file.c,v retrieving revision 1.47 diff -u -p -u -r1.47 file.c --- usr.bin/file/file.c 12 Jul 2015 09:51:25 -0000 1.47 +++ usr.bin/file/file.c 28 Sep 2015 20:15:11 -0000 @@ -115,7 +115,7 @@ usage(void) int main(int argc, char **argv) { - int opt, pair[2], fd, idx; + int opt, pair[2], fd, idx, mode; char *home; struct passwd *pw; struct imsgbuf ibuf; @@ -191,8 +191,10 @@ main(int argc, char **argv) parent = getpid(); if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pair) != 0) err(1, "socketpair"); - pid = sandbox_fork(FILE_USER); - if (pid == 0) { + switch (pid = fork()) { + case -1: + err(1, "fork"); + case 0: close(pair[0]); child(pair[1], parent, argc, argv); } @@ -219,10 +221,21 @@ main(int argc, char **argv) fd = -1; msg.error = errno; } else { - fd = open(argv[idx], O_RDONLY|O_NONBLOCK); - if (fd == -1 && (errno == ENFILE || errno == EMFILE)) - err(1, "open"); - if (S_ISLNK(msg.sb.st_mode)) + /* + * tame(2) doesn't let us pass directory file + * descriptors around but we don't need them, so don't + * open directories or symlinks (which could be to + * directories). + */ + mode = msg.sb.st_mode; + if (!S_ISDIR(mode) && !S_ISLNK(mode)) { + fd = open(argv[idx], O_RDONLY|O_NONBLOCK); + if (fd == -1 && + (errno == ENFILE || errno == EMFILE)) + err(1, "open"); + } else + fd = -1; + if (S_ISLNK(mode)) read_link(&msg, argv[idx]); } send_message(&ibuf, &msg, sizeof msg, fd); 
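Review bot: In the third file.c hunk the new `!S_ISDIR(mode) && !S_ISLNK(mode)` test relies on the mode stored in `msg.sb` earlier, but `open(argv[idx], O_RDONLY|O_NONBLOCK)` resolves the path a second time. If the path is replaced by a symlink or directory between the two calls, the parent still gets a descriptor of the kind the comment says must not be passed. Opening with `O_RDONLY|O_NONBLOCK|O_NOFOLLOW` and re-checking the type with fstat() on the returned descriptor before `send_message()` would close that window. The stat call that fills `msg.sb` is outside the hunk, so its exact form should be checked.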
@@ -327,6 +340,7 @@ read_link(struct input_msg *msg, const c static __dead void child(int fd, pid_t parent, int argc, char **argv) { + struct passwd *pw; struct magic *m; struct imsgbuf ibuf; struct imsg imsg; @@ -335,6 +349,24 @@ child(int fd, pid_t parent, int argc, ch struct input_file inf; int i, idx; size_t len, width = 0; + + if (tame("stdio cmsg getpw proc", NULL) == -1) + err(1, "tame"); + + if (geteuid() == 0) { + pw = getpwnam(FILE_USER); + if (pw == NULL) + errx(1, "unknown user %s", FILE_USER); + if (setgroups(1, &pw->pw_gid) != 0) + err(1, "setgroups"); + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) + err(1, "setresgid"); + if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) + err(1, "setresuid"); + } + + if (tame("stdio cmsg", NULL) == -1) + err(1, "tame"); m = magic_load(magicfp, magicpath, cflag || Wflag); if (cflag) { Index: usr.bin/file/sandbox.c =================================================================== RCS file: /cvs/src/usr.bin/file/sandbox.c,v retrieving revision 1.9 diff -u -p -u -r1.9 sandbox.c --- usr.bin/file/sandbox.c 23 Aug 2015 18:31:41 -0000 1.9 +++ usr.bin/file/sandbox.c 28 Sep 2015 20:15:11 -0000 
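Review bot: The two tame calls added to child() need a comment, because the order is what makes the sandbox work and nothing in the code says so. The first list (`"stdio cmsg getpw proc"`) presumably exists only to allow `getpwnam()` and the setgroups/setresgid/setresuid sequence, and the second (`"stdio cmsg"`) is the set the magic parser actually runs under. Something like `/* getpw and proc are needed only to drop privileges; narrow again before touching any input */` above the first call would keep later edits from putting parsing work between the two. The body of child() continues outside the hunk.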
@@ -1,158 +0,0 @@ -/* $OpenBSD: sandbox.c,v 1.9 2015/08/23 18:31:41 guenther Exp $ */ - -/* - * Copyright (c) 2015 Nicholas Marriott <n...@openbsd.org> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER - * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include <sys/types.h> -#include <sys/ioctl.h> -#include <sys/syscall.h> -#include <sys/wait.h> - -#include <dev/systrace.h> - -#include <errno.h> -#include <fcntl.h> -#include <pwd.h> -#include <signal.h> -#include <unistd.h> - -#include "file.h" -#include "magic.h" -#include "xmalloc.h" - -static const struct -{ - int syscallnum; - int action; -} allowed_syscalls[] = { - { SYS_open, SYSTR_POLICY_NEVER }, /* for strerror */ - - { SYS_close, SYSTR_POLICY_PERMIT }, - { SYS_exit, SYSTR_POLICY_PERMIT }, - { SYS_fcntl, SYSTR_POLICY_PERMIT }, - { SYS_fstat, SYSTR_POLICY_PERMIT }, - { SYS_getdtablecount, SYSTR_POLICY_PERMIT }, - { SYS_getentropy, SYSTR_POLICY_PERMIT }, - { SYS_getpid, SYSTR_POLICY_PERMIT }, - { SYS_getrlimit, SYSTR_POLICY_PERMIT }, - { SYS_issetugid, SYSTR_POLICY_PERMIT }, - { SYS_kbind, SYSTR_POLICY_PERMIT }, - { SYS_madvise, SYSTR_POLICY_PERMIT }, - { SYS_mmap, SYSTR_POLICY_PERMIT }, - { SYS_mprotect, SYSTR_POLICY_PERMIT }, - { SYS_mquery, SYSTR_POLICY_PERMIT }, - { SYS_munmap, SYSTR_POLICY_PERMIT }, - { SYS_read, SYSTR_POLICY_PERMIT }, - { SYS_recvmsg, 
SYSTR_POLICY_PERMIT }, - { SYS_sendmsg, SYSTR_POLICY_PERMIT }, - { SYS_sigprocmask, SYSTR_POLICY_PERMIT }, - { SYS_write, SYSTR_POLICY_PERMIT }, - - { -1, -1 } -}; - -static int -sandbox_find(int syscallnum) -{ - int i; - - for (i = 0; allowed_syscalls[i].syscallnum != -1; i++) { - if (allowed_syscalls[i].syscallnum == syscallnum) - return (allowed_syscalls[i].action); - } - return (SYSTR_POLICY_KILL); -} - -static int -sandbox_child(const char *user) -{ - struct passwd *pw; - - if (geteuid() == 0) { - pw = getpwnam(user); - if (pw == NULL) - errx(1, "unknown user %s", user); - if (setgroups(1, &pw->pw_gid) != 0) - err(1, "setgroups"); - if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) - err(1, "setresgid"); - if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) - err(1, "setresuid"); - } - - if (kill(getpid(), SIGSTOP) != 0) - err(1, "kill(SIGSTOP)"); - return (0); -} - -int -sandbox_fork(const char *user) -{ - pid_t pid; - int status, devfd, fd, i; - struct systrace_policy policy; - - switch (pid = fork()) { - case -1: - err(1, "fork"); - case 0: - return (sandbox_child(user)); - } - - /* - * Wait for the child to stop itself with SIGSTOP before assigning the - * policy, before that it might still be calling syscalls the policy - * would block. 
- */ - do { - pid = waitpid(pid, &status, WUNTRACED); - } while (pid == -1 && errno == EINTR); - if (!WIFSTOPPED(status)) - errx(1, "child not stopped"); - - devfd = open("/dev/systrace", O_RDONLY); - if (devfd == -1) - err(1, "open(\"/dev/systrace\")"); - if (ioctl(devfd, STRIOCCLONE, &fd) == -1) - err(1, "ioctl(STRIOCCLONE)"); - close(devfd); - - if (ioctl(fd, STRIOCATTACH, &pid) == -1) - goto out; - - memset(&policy, 0, sizeof policy); - policy.strp_op = SYSTR_POLICY_NEW; - policy.strp_maxents = SYS_MAXSYSCALL; - if (ioctl(fd, STRIOCPOLICY, &policy) == -1) - err(1, "ioctl(STRIOCPOLICY/NEW)"); - policy.strp_op = SYSTR_POLICY_ASSIGN; - policy.strp_pid = pid; - if (ioctl(fd, STRIOCPOLICY, &policy) == -1) - err(1, "ioctl(STRIOCPOLICY/ASSIGN)"); - - for (i = 0; i < SYS_MAXSYSCALL; i++) { - policy.strp_op = SYSTR_POLICY_MODIFY; - policy.strp_code = i; - policy.strp_policy = sandbox_find(i); - if (ioctl(fd, STRIOCPOLICY, &policy) == -1) - err(1, "ioctl(STRIOCPOLICY/MODIFY)"); - } - -out: - if (kill(pid, SIGCONT) != 0) - err(1, "kill(SIGCONT)"); - return (pid); -} Index: usr.bin/finger/finger.c =================================================================== RCS file: /cvs/src/usr.bin/finger/finger.c,v retrieving revision 1.20 diff -u -p -u -r1.20 finger.c --- usr.bin/finger/finger.c 20 Aug 2015 22:32:41 -0000 1.20 +++ usr.bin/finger/finger.c 28 Sep 2015 20:15:11 -0000 @@ -126,6 +126,9 @@ main(int argc, char *argv[]) mflag++; } + if (tame("stdio getpw rpath inet", NULL) == -1) + err(1, "tame"); + (void)time(&now); setpassent(1); if (!*argv) { @@ -134,6 +137,8 @@ main(int argc, char *argv[]) * not selected. Force the -s BEFORE we get names so proper * screening will be done. */ + if (tame("stdio getpw rpath", NULL) == -1) + err(1, "tame"); if (!lflag) sflag = 1; /* if -l not explicit, force -s */ loginlist(); 
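Review bot: The first request list in finger's main, `"stdio getpw rpath inet"`, keeps `inet` for remote queries but has no `dns`, whereas the ping.c hunk in this same diff adds `dns` whenever a host name may have to be resolved. If the network path, which is outside these hunks, looks up the host part of `user@host` by name, that lookup would run without the request it needs. Suggested: `if (tame("stdio getpw rpath inet dns", NULL) == -1)`. The later narrowing to `"stdio getpw rpath"` for the local-only cases would stay as it is.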
@@ -213,6 +218,10 @@ userlist(int argc, char **argv) if (!dolocal) goto net; + + if (nettail == &nethead) + if (tame("stdio getpw rpath", NULL) == -1) + err(1, "tame"); /* * traverse the list of possible login names and check the login name Index: usr.bin/fmt/fmt.c =================================================================== RCS file: /cvs/src/usr.bin/fmt/fmt.c,v retrieving revision 1.30 diff -u -p -u -r1.30 fmt.c --- usr.bin/fmt/fmt.c 26 Nov 2013 13:18:55 -0000 1.30 +++ usr.bin/fmt/fmt.c 28 Sep 2015 20:15:11 -0000 @@ -255,6 +255,9 @@ main(int argc, char *argv[]) (void)setlocale(LC_CTYPE, ""); + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + /* 1. Grok parameters. */ while ((ch = getopt(argc, argv, "0123456789cd:hl:mnpst:w:")) != -1) { switch (ch) { @@ -337,6 +340,8 @@ main(int argc, char *argv[]) while (argc-- > 0) process_named_file(*argv++); } else { + if (tame("stdio", NULL) != 0) + err(1, "tame"); process_stream(stdin, "standard input"); } Index: usr.bin/fold/fold.c =================================================================== RCS file: /cvs/src/usr.bin/fold/fold.c,v retrieving revision 1.15 diff -u -p -u -r1.15 fold.c --- usr.bin/fold/fold.c 6 Feb 2015 09:10:55 -0000 1.15 +++ usr.bin/fold/fold.c 28 Sep 2015 20:15:11 -0000 @@ -56,6 +56,9 @@ main(int argc, char *argv[]) unsigned int width; const char *errstr; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + width = 0; lastch = '\0'; prevoptind = 1; 
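Review bot: The userlist() hunk nests two unbraced `if` statements, `if (nettail == &nethead)` directly over `if (tame(...) == -1)`, which is easy to misread and fragile if an `else` is ever added. One condition says the same thing: `if (nettail == &nethead && tame("stdio getpw rpath", NULL) == -1) err(1, "tame");`. A short comment such as `/* no remote names were queued, so inet is no longer needed */` would also explain the test, assuming that is what the comparison means. The function body continues outside the hunk.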
@@ -99,14 +102,19 @@ main(int argc, char *argv[]) if (width == 0) width = DEFLINEWIDTH; - if (!*argv) + if (!*argv) { + if (tame("stdio", NULL) != 0) + err(1, "tame"); fold(width); - else for (; *argv; ++argv) - if (!freopen(*argv, "r", stdin)) { - err(1, "%s", *argv); - /* NOTREACHED */ - } else - fold(width); + } else { + for (; *argv; ++argv) { + if (!freopen(*argv, "r", stdin)) + err(1, "%s", *argv); + /* NOTREACHED */ + else + fold(width); + } + } exit(0); } Index: usr.bin/from/from.c =================================================================== RCS file: /cvs/src/usr.bin/from/from.c,v retrieving revision 1.20 diff -u -p -u -r1.20 from.c --- usr.bin/from/from.c 3 Jun 2015 18:08:54 -0000 1.20 +++ usr.bin/from/from.c 28 Sep 2015 20:15:11 -0000 @@ -80,6 +80,8 @@ main(int argc, char *argv[]) exit(EXIT_SUCCESS); err(1, "%s", file); } + if (tame("stdio", NULL) == -1) + err(1, "tame"); for (newline = 1; (linelen = getline(&line, &linesize, fp)) != -1;) { if (*line == '\n') { newline = 1; @@ -98,6 +100,9 @@ char * mail_spool(char *file, const char *user) { struct passwd *pwd; + + if (tame("stdio rpath getpw", NULL) != 0) + err(1, "tame"); /* * We find the mailbox by: Index: usr.bin/getopt/getopt.c =================================================================== RCS file: /cvs/src/usr.bin/getopt/getopt.c,v retrieving revision 1.8 diff -u -p -u -r1.8 getopt.c --- usr.bin/getopt/getopt.c 27 Oct 2009 23:59:38 -0000 1.8 +++ usr.bin/getopt/getopt.c 28 Sep 2015 20:15:11 -0000 @@ -8,6 +8,7 @@ #include <stdio.h> #include <stdlib.h> #include <unistd.h> +#include <err.h> int main(int argc, char *argv[]) 
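Review bot: In the second fold.c hunk the rewritten loop leaves `/* NOTREACHED */` between the unbraced `err(1, "%s", *argv);` and its `else`. It compiles, but it reads as if the comment were the if-body. Since err() does not return, the else can go: `if (!freopen(*argv, "r", stdin)) err(1, "%s", *argv);` followed by `fold(width);`. Behaviour is unchanged.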
@@ -16,6 +17,9 @@ main(int argc, char *argv[]) extern char *optarg; int c; int status = 0; + + if (tame("stdio", NULL) == -1) + err(1, "tame"); optind = 2; /* Past the program name and the option letters. */ while ((c = getopt(argc, argv, argv[1])) != -1) Index: usr.bin/grep/grep.c =================================================================== RCS file: /cvs/src/usr.bin/grep/grep.c,v retrieving revision 1.52 diff -u -p -u -r1.52 grep.c --- usr.bin/grep/grep.c 27 Aug 2015 05:11:39 -0000 1.52 +++ usr.bin/grep/grep.c 28 Sep 2015 20:15:11 -0000 @@ -238,6 +238,9 @@ main(int argc, char *argv[]) char **expr; const char *errstr; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + SLIST_INIT(&patfilelh); switch (__progname[0]) { case 'e': Index: usr.bin/head/head.c =================================================================== RCS file: /cvs/src/usr.bin/head/head.c,v retrieving revision 1.18 diff -u -p -u -r1.18 head.c --- usr.bin/head/head.c 8 Oct 2014 08:31:53 -0000 1.18 +++ usr.bin/head/head.c 28 Sep 2015 20:15:11 -0000 @@ -55,6 +55,9 @@ main(int argc, char *argv[]) char *p = NULL; int status = 0; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + /* handle obsolete -number syntax */ if (argc > 1 && argv[1][0] == '-' && isdigit((unsigned char)argv[1][1])) { @@ -87,6 +90,8 @@ main(int argc, char *argv[]) if (!firsttime) exit(status); fp = stdin; + if (tame("stdio", NULL) != 0) + err(1, "tame"); } else { if ((fp = fopen(*argv, "r")) == NULL) { warn("%s", *argv++); Index: usr.bin/hexdump/hexdump.c =================================================================== RCS file: /cvs/src/usr.bin/hexdump/hexdump.c,v retrieving revision 1.17 diff -u -p -u -r1.17 hexdump.c --- usr.bin/hexdump/hexdump.c 16 Jan 2015 06:40:08 -0000 1.17 +++ usr.bin/hexdump/hexdump.c 28 Sep 2015 20:15:11 -0000 @@ -33,6 +33,7 @@ #include <err.h> #include <stdio.h> #include <stdlib.h> +#include <unistd.h> #include <string.h> #include "hexdump.h" 
@@ -52,6 +53,9 @@ main(int argc, char *argv[]) { FS *tfs; char *p; + + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); if (!(p = strrchr(argv[0], 'o')) || strcmp(p, "od")) newsyntax(argc, &argv); Index: usr.bin/id/id.c =================================================================== RCS file: /cvs/src/usr.bin/id/id.c,v retrieving revision 1.23 diff -u -p -u -r1.23 id.c --- usr.bin/id/id.c 19 May 2015 16:03:19 -0000 1.23 +++ usr.bin/id/id.c 28 Sep 2015 20:15:11 -0000 @@ -105,6 +105,9 @@ main(int argc, char *argv[]) argc -= optind; argv += optind; + if (tame("stdio getpw", NULL) == -1) + err(1, "tame"); + switch (cflag + Gflag + gflag + pflag + uflag) { case 1: break; Index: usr.bin/indent/indent.c =================================================================== RCS file: /cvs/src/usr.bin/indent/indent.c,v retrieving revision 1.27 diff -u -p -u -r1.27 indent.c --- usr.bin/indent/indent.c 20 Aug 2015 22:32:41 -0000 1.27 +++ usr.bin/indent/indent.c 28 Sep 2015 20:15:11 -0000 @@ -78,6 +78,8 @@ main(int argc, char **argv) int last_else = 0; /* true iff last keyword was an else */ + if (tame("stdio rpath wpath cpath tmppath", NULL) == -1) + err(1, "tame"); /*-----------------------------------------------*\ | INITIALIZATION | Index: usr.bin/infocmp/infocmp.c =================================================================== RCS file: /cvs/src/usr.bin/infocmp/infocmp.c,v retrieving revision 1.20 diff -u -p -u -r1.20 infocmp.c --- usr.bin/infocmp/infocmp.c 12 Jan 2010 23:22:13 -0000 1.20 +++ usr.bin/infocmp/infocmp.c 28 Sep 2015 20:15:11 -0000 
@@ -1282,6 +1282,9 @@ main(int argc, char *argv[]) bool init_analyze = FALSE; bool suppress_untranslatable = FALSE; + if (tame("stdio rpath", NULL) == -1) + perror("tame"); + /* where is the terminfo database location going to default to? */ restdir = firstdir = 0; Index: usr.bin/join/join.c =================================================================== RCS file: /cvs/src/usr.bin/join/join.c,v retrieving revision 1.25 diff -u -p -u -r1.25 join.c --- usr.bin/join/join.c 21 Jul 2015 04:42:59 -0000 1.25 +++ usr.bin/join/join.c 28 Sep 2015 20:15:11 -0000 @@ -104,6 +104,9 @@ main(int argc, char *argv[]) int aflag, ch, cval, vflag; char *end; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + F1 = &input1; F2 = &input2; Index: usr.bin/jot/jot.c =================================================================== RCS file: /cvs/src/usr.bin/jot/jot.c,v retrieving revision 1.24 diff -u -p -u -r1.24 jot.c --- usr.bin/jot/jot.c 21 Jul 2015 04:04:06 -0000 1.24 +++ usr.bin/jot/jot.c 28 Sep 2015 20:15:11 -0000 @@ -84,6 +84,9 @@ main(int argc, char *argv[]) int ch; const char *errstr; + if (tame("stdio", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "rb:w:cs:np:")) != -1) switch (ch) { case 'r': Index: usr.bin/kdump/kdump.c =================================================================== RCS file: /cvs/src/usr.bin/kdump/kdump.c,v retrieving revision 1.105 diff -u -p -u -r1.105 kdump.c --- usr.bin/kdump/kdump.c 13 Sep 2015 17:08:03 -0000 1.105 +++ usr.bin/kdump/kdump.c 28 Sep 2015 20:15:11 -0000 
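Review bot: In the infocmp.c hunk a failed tame() is only reported with `perror("tame")` and main then carries on, so the program runs with no restriction at all when the call fails. Every other utility in this diff exits on failure with `err(1, "tame")`; the patch.c, pr.c, tic.c and yes.c hunks share the same fail-open pattern. I would make the failure fatal in all five, e.g. `err(1, "tame");`, adding `#include <err.h>` where the file lacks it (the yes.c hunk adds only `<unistd.h>`, and the include lists of the others are not visible here). main continues outside each of these hunks.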
@@ -240,6 +240,9 @@ main(int argc, char *argv[]) if (argc > optind) usage(); + if (tame("malloc rpath", NULL) == -1) + err(1, "tame"); + m = malloc(size = 1025); if (m == NULL) err(1, NULL); Index: usr.bin/lam/lam.c =================================================================== RCS file: /cvs/src/usr.bin/lam/lam.c,v retrieving revision 1.17 diff -u -p -u -r1.17 lam.c --- usr.bin/lam/lam.c 16 Jan 2015 06:40:09 -0000 1.17 +++ usr.bin/lam/lam.c 28 Sep 2015 20:15:11 -0000 @@ -71,6 +71,9 @@ main(int argc, char *argv[]) { int i; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + /* Process arguments, set numfiles to file argument count. */ getargs(argc, argv); if (numfiles == 0) Index: usr.bin/lastcomm/lastcomm.c =================================================================== RCS file: /cvs/src/usr.bin/lastcomm/lastcomm.c,v retrieving revision 1.21 diff -u -p -u -r1.21 lastcomm.c --- usr.bin/lastcomm/lastcomm.c 15 Mar 2015 00:41:28 -0000 1.21 +++ usr.bin/lastcomm/lastcomm.c 28 Sep 2015 20:15:11 -0000 @@ -69,6 +69,9 @@ main(int argc, char *argv[]) int ch; char *acctfile; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + acctfile = _PATH_ACCT; while ((ch = getopt(argc, argv, "f:")) != -1) switch(ch) { Index: usr.bin/leave/leave.c =================================================================== RCS file: /cvs/src/usr.bin/leave/leave.c,v retrieving revision 1.15 diff -u -p -u -r1.15 leave.c --- usr.bin/leave/leave.c 16 Jan 2015 06:40:09 -0000 1.15 +++ usr.bin/leave/leave.c 28 Sep 2015 20:15:11 -0000 
@@ -62,7 +62,10 @@ main(int argc, char *argv[]) time_t now; int plusnow = 0, twentyfour; char buf[50]; - + + if (tame("stdio proc", NULL) == -1) + err(1, "tame"); + if (setvbuf(stdout, NULL, _IOLBF, 0) != 0) errx(1, "Cannot set stdout to line buffered."); Index: usr.bin/logger/logger.c =================================================================== RCS file: /cvs/src/usr.bin/logger/logger.c,v retrieving revision 1.14 diff -u -p -u -r1.14 logger.c --- usr.bin/logger/logger.c 18 Apr 2015 18:28:37 -0000 1.14 +++ usr.bin/logger/logger.c 28 Sep 2015 20:15:11 -0000 @@ -37,6 +37,7 @@ #include <stdio.h> #include <ctype.h> #include <string.h> +#include <err.h> #define SYSLOG_NAMES #include <syslog.h> @@ -91,6 +92,9 @@ main(int argc, char *argv[]) /* setup for logging */ openlog(tag ? tag : getlogin(), logflags, 0); (void) fclose(stdout); + + if (tame("stdio", NULL) == -1) + err(1, "tame"); /* log input line if appropriate */ if (argc > 0) { Index: usr.bin/logname/logname.c =================================================================== RCS file: /cvs/src/usr.bin/logname/logname.c,v retrieving revision 1.7 diff -u -p -u -r1.7 logname.c --- usr.bin/logname/logname.c 27 Oct 2009 23:59:40 -0000 1.7 +++ usr.bin/logname/logname.c 28 Sep 2015 20:15:11 -0000 @@ -46,6 +46,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio getpw", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "")) != -1) switch (ch) { case '?': Index: usr.bin/look/look.c =================================================================== RCS file: /cvs/src/usr.bin/look/look.c,v retrieving revision 1.16 diff -u -p -u -r1.16 look.c --- usr.bin/look/look.c 6 Feb 2015 23:21:59 -0000 1.16 +++ usr.bin/look/look.c 28 Sep 2015 20:15:11 -0000 
@@ -88,6 +88,9 @@ main(int argc, char *argv[]) int ch, fd, termchar; char *back, *file, *front, *string, *p; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + file = _PATH_WORDS; termchar = '\0'; while ((ch = getopt(argc, argv, "dft:")) != -1) Index: usr.bin/mktemp/mktemp.c =================================================================== RCS file: /cvs/src/usr.bin/mktemp/mktemp.c,v retrieving revision 1.20 diff -u -p -u -r1.20 mktemp.c --- usr.bin/mktemp/mktemp.c 6 Aug 2013 21:56:51 -0000 1.20 +++ usr.bin/mktemp/mktemp.c 28 Sep 2015 20:15:11 -0000 @@ -38,6 +38,9 @@ main(int argc, char *argv[]) char *cp, *template, *tempfile, *prefix = _PATH_TMP; size_t len; + if (tame("stdio wpath cpath", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "dp:qtu")) != -1) switch(ch) { case 'd': Index: usr.bin/nl/nl.c =================================================================== RCS file: /cvs/src/usr.bin/nl/nl.c,v retrieving revision 1.4 diff -u -p -u -r1.4 nl.c --- usr.bin/nl/nl.c 21 Jan 2015 22:28:09 -0000 1.4 +++ usr.bin/nl/nl.c 28 Sep 2015 20:15:11 -0000 @@ -118,6 +118,9 @@ main(int argc, char *argv[]) (void)setlocale(LC_ALL, ""); + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + while ((c = getopt(argc, argv, "pb:d:f:h:i:l:n:s:v:w:")) != -1) { switch (c) { case 'p': 
@@ -204,10 +207,15 @@ main(int argc, char *argv[]) switch (argc) { case 0: + /* Read from stdin. */ + if (tame("stdio", NULL) != 0) + err(1, "tame"); break; case 1: - if (strcmp(argv[0], "-") != 0 && - freopen(argv[0], "r", stdin) == NULL) + if (strcmp(argv[0], "-") == 0) + if (tame("stdio", NULL) != 0) + err(1, "tame"); + else if (freopen(argv[0], "r", stdin) == NULL) err(EXIT_FAILURE, "%s", argv[0]); break; default: Index: usr.bin/nm/nm.c =================================================================== RCS file: /cvs/src/usr.bin/nm/nm.c,v retrieving revision 1.47 diff -u -p -u -r1.47 nm.c --- usr.bin/nm/nm.c 13 Aug 2015 19:13:28 -0000 1.47 +++ usr.bin/nm/nm.c 28 Sep 2015 20:15:11 -0000 @@ -135,6 +135,9 @@ main(int argc, char *argv[]) const struct option *lopts; int ch, eval; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + optstr = OPTSTRING_NM; lopts = longopts_nm; if (!strcmp(__progname, "size")) { Index: usr.bin/paste/paste.c =================================================================== RCS file: /cvs/src/usr.bin/paste/paste.c,v retrieving revision 1.19 diff -u -p -u -r1.19 paste.c --- usr.bin/paste/paste.c 25 Nov 2014 10:20:24 -0000 1.19 +++ usr.bin/paste/paste.c 28 Sep 2015 20:15:11 -0000 @@ -57,6 +57,9 @@ main(int argc, char *argv[]) extern int optind; int ch, seq; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + seq = 0; while ((ch = getopt(argc, argv, "d:s")) != -1) { switch (ch) { Index: usr.bin/patch/patch.c =================================================================== RCS file: /cvs/src/usr.bin/patch/patch.c,v retrieving revision 1.54 diff -u -p -u -r1.54 patch.c --- usr.bin/patch/patch.c 13 Dec 2014 10:31:07 -0000 1.54 +++ usr.bin/patch/patch.c 28 Sep 2015 20:15:11 -0000 
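Review bot: In `case 1:` of the nl.c hunk the new `else if (freopen(...))` follows an unbraced nested `if`, so it binds to the inner `if (tame("stdio", NULL) != 0)` and not to the `strcmp` test. As written, a file operand other than `-` is never opened, so nl would silently read the original stdin. For `-`, a successful tame() is followed by `freopen("-", "r", stdin)` after the request has already been narrowed to `stdio`. Bracing the outer branch restores the intended logic: `if (strcmp(argv[0], "-") == 0) {` … `} else if (freopen(argv[0], "r", stdin) == NULL)`. The enclosing switch and main extend beyond the hunk.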
@@ -147,6 +147,9 @@ main(int argc, char *argv[]) const char *tmpdir; char *v; + if (tame("stdio rpath wpath cpath tmppath fattr", NULL) == -1) + perror("tame"); + setvbuf(stdout, NULL, _IOLBF, 0); setvbuf(stderr, NULL, _IOLBF, 0); for (i = 0; i < MAXFILEC; i++) Index: usr.bin/pr/pr.c =================================================================== RCS file: /cvs/src/usr.bin/pr/pr.c,v retrieving revision 1.36 diff -u -p -u -r1.36 pr.c --- usr.bin/pr/pr.c 20 Aug 2015 22:32:41 -0000 1.36 +++ usr.bin/pr/pr.c 28 Sep 2015 20:15:11 -0000 @@ -140,6 +140,9 @@ main(int argc, char *argv[]) { int ret_val; + if (tame("stdio rpath", NULL) == -1) + perror("tame"); + if (signal(SIGINT, SIG_IGN) != SIG_IGN) (void)signal(SIGINT, terminate); ret_val = setup(argc, argv); Index: usr.bin/printenv/printenv.c =================================================================== RCS file: /cvs/src/usr.bin/printenv/printenv.c,v retrieving revision 1.6 diff -u -p -u -r1.6 printenv.c --- usr.bin/printenv/printenv.c 27 Oct 2009 23:59:41 -0000 1.6 +++ usr.bin/printenv/printenv.c 28 Sep 2015 20:15:11 -0000 @@ -32,6 +32,8 @@ #include <stdio.h> #include <string.h> #include <stdlib.h> +#include <unistd.h> +#include <err.h> /* * printenv @@ -45,6 +47,9 @@ main(int argc, char *argv[]) extern char **environ; char *cp, **ep; int len; + + if (tame("stdio", NULL) == -1) + err(1, "tame"); if (argc < 2) { for (ep = environ; *ep; ep++) Index: usr.bin/printf/printf.c =================================================================== RCS file: /cvs/src/usr.bin/printf/printf.c,v retrieving revision 1.22 diff -u -p -u -r1.22 printf.c --- usr.bin/printf/printf.c 25 May 2014 07:36:36 -0000 1.22 +++ usr.bin/printf/printf.c 28 Sep 2015 20:15:11 -0000 @@ -32,6 +32,7 @@ #include <ctype.h> #include <stdio.h> #include <stdlib.h> +#include <unistd.h> #include <string.h> #include <limits.h> #include <locale.h> 
@@ -80,6 +81,9 @@ main(int argc, char *argv[]) char *format; setlocale (LC_ALL, ""); + + if (tame("stdio", NULL) == -1) + err(1, "tame"); /* Need to accept/ignore "--" option. */ if (argc > 1 && strcmp(argv[1], "--") == 0) { Index: usr.bin/readlink/readlink.c =================================================================== RCS file: /cvs/src/usr.bin/readlink/readlink.c,v retrieving revision 1.25 diff -u -p -u -r1.25 readlink.c --- usr.bin/readlink/readlink.c 1 May 2009 10:36:48 -0000 1.25 +++ usr.bin/readlink/readlink.c 28 Sep 2015 20:15:11 -0000 @@ -44,6 +44,9 @@ main(int argc, char *argv[]) int n, ch, nflag = 0, fflag = 0; extern int optind; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "fn")) != -1) switch (ch) { case 'f': Index: usr.bin/rev/rev.c =================================================================== RCS file: /cvs/src/usr.bin/rev/rev.c,v retrieving revision 1.10 diff -u -p -u -r1.10 rev.c --- usr.bin/rev/rev.c 27 Oct 2009 23:59:42 -0000 1.10 +++ usr.bin/rev/rev.c 28 Sep 2015 20:15:11 -0000 @@ -49,6 +49,9 @@ main(int argc, char *argv[]) size_t len; int ch, rval; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "")) != -1) switch(ch) { case '?': @@ -71,6 +74,9 @@ main(int argc, char *argv[]) continue; } filename = *argv++; + } else { + if (tame("stdio", NULL) == -1) + err(1, "tame"); } while ((p = fgetln(fp, &len)) != NULL) { if (p[len - 1] == '\n') Index: usr.bin/rs/rs.c =================================================================== RCS file: /cvs/src/usr.bin/rs/rs.c,v retrieving revision 1.25 diff -u -p -u -r1.25 rs.c --- usr.bin/rs/rs.c 20 Aug 2015 22:32:41 -0000 1.25 +++ usr.bin/rs/rs.c 28 Sep 2015 20:15:11 -0000 
@@ -93,6 +93,9 @@ void putfile(void); int main(int argc, char *argv[]) { + if (tame("stdio", NULL) == -1) + err(1, "tame"); + getargs(argc, argv); getfile(); if (flags & SHAPEONLY) { Index: usr.bin/script/script.c =================================================================== RCS file: /cvs/src/usr.bin/script/script.c,v retrieving revision 1.27 diff -u -p -u -r1.27 script.c --- usr.bin/script/script.c 19 Jul 2015 06:12:06 -0000 1.27 +++ usr.bin/script/script.c 28 Sep 2015 20:15:11 -0000 @@ -165,6 +165,9 @@ main(int argc, char *argv[]) sa.sa_handler = finish; (void)sigaction(SIGCHLD, &sa, NULL); + if (tame("stdio ioctl", NULL) == -1) + err(1, "tame"); + (void)fclose(fscript); while (1) { if (dead) @@ -247,6 +250,9 @@ dooutput(void) sigemptyset(&sa.sa_mask); sa.sa_handler = SIG_IGN; (void)sigaction(SIGCHLD, &sa, NULL); + + if (tame("stdio", NULL) != 0) + err(1, "tame"); value.it_interval.tv_sec = 30; value.it_interval.tv_usec = 0; Index: usr.bin/sed/main.c =================================================================== RCS file: /cvs/src/usr.bin/sed/main.c,v retrieving revision 1.24 diff -u -p -u -r1.24 main.c --- usr.bin/sed/main.c 19 Jul 2015 17:21:21 -0000 1.24 +++ usr.bin/sed/main.c 29 Sep 2015 14:22:53 -0000 @@ -159,6 +159,14 @@ main(int argc, char *argv[]) if (termwidth == 0) termwidth = 60; + if (inplace != NULL) { + if (tame("stdio wpath rpath cpath fattr", NULL) == -1) + err(1, "tame"); + } else { + if (tame("stdio wpath rpath cpath", NULL) == -1) + err(1, "tame"); + } + /* First usage case; script is the first arg */ if (!eflag && !fflag && *argv) { add_compunit(CU_STRING, *argv); Index: usr.bin/split/split.c =================================================================== RCS file: /cvs/src/usr.bin/split/split.c,v retrieving revision 1.18 diff -u -p -u -r1.18 split.c --- usr.bin/split/split.c 16 Jan 2015 06:40:12 -0000 1.18 +++ usr.bin/split/split.c 28 Sep 2015 20:15:11 -0000 
@@ -68,6 +68,9 @@ main(int argc, char *argv[]) char *ep, *p; const char *errstr; + if (tame("stdio rpath wpath cpath", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "0123456789a:b:l:p:-")) != -1) switch (ch) { case '0': case '1': case '2': case '3': case '4': Index: usr.bin/stat/stat.c =================================================================== RCS file: /cvs/src/usr.bin/stat/stat.c,v retrieving revision 1.18 diff -u -p -u -r1.18 stat.c --- usr.bin/stat/stat.c 26 Nov 2013 21:08:12 -0000 1.18 +++ usr.bin/stat/stat.c 28 Sep 2015 20:15:11 -0000 @@ -158,6 +158,9 @@ main(int argc, char *argv[]) int lsF, fmtchar, usestat, fn, nonl, quiet; char *statfmt, *options, *synopsis; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + lsF = 0; fmtchar = '\0'; usestat = 0; Index: usr.bin/tail/tail.c =================================================================== RCS file: /cvs/src/usr.bin/tail/tail.c,v retrieving revision 1.17 diff -u -p -u -r1.17 tail.c --- usr.bin/tail/tail.c 27 Oct 2009 23:59:44 -0000 1.17 +++ usr.bin/tail/tail.c 28 Sep 2015 20:15:11 -0000 @@ -61,6 +61,9 @@ main(int argc, char *argv[]) int ch, first; char *p; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + /* * Tail's options are weird. First, -n10 is the same as -n-10, not * -n+10. Second, the number options are 1 based and not offsets, Index: usr.bin/tee/tee.c =================================================================== RCS file: /cvs/src/usr.bin/tee/tee.c,v retrieving revision 1.8 diff -u -p -u -r1.8 tee.c --- usr.bin/tee/tee.c 23 Apr 2013 17:48:17 -0000 1.8 +++ usr.bin/tee/tee.c 28 Sep 2015 20:15:11 -0000 
@@ -74,6 +74,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio rpath wpath cpath", NULL) == -1) + err(1, "tame"); + append = 0; while ((ch = getopt(argc, argv, "ai")) != -1) { switch(ch) { Index: usr.bin/tic/tic.c =================================================================== RCS file: /cvs/src/usr.bin/tic/tic.c,v retrieving revision 1.31 diff -u -p -u -r1.31 tic.c --- usr.bin/tic/tic.c 28 Nov 2013 18:24:55 -0000 1.31 +++ usr.bin/tic/tic.c 30 Sep 2015 18:03:04 -0000 @@ -499,6 +499,9 @@ main(int argc, char *argv[]) bool check_only = FALSE; bool suppress_untranslatable = FALSE; + if (tame("stdio rpath cpath", NULL) == -1) + perror("tame"); + log_fp = stderr; _nc_progname = _nc_rootname(argv[0]); Index: usr.bin/touch/touch.c =================================================================== RCS file: /cvs/src/usr.bin/touch/touch.c,v retrieving revision 1.23 diff -u -p -u -r1.23 touch.c --- usr.bin/touch/touch.c 17 Mar 2015 19:31:30 -0000 1.23 +++ usr.bin/touch/touch.c 28 Sep 2015 20:15:11 -0000 @@ -60,6 +60,9 @@ main(int argc, char *argv[]) (void)setlocale(LC_ALL, ""); + if (tame("stdio wpath cpath fattr", NULL) == -1) + err(1, "tame"); + aflag = cflag = mflag = timeset = 0; while ((ch = getopt(argc, argv, "acd:fmr:t:")) != -1) switch (ch) { Index: usr.bin/tr/tr.c =================================================================== RCS file: /cvs/src/usr.bin/tr/tr.c,v retrieving revision 1.17 diff -u -p -u -r1.17 tr.c --- usr.bin/tr/tr.c 3 Jun 2014 20:57:23 -0000 1.17 +++ usr.bin/tr/tr.c 28 Sep 2015 20:15:11 -0000 
@@ -87,6 +87,9 @@ main(int argc, char *argv[]) int ch, cnt, lastch, *p; int cflag, dflag, sflag, isstring2; + if (tame("stdio", NULL) == -1) + err(1, "tame"); + cflag = dflag = sflag = 0; while ((ch = getopt(argc, argv, "Ccds")) != -1) switch(ch) { Index: usr.bin/uname/uname.c =================================================================== RCS file: /cvs/src/usr.bin/uname/uname.c,v retrieving revision 1.14 diff -u -p -u -r1.14 uname.c --- usr.bin/uname/uname.c 21 Jul 2015 16:22:59 -0000 1.14 +++ usr.bin/uname/uname.c 28 Sep 2015 20:15:11 -0000 @@ -59,6 +59,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio", NULL) == -1) + err(1, "tame"); + while ((c = getopt(argc, argv, "amnrsvp")) != -1 ) { switch (c) { case 'a': Index: usr.bin/uniq/uniq.c =================================================================== RCS file: /cvs/src/usr.bin/uniq/uniq.c,v retrieving revision 1.19 diff -u -p -u -r1.19 uniq.c --- usr.bin/uniq/uniq.c 26 Nov 2013 19:25:39 -0000 1.19 +++ usr.bin/uniq/uniq.c 28 Sep 2015 20:15:11 -0000 @@ -61,6 +61,9 @@ main(int argc, char *argv[]) int ch; char *prevline, *thisline; + if (tame("stdio rpath wpath", NULL) == -1) + err(1, "tame"); + obsolete(argv); while ((ch = getopt(argc, argv, "cdf:s:u")) != -1) { const char *errstr; @@ -118,6 +121,9 @@ main(int argc, char *argv[]) default: usage(); } + + if (tame("stdio", NULL) != 0) + err(1, "tame"); prevline = malloc(MAXLINELEN); thisline = malloc(MAXLINELEN); Index: usr.bin/units/units.c =================================================================== RCS file: /cvs/src/usr.bin/units/units.c,v retrieving revision 1.20 diff -u -p -u -r1.20 units.c --- usr.bin/units/units.c 27 Nov 2013 00:13:24 -0000 1.20 +++ usr.bin/units/units.c 28 Sep 2015 20:15:11 -0000 @@ -23,6 +23,7 @@ #include <string.h> #include <stdlib.h> #include <unistd.h> +#include <err.h> #define UNITSFILE "/usr/share/misc/units.lib" 
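Review bot: In the uniq.c hunk the first request is `"stdio rpath wpath"` with no `cpath`, whereas tee.c, split.c and sed/main.c in this diff, which also write to named files, all include it. The code that opens uniq's files sits between the two hunks and is not visible, so this is a question rather than a confirmed bug: if the output operand may name a file that does not exist yet, creating it would presumably need `cpath`. If so, use `if (tame("stdio rpath wpath cpath", NULL) == -1)`; if not, a one-line comment at the call saying why creation is never needed would help the next reader.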
@@ -630,6 +631,9 @@ main(int argc, char **argv) extern char *optarg; extern int optind; + + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); while ((optchar = getopt(argc, argv, "vqf:")) != -1) { switch (optchar) { Index: usr.bin/unvis/unvis.c =================================================================== RCS file: /cvs/src/usr.bin/unvis/unvis.c,v retrieving revision 1.12 diff -u -p -u -r1.12 unvis.c --- usr.bin/unvis/unvis.c 22 Jan 2014 09:45:21 -0000 1.12 +++ usr.bin/unvis/unvis.c 28 Sep 2015 20:15:11 -0000 @@ -43,6 +43,9 @@ main(int argc, char *argv[]) FILE *fp; int ch; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "")) != -1) switch(ch) { case '?': Index: usr.bin/users/users.c =================================================================== RCS file: /cvs/src/usr.bin/users/users.c,v retrieving revision 1.11 diff -u -p -u -r1.11 users.c --- usr.bin/users/users.c 8 Oct 2014 04:11:28 -0000 1.11 +++ usr.bin/users/users.c 28 Sep 2015 20:15:11 -0000 @@ -53,6 +53,9 @@ main(int argc, char *argv[]) struct utmp utmp; int ch; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "")) != -1) switch(ch) { case '?': Index: usr.bin/vacation/vacation.c =================================================================== RCS file: /cvs/src/usr.bin/vacation/vacation.c,v retrieving revision 1.37 diff -u -p -u -r1.37 vacation.c --- usr.bin/vacation/vacation.c 20 Aug 2015 22:32:42 -0000 1.37 +++ usr.bin/vacation/vacation.c 28 Sep 2015 20:15:11 -0000 @@ -49,6 +49,7 @@ #include <stdlib.h> #include <string.h> #include <paths.h> +#include <err.h> /* * VACATION -- return a message to the sender when on vacation. 
@@ -92,6 +93,9 @@ main(int argc, char *argv[]) time_t interval; struct stat sb; ALIAS *cur; + + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); opterr = iflag = 0; interval = -1; Index: usr.bin/vis/vis.c =================================================================== RCS file: /cvs/src/usr.bin/vis/vis.c,v retrieving revision 1.17 diff -u -p -u -r1.17 vis.c --- usr.bin/vis/vis.c 18 Apr 2015 18:28:38 -0000 1.17 +++ usr.bin/vis/vis.c 28 Sep 2015 20:15:11 -0000 @@ -55,6 +55,9 @@ main(int argc, char *argv[]) FILE *fp; int ch; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "anwctsobfF:ld")) != -1) switch(ch) { case 'a': Index: usr.bin/wc/wc.c =================================================================== RCS file: /cvs/src/usr.bin/wc/wc.c,v retrieving revision 1.17 diff -u -p -u -r1.17 wc.c --- usr.bin/wc/wc.c 16 Jan 2015 06:40:14 -0000 1.17 +++ usr.bin/wc/wc.c 28 Sep 2015 20:15:11 -0000 @@ -57,6 +57,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + while ((ch = getopt(argc, argv, "lwchm")) != -1) switch(ch) { case 'l': Index: usr.bin/what/what.c =================================================================== RCS file: /cvs/src/usr.bin/what/what.c,v retrieving revision 1.13 diff -u -p -u -r1.13 what.c --- usr.bin/what/what.c 22 Jan 2015 19:10:17 -0000 1.13 +++ usr.bin/what/what.c 28 Sep 2015 20:15:11 -0000 @@ -58,6 +58,9 @@ main(int argc, char *argv[]) char match[256]; int c; + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + matches = sflag = 0; while ((c = getopt(argc, argv, "s")) != -1) { switch (c) { Index: usr.bin/who/who.c =================================================================== RCS file: /cvs/src/usr.bin/who/who.c,v retrieving revision 1.20 diff -u -p -u -r1.20 who.c --- usr.bin/who/who.c 22 Aug 2013 04:43:41 -0000 1.20 +++ usr.bin/who/who.c 28 Sep 2015 20:15:11 -0000 
@@ -72,6 +72,9 @@ main(int argc, char *argv[]) setlocale(LC_ALL, ""); + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + only_current_term = show_term = show_idle = show_labels = 0; show_quick = 0; while ((c = getopt(argc, argv, "HmqTu")) != -1) { Index: usr.bin/whois/whois.c =================================================================== RCS file: /cvs/src/usr.bin/whois/whois.c,v retrieving revision 1.48 diff -u -p -u -r1.48 whois.c --- usr.bin/whois/whois.c 17 Aug 2015 10:48:10 -0000 1.48 +++ usr.bin/whois/whois.c 28 Sep 2015 20:15:11 -0000 @@ -138,6 +138,9 @@ main(int argc, char *argv[]) if (!argc || (country != NULL && host != NULL)) usage(); + if (tame("stdio dns inet", NULL) == -1) + err(1, "tame"); + if (host == NULL && country == NULL && !(flags & WHOIS_QUICK)) flags |= WHOIS_RECURSE; for (name = *argv; (name = *argv) != NULL; argv++) Index: usr.bin/yes/yes.c =================================================================== RCS file: /cvs/src/usr.bin/yes/yes.c,v retrieving revision 1.8 diff -u -p -u -r1.8 yes.c --- usr.bin/yes/yes.c 27 Oct 2009 23:59:50 -0000 1.8 +++ usr.bin/yes/yes.c 28 Sep 2015 20:15:11 -0000 @@ -30,11 +30,15 @@ * SUCH DAMAGE. */ +#include <unistd.h> #include <stdio.h> int main(int argc, char *argv[]) { + if (tame("stdio", NULL) == -1) + perror("tame"); + if (argc > 1) for (;;) puts(argv[1]); Index: usr.sbin/acpidump/acpidump.c =================================================================== RCS file: /cvs/src/usr.sbin/acpidump/acpidump.c,v retrieving revision 1.12 diff -u -p -u -r1.12 acpidump.c --- usr.sbin/acpidump/acpidump.c 4 Sep 2015 05:58:40 -0000 1.12 +++ usr.sbin/acpidump/acpidump.c 28 Sep 2015 20:15:11 -0000 @@ -269,7 +269,6 @@ acpi_find_rsd_ptr(void) u_int8_t buf[sizeof(struct ACPIrsdp)]; u_long addr; - acpi_user_init(); if ((addr = bios_acpi_addr()) != 0) { lseek(acpi_mem_fd, addr, SEEK_SET); read(acpi_mem_fd, buf, 16); 
@@ -532,6 +531,11 @@ asl_dump_from_devmem(void) snprintf(name, sizeof(name), "%s.headers", aml_dumpfile); + acpi_user_init(); + + if (tame("stdio wpath cpath", NULL) == -1) + err(1, "tame"); + rp = acpi_find_rsd_ptr(); if (!rp) errx(1, "Can't find ACPI information"); @@ -566,10 +570,14 @@ main(int argc, char *argv[]) char c; while ((c = getopt(argc, argv, "o:")) != -1) { - if (c == 'o') + switch (c) { + case 'o': aml_dumpfile = optarg; - else + break; + default: usage(); + break; + } } if (aml_dumpfile == NULL) Index: usr.sbin/arp/arp.c =================================================================== RCS file: /cvs/src/usr.sbin/arp/arp.c,v retrieving revision 1.64 diff -u -p -u -r1.64 arp.c --- usr.sbin/arp/arp.c 3 Jun 2015 08:10:53 -0000 1.64 +++ usr.sbin/arp/arp.c 28 Sep 2015 20:15:11 -0000 @@ -160,8 +160,12 @@ main(int argc, char *argv[]) func = F_GET; rtn = 0; + getsocket(); + switch (func) { case F_GET: + if (tame("stdio dns inet", NULL) == -1) + err(1, "tame"); if (aflag && argc == 0) dump(); else if (!aflag && argc == 1) @@ -177,6 +181,8 @@ main(int argc, char *argv[]) rtn = set(argc, argv) ? 1 : 0; break; case F_DELETE: + if (tame("stdio dns inet", NULL) == -1) + err(1, "tame"); if (aflag && argc == 0) search(0, nuke_entry); else if (!aflag && argc == 1) @@ -278,7 +284,6 @@ set(int argc, char *argv[]) sin = &sin_m; rtm = &(m_rtmsg.m_rtm); - getsocket(); argc -= 2; argv += 2; sdl_m = blank_sdl; /* struct copy */ @@ -408,7 +413,6 @@ delete(const char *host, const char *inf if (info && strncmp(info, "pro", 3) ) export_only = 1; - getsocket(); sin_m = blank_sin; /* struct copy */ if (getinetaddr(host, &sin->sin_addr) == -1) return (1); Index: usr.sbin/authpf/authpf.c =================================================================== RCS file: /cvs/src/usr.sbin/authpf/authpf.c,v retrieving revision 1.123 diff -u -p -u -r1.123 authpf.c --- usr.sbin/authpf/authpf.c 21 Jan 2015 21:50:32 -0000 1.123 +++ usr.sbin/authpf/authpf.c 28 Sep 2015 20:15:11 -0000 
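Review bot: In the arp.c main hunks tame() is added to the `F_GET` and `F_DELETE` cases only. The case that calls `set(argc, argv)`, visible just above `case F_DELETE:`, and any case not shown stay unrestricted, even though `getsocket()` is now hoisted above the switch for every path. If the remaining cases need nothing more, a single `if (tame("stdio dns inet", NULL) == -1)` / `err(1, "tame");` right after `getsocket();` would cover all paths and drop the duplicated call. If one of them needs a wider set (for example to read a file), give that case its own request with a comment saying why. The switch continues outside the hunks.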
@@ -148,6 +148,9 @@ main(int argc, char *argv[]) login_close(lc); + if (tame("stdio wpath", NULL) == -1) + err(1, "tame"); + if (strcmp(shell, PATH_AUTHPF_SHELL) && strcmp(shell, PATH_AUTHPF_SHELL_NOIP)) { syslog(LOG_ERR, "wrong shell for user %s, uid %u", Index: usr.sbin/bgpd/rde.c =================================================================== RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v retrieving revision 1.339 diff -u -p -u -r1.339 rde.c --- usr.sbin/bgpd/rde.c 21 Sep 2015 09:47:15 -0000 1.339 +++ usr.sbin/bgpd/rde.c 28 Sep 2015 20:15:11 -0000 @@ -30,6 +30,7 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <err.h> #include "bgpd.h" #include "mrt.h" @@ -185,6 +186,9 @@ rde_main(int debug, int verbose) setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) fatal("can't drop privileges"); + + if (tame("malloc unix cmsg", NULL) == -1) + err(1, "tame"); signal(SIGTERM, rde_sighdlr); signal(SIGINT, rde_sighdlr); Index: usr.sbin/bgpd/session.c =================================================================== RCS file: /cvs/src/usr.sbin/bgpd/session.c,v retrieving revision 1.340 diff -u -p -u -r1.340 session.c --- usr.sbin/bgpd/session.c 4 Aug 2015 14:46:38 -0000 1.340 +++ usr.sbin/bgpd/session.c 28 Sep 2015 20:15:11 -0000 @@ -219,6 +219,9 @@ session_main(int debug, int verbose) setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) fatal("can't drop privileges"); + if (tame("malloc inet cmsg", NULL) == -1) + err(1, "tame"); + signal(SIGTERM, session_sighdlr); signal(SIGINT, session_sighdlr); signal(SIGPIPE, SIG_IGN); Index: usr.sbin/httpd/httpd.c =================================================================== RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v retrieving revision 1.39 diff -u -p -u -r1.39 httpd.c --- usr.sbin/httpd/httpd.c 20 Aug 2015 13:00:23 -0000 1.39 +++ usr.sbin/httpd/httpd.c 29 Sep 2015 09:34:57 -0000 
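Review bot: In the bgpd rde.c hunk the failure path uses `err(1, "tame")` and adds `<err.h>` for it, while the line just above reports the privilege-drop failure with `fatal("can't drop privileges")`. In a daemon child err() writes to stderr, which may no longer be attached to anything, so a tame failure could go unrecorded. `fatal("tame");` would presumably go through the daemon's own logging and make the new include unnecessary. The same applies to session.c on this line and to the httpd logger.c, ntpd ntp.c and ntp_dns.c, and relayd ca.c hunks, whose context lines also call fatal(). rde_main continues outside the hunk.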
@@ -247,6 +247,9 @@ main(int argc, char *argv[]) setproctitle("parent"); + if (tame("malloc inet cmsg cpath rpath wpath proc ioctl", NULL) == -1) + err(1, "tame"); + event_init(); signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps); Index: usr.sbin/httpd/logger.c =================================================================== RCS file: /cvs/src/usr.sbin/httpd/logger.c,v retrieving revision 1.13 diff -u -p -u -r1.13 logger.c --- usr.sbin/httpd/logger.c 20 Aug 2015 13:00:23 -0000 1.13 +++ usr.sbin/httpd/logger.c 28 Sep 2015 20:15:11 -0000 @@ -26,6 +26,7 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <err.h> #include <fcntl.h> #include <imsg.h> @@ -70,6 +71,9 @@ logger_shutdown(void) void logger_init(struct privsep *ps, struct privsep_proc *p, void *arg) { + if (tame("malloc cmsg", NULL) == -1) + err(1, "tame"); + if (config_init(ps->ps_env) == -1) fatal("failed to initialize configuration"); Index: usr.sbin/httpd/server.c =================================================================== RCS file: /cvs/src/usr.sbin/httpd/server.c,v retrieving revision 1.80 diff -u -p -u -r1.80 server.c --- usr.sbin/httpd/server.c 11 Sep 2015 13:21:09 -0000 1.80 +++ usr.sbin/httpd/server.c 28 Sep 2015 20:15:11 -0000 @@ -38,6 +38,7 @@ #include <string.h> #include <syslog.h> #include <unistd.h> +#include <err.h> #include <event.h> #include <imsg.h> #include <tls.h> 
@@ -243,6 +244,14 @@ server_init(struct privsep *ps, struct p /* Unlimited file descriptors (use system limits) */ socket_rlimit(-1); + + /* + * XXX "inet" and "unix" are only needed for fcgi + * however if fcgi is used or not can change on config reload + * should we re-fork the children and tame again on reload + */ + if (tame("malloc cmsg rpath proc inet unix ioctl", NULL) == -1) + err(1, "tame"); #if 0 /* Schedule statistics timer */ Index: usr.sbin/ntpd/ntp.c =================================================================== RCS file: /cvs/src/usr.sbin/ntpd/ntp.c,v retrieving revision 1.135 diff -u -p -u -r1.135 ntp.c --- usr.sbin/ntpd/ntp.c 14 Aug 2015 02:00:18 -0000 1.135 +++ usr.sbin/ntpd/ntp.c 28 Sep 2015 20:15:11 -0000 @@ -30,6 +30,7 @@ #include <string.h> #include <time.h> #include <unistd.h> +#include <err.h> #include <tls.h> #include "ntpd.h" @@ -164,6 +165,10 @@ ntp_main(int pipe_prnt[2], int fd_ctl, s fatal("can't drop privileges"); endservent(); + + /* XXX "dns" for constraint.c, which is forked off wrong parent? */ + if (tame("stdio inet dns proc", NULL) == -1) + err(1, "tame"); signal(SIGTERM, ntp_sighdlr); signal(SIGINT, ntp_sighdlr); Index: usr.sbin/ntpd/ntp_dns.c =================================================================== RCS file: /cvs/src/usr.sbin/ntpd/ntp_dns.c,v retrieving revision 1.10 diff -u -p -u -r1.10 ntp_dns.c --- usr.sbin/ntpd/ntp_dns.c 24 Mar 2015 18:25:27 -0000 1.10 +++ usr.sbin/ntpd/ntp_dns.c 28 Sep 2015 20:15:11 -0000 
@@ -90,6 +90,9 @@ ntp_dns(int pipe_ntp[2], struct ntpd_con
 fatal(NULL);
 imsg_init(ibuf_dns, pipe_ntp[1]);
+ if (tame("dns rw", NULL) == -1)
+ err(1, "tame");
+
 while (quit_dns == 0) {
 pfd[0].fd = ibuf_dns->fd;
 pfd[0].events = POLLIN;
Index: usr.sbin/ntpd/ntpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
retrieving revision 1.94
diff -u -p -u -r1.94 ntpd.c
--- usr.sbin/ntpd/ntpd.c 18 Jul 2015 00:53:44 -0000 1.94
+++ usr.sbin/ntpd/ntpd.c 28 Sep 2015 20:15:11 -0000
@@ -196,6 +196,10 @@ main(int argc, char *argv[])
 setproctitle("[priv]");
 readfreq();
+// XXX missing: adjtime() to change time
+// if (tame("stdio unix proc", NULL) == -1)
+// err(1, "tame");
+
 signal(SIGTERM, sighdlr);
 signal(SIGINT, sighdlr);
 signal(SIGHUP, sighdlr);
@@ -564,6 +568,9 @@ ctl_main(int argc, char *argv[])
 errx(1, "ctl socket name too long");
 if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) == -1)
 err(1, "connect: %s", sockname);
+
+ if (tame("stdio", NULL) != 0)
+ err(1, "tame");
 if ((ibuf_ctl = malloc(sizeof(struct imsgbuf))) == NULL)
 err(1, NULL);
Index: usr.sbin/relayd/ca.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 ca.c
--- usr.sbin/relayd/ca.c 2 May 2015 13:15:24 -0000 1.13
+++ usr.sbin/relayd/ca.c 28 Sep 2015 20:15:11 -0000
@@ -23,6 +23,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <stdlib.h>
+#include <err.h>
 #include <imsg.h>
 #include <openssl/bio.h>
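Review bot: The ntpd.c main() hunk commits the tame call as `//`-commented dead code at column 0, so the `[priv]` process still runs with no restriction and the disabled lines can silently rot as the request names change. Keep the reason as an ordinary comment in the file's style, for example `/* XXX not tamed yet: adjtime() to change time is missing */`, and drop the two commented-out code lines until the call can actually be enabled. main() continues outside the hunk.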
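Review bot: The check in ctl_main is written `tame("stdio", NULL) != 0`, whereas the other calls visible in this diff all test `== -1`. Use `if (tame("stdio", NULL) == -1)` so the error convention is uniform and every call site turns up in one search. ctl_main's body continues outside the hunk.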
@@ -73,6 +74,9 @@ ca(struct privsep *ps, struct privsep_pr
 void
 ca_init(struct privsep *ps, struct privsep_proc *p, void *arg)
 {
+ if (tame("malloc rw cmsg", NULL) == -1)
+ err(1, "tame");
+
 if (config_init(ps->ps_env) == -1)
 fatal("failed to initialize configuration");
Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.190
diff -u -p -u -r1.190 syslogd.c
--- usr.sbin/syslogd/syslogd.c 29 Sep 2015 03:19:23 -0000 1.190
+++ usr.sbin/syslogd/syslogd.c 29 Sep 2015 03:42:24 -0000
@@ -593,6 +593,9 @@ main(int argc, char *argv[])
 if (priv_init(ConfFile, NoDNS, lockpipe[1], nullfd, argv) < 0)
 errx(1, "unable to privsep");
+ if (tame("malloc rpath unix inet cmsg", NULL) == -1)
+ err(1, "tame");
+
 /* Process is now unprivileged and inside a chroot */
 event_init();
Index: usr.sbin/tcpdump/privsep.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/privsep.c,v
retrieving revision 1.35
diff -u -p -u -r1.35 privsep.c
--- usr.sbin/tcpdump/privsep.c 21 Aug 2015 02:07:32 -0000 1.35
+++ usr.sbin/tcpdump/privsep.c 28 Sep 2015 20:15:11 -0000
@@ -281,6 +281,8 @@ priv_init(int argc, char **argv)
 case PRIV_INIT_DONE:
 test_state(cmd, STATE_RUN);
 impl_init_done(socks[0], &bpfd);
+ if (tame("malloc cmsg inet ioctl dns rpath", NULL) == -1)
+ err(1, "tame");
 break;
 case PRIV_GETHOSTBYADDR:
 test_state(cmd, STATE_RUN);
Index: usr.sbin/tcpdump/tcpdump.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/tcpdump.c,v
retrieving revision 1.72
diff -u -p -u -r1.72 tcpdump.c
--- usr.sbin/tcpdump/tcpdump.c 14 Jul 2015 20:23:40 -0000 1.72
+++ usr.sbin/tcpdump/tcpdump.c 28 Sep 2015 20:15:11 -0000
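Review bot: In the syslogd.c hunk the tame call is inserted between `priv_init()` and the comment `/* Process is now unprivileged and inside a chroot */`, which describes the state priv_init leaves behind; after the change the comment reads as if it were about tame. Put the tame block below that comment, and add a line saying why `rpath` is still requested once the process is chrooted, since the hunk gives no reason for it. main() continues outside the hunk.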
@@ -490,6 +490,8 @@ main(int argc, char **argv)
 if (tflag > 0)
 thiszone = gmt2local(0);
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
 if (pcap_loop(pd, cnt, printer, pcap_userdata) < 0) {
 (void)fprintf(stderr, "%s: pcap_loop: %s\n",
Index: usr.sbin/traceroute/traceroute.c
===================================================================
RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v
retrieving revision 1.141
diff -u -p -u -r1.141 traceroute.c
--- usr.sbin/traceroute/traceroute.c 30 Aug 2015 22:10:57 -0000 1.141
+++ usr.sbin/traceroute/traceroute.c 28 Sep 2015 20:15:11 -0000
@@ -844,6 +844,14 @@ main(int argc, char *argv[])
 sizeof(datalen)) < 0)
 err(6, "SO_SNDBUF");
+ if (nflag) {
+ if (tame("stdio inet", NULL) == -1)
+ err(1, "tame");
+ } else {
+ if (tame("stdio inet dns", NULL) == -1)
+ err(1, "tame");
+ }
+
 if (getnameinfo(to, to->sa_len, hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST))
 strlcpy(hbuf, "(invalid)", sizeof(hbuf));
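Review bot: The if/else added in traceroute's main() repeats the whole tame/err pair only to vary one word of the request string, which makes it easy for the two branches to drift apart when the list is next edited. A single call keeps the difference visible in one place: `if (tame(nflag ? "stdio inet" : "stdio inet dns", NULL) == -1)` followed by `err(1, "tame");`. main() starts and ends outside the hunk.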