perror(3) is being used instead of err(3) in a few places; is that on purpose? If it's an oversight, I also noticed the same in patch(1).
On 10/04/15 01:34, Theo de Raadt wrote: > 42 tame calls have been commited to 28 userland programs so far. > For instance gzip, md5, ping, traceroute, tcpdump, script, arp, > whois, ntpd, sshd... > > Below is a tree of roughly a hundred more programs. Not all are > fully verified yet, but they being placed in snapshots. > > Some of these I did myself, but others were contributed. I am trying > to focus on the programs which do either file or socket behaviour, but > not both. Or, on the programs which do their fd setup early. > > I appreciate the feedback I've received so far. > > Index: bin/dd/dd.c > =================================================================== > RCS file: /cvs/src/bin/dd/dd.c,v > retrieving revision 1.21 > diff -u -p -u -r1.21 dd.c > --- bin/dd/dd.c 16 Jan 2015 06:39:31 -0000 1.21 > +++ bin/dd/dd.c 28 Sep 2015 20:15:11 -0000 > @@ -149,6 +149,9 @@ setup(void) > if (out.offset) > pos_out(); > > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > + > /* > * Truncate the output file; ignore errors because it fails on some > * kinds of output files, tapes, for example. > Index: bin/df/df.c > =================================================================== > RCS file: /cvs/src/bin/df/df.c,v > retrieving revision 1.52 > diff -u -p -u -r1.52 df.c > --- bin/df/df.c 16 Jan 2015 06:39:31 -0000 1.52 > +++ bin/df/df.c 2 Oct 2015 00:19:01 -0000 > @@ -79,6 +79,9 @@ main(int argc, char *argv[]) > int width, maxwidth; > char *mntpt; > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > while ((ch = getopt(argc, argv, "hiklnPt:")) != -1) > switch (ch) { > case 'h': > Index: bin/expr/expr.c > =================================================================== > RCS file: /cvs/src/bin/expr/expr.c,v > retrieving revision 1.20 > diff -u -p -u -r1.20 expr.c > --- bin/expr/expr.c 11 Aug 2015 17:15:46 -0000 1.20 > +++ bin/expr/expr.c 28 Sep 2015 20:15:11 -0000 
> @@ -12,6 +12,7 @@ > #include <limits.h> > #include <locale.h> > #include <ctype.h> > +#include <unistd.h> > #include <regex.h> > #include <err.h> > > @@ -499,6 +500,9 @@ main(int argc, char *argv[]) > struct val *vp; > > (void) setlocale(LC_ALL, ""); > + > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > > if (argc > 1 && !strcmp(argv[1], "--")) > argv++; > Index: bin/ls/ls.c > =================================================================== > RCS file: /cvs/src/bin/ls/ls.c,v > retrieving revision 1.41 > diff -u -p -u -r1.41 ls.c > --- bin/ls/ls.c 25 Jun 2015 02:04:07 -0000 1.41 > +++ bin/ls/ls.c 28 Sep 2015 20:15:11 -0000 > @@ -123,6 +123,9 @@ ls_main(int argc, char *argv[]) > termwidth = width; > } > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > /* Root is -A automatically. */ > if (!getuid()) > f_listdot = 1; > Index: bin/mkdir/mkdir.c > =================================================================== > RCS file: /cvs/src/bin/mkdir/mkdir.c,v > retrieving revision 1.25 > diff -u -p -u -r1.25 mkdir.c > --- bin/mkdir/mkdir.c 2 Apr 2013 20:26:17 -0000 1.25 > +++ bin/mkdir/mkdir.c 3 Oct 2015 03:32:46 -0000 > @@ -55,6 +55,9 @@ main(int argc, char *argv[]) > > setlocale(LC_ALL, ""); > > + if (tame("stdio cpath rpath fattr", NULL) == -1) > + err(1, "tame"); > + > /* > * The default file mode is a=rwx (0777) with selected permissions > * removed in accordance with the file mode creation mask. For > Index: bin/pax/ar_io.c > =================================================================== > RCS file: /cvs/src/bin/pax/ar_io.c,v > retrieving revision 1.50 > diff -u -p -u -r1.50 ar_io.c > --- bin/pax/ar_io.c 22 Mar 2015 03:15:00 -0000 1.50 > +++ bin/pax/ar_io.c 3 Oct 2015 23:42:07 -0000 
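Review bot: In bin/ls/ls.c the request is `"stdio rpath"` with no `"getpw"`, while id.c, logname.c and pax.c in this same patch ask for `"getpw"` where passwd data is needed. If the long listing resolves owner and group names through the passwd/group functions (that code is outside this hunk), any lookup that needs more than a read-only file open would be refused at run time. It is worth confirming with a long listing, or requesting `"stdio rpath getpw"` here. ls_main continues outside the hunk.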
> @@ -75,6 +75,7 @@ static int wr_trail = 1; /* trailer was > static int can_unlnk = 0; /* do we unlink null archives? */ > const char *arcname; /* printable name of archive */ > const char *gzip_program; /* name of gzip program */ > +const char *delayed_tame; /* tame request for after forking gzip_program > */ > static pid_t zpid = -1; /* pid of child process */ > int force_one_volume; /* 1 if we ignore volume > changes */ > > @@ -1276,4 +1277,6 @@ ar_start_gzip(int fd, const char *path, > err(1, "could not exec %s", path); > /* NOTREACHED */ > } > + if (delayed_tame != NULL && tame(delayed_tame, NULL) == -1) > + err(1, "tame"); > } > Index: bin/pax/extern.h > =================================================================== > RCS file: /cvs/src/bin/pax/extern.h,v > retrieving revision 1.53 > diff -u -p -u -r1.53 extern.h > --- bin/pax/extern.h 19 Mar 2015 05:14:24 -0000 1.53 > +++ bin/pax/extern.h 3 Oct 2015 23:42:07 -0000 > @@ -45,6 +45,7 @@ > */ > extern const char *arcname; > extern const char *gzip_program; > +extern const char *delayed_tame; > extern int force_one_volume; > int ar_open(const char *); > void ar_close(int _in_sig); > Index: bin/pax/pax.c > =================================================================== > RCS file: /cvs/src/bin/pax/pax.c,v > retrieving revision 1.41 > diff -u -p -u -r1.41 pax.c > --- bin/pax/pax.c 9 Mar 2015 04:23:29 -0000 1.41 > +++ bin/pax/pax.c 3 Oct 2015 23:42:07 -0000 
> @@ -257,6 +257,30 @@ main(int argc, char **argv)
> return(exit_val);
>
> /*
> + * pmode needs to restore setugid bits when extracting or copying,
> + * so can't tame at all then.
> + */
> + if (pmode == 0 || (act != EXTRACT && act != COPY)) {
> + /*
> + * If we need to fork/exec gzip_program, then delay the
> + * tame() call. (Copy mode ignores gzip_program)
> + */
> + if (gzip_program == NULL || act == COPY) {
> + if (tame("stdio getpw ioctl cpath wpath rpath fattr",
> + NULL) == -1)
> + err(1, "tame");
> + } else if (gzip_program != NULL) {
> + /*
> + * If nflag, then add "proc" to the above, for
> + * kill() of zpid
> + */
> + delayed_tame =
> + nflag? "stdio getpw ioctl cpath wpath rpath fattr"
> + : "proc stdio getpw ioctl cpath wpath rpath fattr";
> + }
> + }
> +
> + /*
> * select a primary operation mode
> */
> switch (act) {
> Index: bin/pwd/pwd.c
> ===================================================================
> RCS file: /cvs/src/bin/pwd/pwd.c,v
> retrieving revision 1.12
> diff -u -p -u -r1.12 pwd.c
> --- bin/pwd/pwd.c 28 May 2014 06:55:58 -0000 1.12
> +++ bin/pwd/pwd.c 28 Sep 2015 20:15:11 -0000
> @@ -47,6 +47,9 @@ main(int argc, char *argv[])
> int ch, lFlag = 0;
> const char *p;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "LP")) != -1) {
> switch (ch) {
> case 'L':
> Index: sbin/dmesg/dmesg.c
> ===================================================================
> RCS file: /cvs/src/sbin/dmesg/dmesg.c,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 dmesg.c
> --- sbin/dmesg/dmesg.c 16 Jan 2015 06:39:57 -0000 1.25
> +++ sbin/dmesg/dmesg.c 3 Oct 2015 01:13:02 -0000
> @@ -108,6 +108,9 @@ main(int argc, char *argv[])
> if (sysctl(mib, 2, bufdata, &len, NULL, 0))
> err(1, "sysctl: KERN_MSGBUF");
>
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
> +
> memcpy(&cur, bufdata, sizeof(cur));
> bufdata = ((struct msgbuf *)bufdata)->msg_bufc;
> } else {
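Review bot: In bin/pax/pax.c the comment and the ternary that sets `delayed_tame` disagree: the comment says "proc" is added when nflag is set (for kill() of zpid), but the expression picks the string without "proc" when `nflag` is non-zero and the one with "proc" when it is zero. One of the two is inverted; if the comment is right, the assignment should read `nflag ? "proc stdio getpw ioctl cpath wpath rpath fattr" : "stdio getpw ioctl cpath wpath rpath fattr"`, which also keeps "proc" out of the common case. The `else if (gzip_program != NULL)` test is always true there, given the preceding `gzip_program == NULL || act == COPY`, and can be a plain `else`. main continues outside the hunk.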
> @@ -119,6 +122,9 @@ main(int argc, char *argv[]) > if ((kd = kvm_open(nlistf, memf, NULL, O_RDONLY, > "dmesg")) == NULL) > return (1); > + > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > > if (kvm_nlist(kd, nl) == -1) > errx(1, "kvm_nlist: %s", kvm_geterr(kd)); > Index: usr.bin/arch/arch.c > =================================================================== > RCS file: /cvs/src/usr.bin/arch/arch.c,v > retrieving revision 1.16 > diff -u -p -u -r1.16 arch.c > --- usr.bin/arch/arch.c 25 Sep 2015 16:19:26 -0000 1.16 > +++ usr.bin/arch/arch.c 28 Sep 2015 20:15:11 -0000 > @@ -30,6 +30,7 @@ > #include <stdlib.h> > #include <string.h> > #include <unistd.h> > +#include <err.h> > > static void __dead usage(void); > > @@ -43,6 +44,9 @@ main(int argc, char *argv[]) > char *arch, *opts; > > setlocale(LC_ALL, ""); > + > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > > machine = strcmp(__progname, "machine") == 0; > if (machine) { > Index: usr.bin/banner/banner.c > =================================================================== > RCS file: /cvs/src/usr.bin/banner/banner.c,v > retrieving revision 1.9 > diff -u -p -u -r1.9 banner.c > --- usr.bin/banner/banner.c 27 Oct 2009 23:59:35 -0000 1.9 > +++ usr.bin/banner/banner.c 28 Sep 2015 20:15:11 -0000 > @@ -53,6 +53,7 @@ > #include <unistd.h> > #include <stdlib.h> > #include <string.h> > +#include <err.h> > > #include "banner.h" > > @@ -152,6 +153,8 @@ main(int argc, char *argv[]) > { > char word[10+1]; /* strings limited to 10 chars > */ > > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > while (*++argv) { > (void)strlcpy(word, *argv, sizeof (word)); > scan_out(1, word, '\0'); > Index: usr.bin/cal/cal.c > =================================================================== > RCS file: /cvs/src/usr.bin/cal/cal.c,v > retrieving revision 1.28 > diff -u -p -u -r1.28 cal.c > --- usr.bin/cal/cal.c 17 Mar 2015 19:31:30 -0000 1.28 > +++ usr.bin/cal/cal.c 28 Sep 2015 20:15:11 -0000 
> @@ -150,6 +150,9 @@ main(int argc, char *argv[]) > int ch, month, year, yflag; > const char *errstr; > > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > + > yflag = year = 0; > while ((ch = getopt(argc, argv, "jmwy")) != -1) > switch(ch) { > Index: usr.bin/col/col.c > =================================================================== > RCS file: /cvs/src/usr.bin/col/col.c,v > retrieving revision 1.17 > diff -u -p -u -r1.17 col.c > --- usr.bin/col/col.c 9 May 2015 20:36:18 -0000 1.17 > +++ usr.bin/col/col.c 28 Sep 2015 20:15:11 -0000 > @@ -113,6 +113,9 @@ main(int argc, char *argv[]) > int adjust, opt, warned; > const char *errstr; > > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > + > max_bufd_lines = 256; > compress_spaces = 1; /* compress spaces into tabs */ > while ((opt = getopt(argc, argv, "bfhl:x")) != -1) > Index: usr.bin/colrm/colrm.c > =================================================================== > RCS file: /cvs/src/usr.bin/colrm/colrm.c,v > retrieving revision 1.9 > diff -u -p -u -r1.9 colrm.c > --- usr.bin/colrm/colrm.c 27 Oct 2009 23:59:36 -0000 1.9 > +++ usr.bin/colrm/colrm.c 28 Sep 2015 20:15:11 -0000 > @@ -52,6 +52,9 @@ main(int argc, char *argv[]) > int ch; > char *p; > > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > + > while ((ch = getopt(argc, argv, "")) != -1) > switch(ch) { > case '?': > Index: usr.bin/column/column.c > =================================================================== > RCS file: /cvs/src/usr.bin/column/column.c,v > retrieving revision 1.19 > diff -u -p -u -r1.19 column.c > --- usr.bin/column/column.c 22 May 2014 19:50:34 -0000 1.19 > +++ usr.bin/column/column.c 4 Oct 2015 05:00:55 -0000 > @@ -76,6 +76,9 @@ main(int argc, char *argv[]) > } else > termwidth = win.ws_col; > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > tflag = xflag = 0; > while ((ch = getopt(argc, argv, "c:s:tx")) != -1) > switch(ch) { 
> @@ -100,16 +103,21 @@ main(int argc, char *argv[]) > argc -= optind; > argv += optind; > > - if (!*argv) > + if (!*argv) { > input(stdin); > - else for (; *argv; ++argv) > - if ((fp = fopen(*argv, "r"))) { > - input(fp); > - (void)fclose(fp); > - } else { > - warn("%s", *argv); > - eval = 1; > + } else { > + for (; *argv; ++argv) { > + if ((fp = fopen(*argv, "r"))) { > + input(fp); > + (void)fclose(fp); > + } else { > + warn("%s", *argv); > + eval = 1; > + } > } > + } > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > > if (!entries) > exit(eval); > Index: usr.bin/comm/comm.c > =================================================================== > RCS file: /cvs/src/usr.bin/comm/comm.c,v > retrieving revision 1.8 > diff -u -p -u -r1.8 comm.c > --- usr.bin/comm/comm.c 27 Oct 2009 23:59:37 -0000 1.8 > +++ usr.bin/comm/comm.c 28 Sep 2015 20:15:11 -0000 > @@ -61,6 +61,9 @@ main(int argc, char *argv[]) > > setlocale(LC_ALL, ""); > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > flag1 = flag2 = flag3 = 1; > compare = strcoll; > while ((ch = getopt(argc, argv, "123f")) != -1) > Index: usr.bin/csplit/csplit.c > =================================================================== > RCS file: /cvs/src/usr.bin/csplit/csplit.c,v > retrieving revision 1.5 > diff -u -p -u -r1.5 csplit.c > --- usr.bin/csplit/csplit.c 20 May 2014 01:25:23 -0000 1.5 > +++ usr.bin/csplit/csplit.c 4 Oct 2015 05:00:49 -0000 > @@ -103,6 +103,9 @@ main(int argc, char *argv[]) > > setlocale(LC_ALL, ""); > > + if (tame("stdio rpath wpath cpath", NULL) == -1) > + err(1, "tame"); > + > kflag = sflag = 0; > prefix = "xx"; > sufflen = 2; 
> @@ -140,6 +143,8 @@ main(int argc, char *argv[]) > if (strcmp(infn, "-") == 0) { > infile = stdin; > infn = "stdin"; > + if (tame("stdio wpath cpath", NULL) == -1) > + err(1, "tame"); > } else if ((infile = fopen(infn, "r")) == NULL) > err(1, "%s", infn); > > Index: usr.bin/cut/cut.c > =================================================================== > RCS file: /cvs/src/usr.bin/cut/cut.c,v > retrieving revision 1.19 > diff -u -p -u -r1.19 cut.c > --- usr.bin/cut/cut.c 18 Aug 2015 17:10:48 -0000 1.19 > +++ usr.bin/cut/cut.c 28 Sep 2015 20:15:11 -0000 > @@ -63,6 +63,9 @@ main(int argc, char *argv[]) > > setlocale (LC_ALL, ""); > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > dchar = '\t'; /* default delimiter is \t */ > > /* Since we don't support multi-byte characters, the -c and -b > Index: usr.bin/deroff/deroff.c > =================================================================== > RCS file: /cvs/src/usr.bin/deroff/deroff.c,v > retrieving revision 1.11 > diff -u -p -u -r1.11 deroff.c > --- usr.bin/deroff/deroff.c 9 Feb 2015 11:39:17 -0000 1.11 > +++ usr.bin/deroff/deroff.c 4 Oct 2015 05:00:40 -0000 > @@ -260,6 +260,9 @@ main(int ac, char **av) > int errflg = 0; > int kflag = NO; > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > iflag = NO; > wordflag = NO; > msflag = NO; > @@ -331,6 +334,8 @@ main(int ac, char **av) > #endif /* DEBUG */ > if (argc == 0) { > infile = stdin; > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > } else { > infile = opn(argv[0]); > --argc; > Index: usr.bin/diff/diff.c > =================================================================== > RCS file: /cvs/src/usr.bin/diff/diff.c,v > retrieving revision 1.59 > diff -u -p -u -r1.59 diff.c > --- usr.bin/diff/diff.c 29 Apr 2015 04:00:25 -0000 1.59 > +++ usr.bin/diff/diff.c 28 Sep 2015 20:15:11 -0000 
> @@ -217,6 +217,10 @@ main(int argc, char **argv)
> argc -= optind;
> argv += optind;
>
> + if (lflag == 0) {
> + if (tame("stdio wpath rpath tmppath", NULL) == -1)
> + err(1, "tame");
> + }
> /*
> * Do sanity checks, fill in stb1 and stb2 and call the appropriate
> * driver routine. Both drivers use the contents of stb1 and stb2.
> Index: usr.bin/diff3/diff3prog.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/diff3/diff3prog.c,v
> retrieving revision 1.15
> diff -u -p -u -r1.15 diff3prog.c
> --- usr.bin/diff3/diff3prog.c 5 Sep 2015 09:47:08 -0000 1.15
> +++ usr.bin/diff3/diff3prog.c 28 Sep 2015 20:15:11 -0000
> @@ -145,6 +145,9 @@ main(int argc, char **argv)
> {
> int ch, i, m, n;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> eflag = 0;
> oflag = 0;
> while ((ch = getopt(argc, argv, "EeXx3")) != -1) {
> Index: usr.bin/dirname/dirname.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/dirname/dirname.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 dirname.c
> --- usr.bin/dirname/dirname.c 10 Aug 2010 22:05:36 -0000 1.13
> +++ usr.bin/dirname/dirname.c 28 Sep 2015 20:15:11 -0000
> @@ -33,6 +33,9 @@ main(int argc, char *argv[])
>
> setlocale(LC_ALL, "");
>
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "")) != -1) {
> switch (ch) {
> default:
> Index: usr.bin/expand/expand.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/expand/expand.c,v
> retrieving revision 1.12
> diff -u -p -u -r1.12 expand.c
> --- usr.bin/expand/expand.c 26 Nov 2013 13:18:55 -0000 1.12
> +++ usr.bin/expand/expand.c 28 Sep 2015 20:15:11 -0000
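Review bot: In usr.bin/diff/diff.c the tame() call is skipped entirely when `lflag` is set, and nothing in the hunk says why. A comment above the `if`, along the lines of `/* -l needs to start a child process, so no tame on that path */` (wording to be confirmed against what -l actually does, which is outside this hunk), would keep a later reader from treating the unrestricted path as an oversight. The call also sits after option parsing, so argument handling runs before any restriction applies, whereas most other programs in this patch tame before getopt. main continues outside the hunk.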
> @@ -51,6 +51,9 @@ main(int argc, char *argv[]) > int c, column; > int n; > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > /* handle obsolete syntax */ > while (argc > 1 && argv[1][0] == '-' && > isdigit((unsigned char)argv[1][1])) { > Index: usr.bin/fgen/fgen.l > =================================================================== > RCS file: /cvs/src/usr.bin/fgen/fgen.l,v > retrieving revision 1.10 > diff -u -p -u -r1.10 fgen.l > --- usr.bin/fgen/fgen.l 30 Dec 2013 21:52:21 -0000 1.10 > +++ usr.bin/fgen/fgen.l 28 Sep 2015 20:15:11 -0000 > @@ -960,6 +960,9 @@ main(argc, argv) > char *hdrtype = "version1"; > int i; > > + if (tame("stdio rpath wpath cpath", NULL) == -1) > + err(1, "tame"); > + > outf = 1; /* stdout */ > myname = argv[0]; > > Index: usr.bin/file/Makefile > =================================================================== > RCS file: /cvs/src/usr.bin/file/Makefile,v > retrieving revision 1.15 > diff -u -p -u -r1.15 Makefile > --- usr.bin/file/Makefile 27 Apr 2015 13:52:17 -0000 1.15 > +++ usr.bin/file/Makefile 28 Sep 2015 20:15:11 -0000 > @@ -1,7 +1,7 @@ > # $OpenBSD: Makefile,v 1.15 2015/04/27 13:52:17 nicm Exp $ > > PROG= file > -SRCS= file.c magic-dump.c magic-load.c magic-test.c magic-common.c > sandbox.c \ > +SRCS= file.c magic-dump.c magic-load.c magic-test.c magic-common.c \ > text.c xmalloc.c > MAN= file.1 magic.5 > > Index: usr.bin/file/file.c > =================================================================== > RCS file: /cvs/src/usr.bin/file/file.c,v > retrieving revision 1.48 > diff -u -p -u -r1.48 file.c > --- usr.bin/file/file.c 2 Oct 2015 18:06:27 -0000 1.48 > +++ usr.bin/file/file.c 2 Oct 2015 18:10:55 -0000 > @@ -116,7 +116,7 @@ usage(void) > int > main(int argc, char **argv) > { > - int opt, pair[2], fd, idx; > + int opt, pair[2], fd, idx, mode; > char *home; > struct passwd *pw; > struct imsgbuf ibuf; 
> @@ -192,8 +192,10 @@ main(int argc, char **argv)
> parent = getpid();
> if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pair) != 0)
> err(1, "socketpair");
> - pid = sandbox_fork(FILE_USER);
> - if (pid == 0) {
> + switch (pid = fork()) {
> + case -1:
> + err(1, "fork");
> + case 0:
> close(pair[0]);
> child(pair[1], parent, argc, argv);
> }
> @@ -220,10 +222,21 @@ main(int argc, char **argv)
> fd = -1;
> msg.error = errno;
> } else {
> - fd = open(argv[idx], O_RDONLY|O_NONBLOCK);
> - if (fd == -1 && (errno == ENFILE || errno == EMFILE))
> - err(1, "open");
> - if (S_ISLNK(msg.sb.st_mode))
> + /*
> + * tame(2) doesn't let us pass directory file
> + * descriptors around but we don't need them, so don't
> + * open directories or symlinks (which could be to
> + * directories).
> + */
> + mode = msg.sb.st_mode;
> + if (!S_ISDIR(mode) && !S_ISLNK(mode)) {
> + fd = open(argv[idx], O_RDONLY|O_NONBLOCK);
> + if (fd == -1 &&
> + (errno == ENFILE || errno == EMFILE))
> + err(1, "open");
> + } else
> + fd = -1;
> + if (S_ISLNK(mode))
> read_link(&msg, argv[idx]);
> }
> send_message(&ibuf, &msg, sizeof msg, fd);
> @@ -328,6 +341,7 @@ read_link(struct input_msg *msg, const c
> static __dead void
> child(int fd, pid_t parent, int argc, char **argv)
> {
> + struct passwd *pw;
> struct magic *m;
> struct imsgbuf ibuf;
> struct imsg imsg;
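Review bot: In usr.bin/file/file.c (hunk at -220,10) the decision not to open directories or symlinks is taken from `msg.sb.st_mode`, filled in by a stat call outside this hunk, and the `open()` that follows resolves the path a second time. If the path is replaced by a symlink or a directory between the two calls, the parent opens exactly what the new comment says it must not and passes that descriptor to the tamed child. Adding `O_NOFOLLOW` to the flags, `fd = open(argv[idx], O_RDONLY|O_NONBLOCK|O_NOFOLLOW);`, and re-checking the type with `fstat()` on the descriptor before `send_message()` would make the check and the use refer to the same object. main continues outside the hunk.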
> @@ -336,6 +350,24 @@ child(int fd, pid_t parent, int argc, ch > struct input_file inf; > int i, idx; > size_t len, width = 0; > + > + if (tame("stdio cmsg getpw proc", NULL) == -1) > + err(1, "tame"); > + > + if (geteuid() == 0) { > + pw = getpwnam(FILE_USER); > + if (pw == NULL) > + errx(1, "unknown user %s", FILE_USER); > + if (setgroups(1, &pw->pw_gid) != 0) > + err(1, "setgroups"); > + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) > + err(1, "setresgid"); > + if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) > + err(1, "setresuid"); > + } > + > + if (tame("stdio cmsg", NULL) == -1) > + err(1, "tame"); > > m = magic_load(magicfp, magicpath, cflag || Wflag); > if (cflag) { > Index: usr.bin/file/sandbox.c > =================================================================== > RCS file: /cvs/src/usr.bin/file/sandbox.c,v > retrieving revision 1.9 > diff -u -p -u -r1.9 sandbox.c > --- usr.bin/file/sandbox.c 23 Aug 2015 18:31:41 -0000 1.9 > +++ usr.bin/file/sandbox.c 28 Sep 2015 20:15:11 -0000 
> @@ -1,158 +0,0 @@ > -/* $OpenBSD: sandbox.c,v 1.9 2015/08/23 18:31:41 guenther Exp $ */ > - > -/* > - * Copyright (c) 2015 Nicholas Marriott <n...@openbsd.org> > - * > - * Permission to use, copy, modify, and distribute this software for any > - * purpose with or without fee is hereby granted, provided that the above > - * copyright notice and this permission notice appear in all copies. > - * > - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES > - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR > - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > - * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER > - * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING > - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > - */ > - > -#include <sys/types.h> > -#include <sys/ioctl.h> > -#include <sys/syscall.h> > -#include <sys/wait.h> > - > -#include <dev/systrace.h> > - > -#include <errno.h> > -#include <fcntl.h> > -#include <pwd.h> > -#include <signal.h> > -#include <unistd.h> > - > -#include "file.h" > -#include "magic.h" > -#include "xmalloc.h" > - > -static const struct > -{ > - int syscallnum; > - int action; > -} allowed_syscalls[] = { > - { SYS_open, SYSTR_POLICY_NEVER }, /* for strerror */ > - > - { SYS_close, SYSTR_POLICY_PERMIT }, > - { SYS_exit, SYSTR_POLICY_PERMIT }, > - { SYS_fcntl, SYSTR_POLICY_PERMIT }, > - { SYS_fstat, SYSTR_POLICY_PERMIT }, > - { SYS_getdtablecount, SYSTR_POLICY_PERMIT }, > - { SYS_getentropy, SYSTR_POLICY_PERMIT }, > - { SYS_getpid, SYSTR_POLICY_PERMIT }, > - { SYS_getrlimit, SYSTR_POLICY_PERMIT }, > - { SYS_issetugid, SYSTR_POLICY_PERMIT }, > - { SYS_kbind, SYSTR_POLICY_PERMIT }, > - { SYS_madvise, SYSTR_POLICY_PERMIT }, > - { SYS_mmap, SYSTR_POLICY_PERMIT }, > - { SYS_mprotect, SYSTR_POLICY_PERMIT }, > - { SYS_mquery, 
SYSTR_POLICY_PERMIT }, > - { SYS_munmap, SYSTR_POLICY_PERMIT }, > - { SYS_read, SYSTR_POLICY_PERMIT }, > - { SYS_recvmsg, SYSTR_POLICY_PERMIT }, > - { SYS_sendmsg, SYSTR_POLICY_PERMIT }, > - { SYS_sigprocmask, SYSTR_POLICY_PERMIT }, > - { SYS_write, SYSTR_POLICY_PERMIT }, > - > - { -1, -1 } > -}; > - > -static int > -sandbox_find(int syscallnum) > -{ > - int i; > - > - for (i = 0; allowed_syscalls[i].syscallnum != -1; i++) { > - if (allowed_syscalls[i].syscallnum == syscallnum) > - return (allowed_syscalls[i].action); > - } > - return (SYSTR_POLICY_KILL); > -} > - > -static int > -sandbox_child(const char *user) > -{ > - struct passwd *pw; > - > - if (geteuid() == 0) { > - pw = getpwnam(user); > - if (pw == NULL) > - errx(1, "unknown user %s", user); > - if (setgroups(1, &pw->pw_gid) != 0) > - err(1, "setgroups"); > - if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) > - err(1, "setresgid"); > - if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) > - err(1, "setresuid"); > - } > - > - if (kill(getpid(), SIGSTOP) != 0) > - err(1, "kill(SIGSTOP)"); > - return (0); > -} > - > -int > -sandbox_fork(const char *user) > -{ > - pid_t pid; > - int status, devfd, fd, i; > - struct systrace_policy policy; > - > - switch (pid = fork()) { > - case -1: > - err(1, "fork"); > - case 0: > - return (sandbox_child(user)); > - } > - > - /* > - * Wait for the child to stop itself with SIGSTOP before assigning the > - * policy, before that it might still be calling syscalls the policy > - * would block. 
> - */ > - do { > - pid = waitpid(pid, &status, WUNTRACED); > - } while (pid == -1 && errno == EINTR); > - if (!WIFSTOPPED(status)) > - errx(1, "child not stopped"); > - > - devfd = open("/dev/systrace", O_RDONLY); > - if (devfd == -1) > - err(1, "open(\"/dev/systrace\")"); > - if (ioctl(devfd, STRIOCCLONE, &fd) == -1) > - err(1, "ioctl(STRIOCCLONE)"); > - close(devfd); > - > - if (ioctl(fd, STRIOCATTACH, &pid) == -1) > - goto out; > - > - memset(&policy, 0, sizeof policy); > - policy.strp_op = SYSTR_POLICY_NEW; > - policy.strp_maxents = SYS_MAXSYSCALL; > - if (ioctl(fd, STRIOCPOLICY, &policy) == -1) > - err(1, "ioctl(STRIOCPOLICY/NEW)"); > - policy.strp_op = SYSTR_POLICY_ASSIGN; > - policy.strp_pid = pid; > - if (ioctl(fd, STRIOCPOLICY, &policy) == -1) > - err(1, "ioctl(STRIOCPOLICY/ASSIGN)"); > - > - for (i = 0; i < SYS_MAXSYSCALL; i++) { > - policy.strp_op = SYSTR_POLICY_MODIFY; > - policy.strp_code = i; > - policy.strp_policy = sandbox_find(i); > - if (ioctl(fd, STRIOCPOLICY, &policy) == -1) > - err(1, "ioctl(STRIOCPOLICY/MODIFY)"); > - } > - > -out: > - if (kill(pid, SIGCONT) != 0) > - err(1, "kill(SIGCONT)"); > - return (pid); > -} > Index: usr.bin/fmt/fmt.c > =================================================================== > RCS file: /cvs/src/usr.bin/fmt/fmt.c,v > retrieving revision 1.30 > diff -u -p -u -r1.30 fmt.c > --- usr.bin/fmt/fmt.c 26 Nov 2013 13:18:55 -0000 1.30 > +++ usr.bin/fmt/fmt.c 4 Oct 2015 05:00:34 -0000 > @@ -255,6 +255,9 @@ main(int argc, char *argv[]) > > (void)setlocale(LC_CTYPE, ""); > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > /* 1. Grok parameters. */ > while ((ch = getopt(argc, argv, "0123456789cd:hl:mnpst:w:")) != -1) { > switch (ch) { 
> @@ -337,6 +340,8 @@ main(int argc, char *argv[]) > while (argc-- > 0) > process_named_file(*argv++); > } else { > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > process_stream(stdin, "standard input"); > } > > Index: usr.bin/fold/fold.c > =================================================================== > RCS file: /cvs/src/usr.bin/fold/fold.c,v > retrieving revision 1.15 > diff -u -p -u -r1.15 fold.c > --- usr.bin/fold/fold.c 6 Feb 2015 09:10:55 -0000 1.15 > +++ usr.bin/fold/fold.c 4 Oct 2015 05:00:27 -0000 > @@ -56,6 +56,9 @@ main(int argc, char *argv[]) > unsigned int width; > const char *errstr; > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > width = 0; > lastch = '\0'; > prevoptind = 1; > @@ -99,14 +102,19 @@ main(int argc, char *argv[]) > if (width == 0) > width = DEFLINEWIDTH; > > - if (!*argv) > + if (!*argv) { > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > fold(width); > - else for (; *argv; ++argv) > - if (!freopen(*argv, "r", stdin)) { > - err(1, "%s", *argv); > - /* NOTREACHED */ > - } else > - fold(width); > + } else { > + for (; *argv; ++argv) { > + if (!freopen(*argv, "r", stdin)) > + err(1, "%s", *argv); > + /* NOTREACHED */ > + else > + fold(width); > + } > + } > exit(0); > } > > Index: usr.bin/from/from.c > =================================================================== > RCS file: /cvs/src/usr.bin/from/from.c,v > retrieving revision 1.20 > diff -u -p -u -r1.20 from.c > --- usr.bin/from/from.c 3 Jun 2015 18:08:54 -0000 1.20 > +++ usr.bin/from/from.c 4 Oct 2015 05:00:21 -0000 > @@ -80,6 +80,8 @@ main(int argc, char *argv[]) > exit(EXIT_SUCCESS); > err(1, "%s", file); > } > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > for (newline = 1; (linelen = getline(&line, &linesize, fp)) != -1;) { > if (*line == '\n') { > newline = 1; 
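Review bot: In usr.bin/fold/fold.c (hunk at -99,14) the rewritten loop keeps `else fold(width);` after an `err(1, ...)` that does not return, with the `/* NOTREACHED */` comment sitting between the `if` body and the `else`. Since the braces are being added anyway, the body reads more plainly as `if (!freopen(*argv, "r", stdin)) err(1, "%s", *argv);` followed by an unconditional `fold(width);`. This is a point of style only; behaviour is the same.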
> @@ -98,6 +100,9 @@ char * > mail_spool(char *file, const char *user) > { > struct passwd *pwd; > + > + if (tame("stdio rpath getpw", NULL) == -1) > + err(1, "tame"); > > /* > * We find the mailbox by: > Index: usr.bin/getopt/getopt.c > =================================================================== > RCS file: /cvs/src/usr.bin/getopt/getopt.c,v > retrieving revision 1.8 > diff -u -p -u -r1.8 getopt.c > --- usr.bin/getopt/getopt.c 27 Oct 2009 23:59:38 -0000 1.8 > +++ usr.bin/getopt/getopt.c 28 Sep 2015 20:15:11 -0000 > @@ -8,6 +8,7 @@ > #include <stdio.h> > #include <stdlib.h> > #include <unistd.h> > +#include <err.h> > > int > main(int argc, char *argv[]) > @@ -16,6 +17,9 @@ main(int argc, char *argv[]) > extern char *optarg; > int c; > int status = 0; > + > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > > optind = 2; /* Past the program name and the option letters. */ > while ((c = getopt(argc, argv, argv[1])) != -1) > Index: usr.bin/head/head.c > =================================================================== > RCS file: /cvs/src/usr.bin/head/head.c,v > retrieving revision 1.18 > diff -u -p -u -r1.18 head.c > --- usr.bin/head/head.c 8 Oct 2014 08:31:53 -0000 1.18 > +++ usr.bin/head/head.c 4 Oct 2015 05:00:14 -0000 > @@ -55,6 +55,9 @@ main(int argc, char *argv[]) > char *p = NULL; > int status = 0; > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > /* handle obsolete -number syntax */ > if (argc > 1 && argv[1][0] == '-' && > isdigit((unsigned char)argv[1][1])) { 
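Review bot: In usr.bin/from/from.c the first tame() call is placed inside the helper `mail_spool()` rather than in main, so whether and when the process is restricted depends on the call path. Nothing visible in these hunks shows that main reaches `mail_spool()` on every path, or what runs before it; the later `tame("stdio", NULL)` in main only applies once the mailbox is open. Moving `if (tame("stdio rpath getpw", NULL) == -1) err(1, "tame");` to the top of main would put the restriction in one obvious place. mail_spool's body continues outside the hunk.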
> @@ -87,6 +90,8 @@ main(int argc, char *argv[]) > if (!firsttime) > exit(status); > fp = stdin; > + if (tame("stdio", NULL) == -1) > + err(1, "tame"); > } else { > if ((fp = fopen(*argv, "r")) == NULL) { > warn("%s", *argv++); > Index: usr.bin/hexdump/hexdump.c > =================================================================== > RCS file: /cvs/src/usr.bin/hexdump/hexdump.c,v > retrieving revision 1.17 > diff -u -p -u -r1.17 hexdump.c > --- usr.bin/hexdump/hexdump.c 16 Jan 2015 06:40:08 -0000 1.17 > +++ usr.bin/hexdump/hexdump.c 28 Sep 2015 20:15:11 -0000 > @@ -33,6 +33,7 @@ > #include <err.h> > #include <stdio.h> > #include <stdlib.h> > +#include <unistd.h> > #include <string.h> > #include "hexdump.h" > > @@ -52,6 +53,9 @@ main(int argc, char *argv[]) > { > FS *tfs; > char *p; > + > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > > if (!(p = strrchr(argv[0], 'o')) || strcmp(p, "od")) > newsyntax(argc, &argv); > Index: usr.bin/id/id.c > =================================================================== > RCS file: /cvs/src/usr.bin/id/id.c,v > retrieving revision 1.23 > diff -u -p -u -r1.23 id.c > --- usr.bin/id/id.c 19 May 2015 16:03:19 -0000 1.23 > +++ usr.bin/id/id.c 28 Sep 2015 20:15:11 -0000 > @@ -105,6 +105,9 @@ main(int argc, char *argv[]) > argc -= optind; > argv += optind; > > + if (tame("stdio getpw", NULL) == -1) > + err(1, "tame"); > + > switch (cflag + Gflag + gflag + pflag + uflag) { > case 1: > break; > Index: usr.bin/indent/indent.c > =================================================================== > RCS file: /cvs/src/usr.bin/indent/indent.c,v > retrieving revision 1.27 > diff -u -p -u -r1.27 indent.c > --- usr.bin/indent/indent.c 20 Aug 2015 22:32:41 -0000 1.27 > +++ usr.bin/indent/indent.c 28 Sep 2015 20:15:11 -0000 
> @@ -78,6 +78,8 @@ main(int argc, char **argv) > > int last_else = 0; /* true iff last keyword was an else */ > > + if (tame("stdio rpath wpath cpath tmppath", NULL) == -1) > + err(1, "tame"); > > /*-----------------------------------------------*\ > | INITIALIZATION | > Index: usr.bin/infocmp/infocmp.c > =================================================================== > RCS file: /cvs/src/usr.bin/infocmp/infocmp.c,v > retrieving revision 1.20 > diff -u -p -u -r1.20 infocmp.c > --- usr.bin/infocmp/infocmp.c 12 Jan 2010 23:22:13 -0000 1.20 > +++ usr.bin/infocmp/infocmp.c 28 Sep 2015 20:15:11 -0000 > @@ -1282,6 +1282,9 @@ main(int argc, char *argv[]) > bool init_analyze = FALSE; > bool suppress_untranslatable = FALSE; > > + if (tame("stdio rpath", NULL) == -1) > + perror("tame"); > + > /* where is the terminfo database location going to default to? */ > restdir = firstdir = 0; > > Index: usr.bin/join/join.c > =================================================================== > RCS file: /cvs/src/usr.bin/join/join.c,v > retrieving revision 1.25 > diff -u -p -u -r1.25 join.c > --- usr.bin/join/join.c 21 Jul 2015 04:42:59 -0000 1.25 > +++ usr.bin/join/join.c 28 Sep 2015 20:15:11 -0000 > @@ -104,6 +104,9 @@ main(int argc, char *argv[]) > int aflag, ch, cval, vflag; > char *end; > > + if (tame("stdio rpath", NULL) == -1) > + err(1, "tame"); > + > F1 = &input1; > F2 = &input2; > > Index: usr.bin/jot/jot.c > =================================================================== > RCS file: /cvs/src/usr.bin/jot/jot.c,v > retrieving revision 1.24 > diff -u -p -u -r1.24 jot.c > --- usr.bin/jot/jot.c 21 Jul 2015 04:04:06 -0000 1.24 > +++ usr.bin/jot/jot.c 28 Sep 2015 20:15:11 -0000 
> @@ -84,6 +84,9 @@ main(int argc, char *argv[])
> int ch;
> const char *errstr;
>
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "rb:w:cs:np:")) != -1)
> switch (ch) {
> case 'r':
> Index: usr.bin/lam/lam.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/lam/lam.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 lam.c
> --- usr.bin/lam/lam.c 16 Jan 2015 06:40:09 -0000 1.17
> +++ usr.bin/lam/lam.c 28 Sep 2015 20:15:11 -0000
> @@ -71,6 +71,9 @@ main(int argc, char *argv[])
> {
> int i;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> /* Process arguments, set numfiles to file argument count. */
> getargs(argc, argv);
> if (numfiles == 0)
> Index: usr.bin/lastcomm/lastcomm.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/lastcomm/lastcomm.c,v
> retrieving revision 1.21
> diff -u -p -u -r1.21 lastcomm.c
> --- usr.bin/lastcomm/lastcomm.c 15 Mar 2015 00:41:28 -0000 1.21
> +++ usr.bin/lastcomm/lastcomm.c 28 Sep 2015 20:15:11 -0000
> @@ -69,6 +69,9 @@ main(int argc, char *argv[])
> int ch;
> char *acctfile;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> acctfile = _PATH_ACCT;
> while ((ch = getopt(argc, argv, "f:")) != -1)
> switch(ch) {
> Index: usr.bin/logger/logger.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/logger/logger.c,v
> retrieving revision 1.14
> diff -u -p -u -r1.14 logger.c
> --- usr.bin/logger/logger.c 18 Apr 2015 18:28:37 -0000 1.14
> +++ usr.bin/logger/logger.c 28 Sep 2015 20:15:11 -0000
> @@ -37,6 +37,7 @@
> #include <stdio.h>
> #include <ctype.h>
> #include <string.h>
> +#include <err.h>
>
> #define SYSLOG_NAMES
> #include <syslog.h>
> @@ -91,6 +92,9 @@ main(int argc, char *argv[])
> /* setup for logging */
> openlog(tag ? tag : getlogin(), logflags, 0);
> (void) fclose(stdout);
> +
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
>
> /* log input line if appropriate */
> if (argc > 0) {
> Index: usr.bin/logname/logname.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/logname/logname.c,v
> retrieving revision 1.7
> diff -u -p -u -r1.7 logname.c
> --- usr.bin/logname/logname.c 27 Oct 2009 23:59:40 -0000 1.7
> +++ usr.bin/logname/logname.c 28 Sep 2015 20:15:11 -0000
> @@ -46,6 +46,9 @@ main(int argc, char *argv[])
>
> setlocale(LC_ALL, "");
>
> + if (tame("stdio getpw", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "")) != -1)
> switch (ch) {
> case '?':
> Index: usr.bin/look/look.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/look/look.c,v
> retrieving revision 1.16
> diff -u -p -u -r1.16 look.c
> --- usr.bin/look/look.c 6 Feb 2015 23:21:59 -0000 1.16
> +++ usr.bin/look/look.c 28 Sep 2015 20:15:11 -0000
> @@ -88,6 +88,9 @@ main(int argc, char *argv[])
> int ch, fd, termchar;
> char *back, *file, *front, *string, *p;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> file = _PATH_WORDS;
> termchar = '\0';
> while ((ch = getopt(argc, argv, "dft:")) != -1)
> Index: usr.bin/mktemp/mktemp.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/mktemp/mktemp.c,v
> retrieving revision 1.20
> diff -u -p -u -r1.20 mktemp.c
> --- usr.bin/mktemp/mktemp.c 6 Aug 2013 21:56:51 -0000 1.20
> +++ usr.bin/mktemp/mktemp.c 28 Sep 2015 20:15:11 -0000
> @@ -38,6 +38,9 @@ main(int argc, char *argv[])
> char *cp, *template, *tempfile, *prefix = _PATH_TMP;
> size_t len;
>
> + if (tame("stdio wpath cpath", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "dp:qtu")) != -1)
> switch(ch) {
> case 'd':
> Index: usr.bin/nl/nl.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/nl/nl.c,v
> retrieving revision 1.4
> diff -u -p -u -r1.4 nl.c
> --- usr.bin/nl/nl.c 21 Jan 2015 22:28:09 -0000 1.4
> +++ usr.bin/nl/nl.c 4 Oct 2015 05:00:06 -0000
> @@ -118,6 +118,9 @@ main(int argc, char *argv[])
>
> (void)setlocale(LC_ALL, "");
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> while ((c = getopt(argc, argv, "pb:d:f:h:i:l:n:s:v:w:")) != -1) {
> switch (c) {
> case 'p':
> @@ -204,10 +207,15 @@ main(int argc, char *argv[])
>
> switch (argc) {
> case 0:
> + /* Read from stdin. */
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
> break;
> case 1:
> - if (strcmp(argv[0], "-") != 0 &&
> - freopen(argv[0], "r", stdin) == NULL)
> + if (strcmp(argv[0], "-") == 0)
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
> + else if (freopen(argv[0], "r", stdin) == NULL)
> err(EXIT_FAILURE, "%s", argv[0]);
> break;
> default:
> Index: usr.bin/nm/nm.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/nm/nm.c,v
> retrieving revision 1.47
> diff -u -p -u -r1.47 nm.c
> --- usr.bin/nm/nm.c 13 Aug 2015 19:13:28 -0000 1.47
> +++ usr.bin/nm/nm.c 3 Oct 2015 04:25:11 -0000
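Review bot: In the second nl.c hunk (`case 1:`), the new `else if (freopen(...))` attaches to the inner `if (tame("stdio", NULL) == -1)`, not to the `strcmp` test, because the outer `if` has no braces. As written, a file operand is never opened, so nl reads stdin instead, while an operand of `-` reaches `freopen("-", ...)` whenever tame() succeeds. Bracing the outer branch restores the intended logic: `if (strcmp(argv[0], "-") == 0) {` for the first line and `} else if (freopen(argv[0], "r", stdin) == NULL)` for the last. Once that is fixed, the file branch could presumably also narrow to `"stdio"` after a successful freopen(), matching the stdin branches. main() starts and ends outside the hunk.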
> @@ -211,6 +211,10 @@ main(int argc, char *argv[])
> posix_radix, posix_radix);
> if (demangle)
> pipe2cppfilt();
> +
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> argv += optind;
> argc -= optind;
>
> Index: usr.bin/paste/paste.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/paste/paste.c,v
> retrieving revision 1.19
> diff -u -p -u -r1.19 paste.c
> --- usr.bin/paste/paste.c 25 Nov 2014 10:20:24 -0000 1.19
> +++ usr.bin/paste/paste.c 28 Sep 2015 20:15:11 -0000
> @@ -57,6 +57,9 @@ main(int argc, char *argv[])
> extern int optind;
> int ch, seq;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> seq = 0;
> while ((ch = getopt(argc, argv, "d:s")) != -1) {
> switch (ch) {
> Index: usr.bin/pr/pr.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/pr/pr.c,v
> retrieving revision 1.36
> diff -u -p -u -r1.36 pr.c
> --- usr.bin/pr/pr.c 20 Aug 2015 22:32:41 -0000 1.36
> +++ usr.bin/pr/pr.c 28 Sep 2015 20:15:11 -0000
> @@ -140,6 +140,9 @@ main(int argc, char *argv[])
> {
> int ret_val;
>
> + if (tame("stdio rpath", NULL) == -1)
> + perror("tame");
> +
> if (signal(SIGINT, SIG_IGN) != SIG_IGN)
> (void)signal(SIGINT, terminate);
> ret_val = setup(argc, argv);
> Index: usr.bin/printenv/printenv.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/printenv/printenv.c,v
> retrieving revision 1.6
> diff -u -p -u -r1.6 printenv.c
> --- usr.bin/printenv/printenv.c 27 Oct 2009 23:59:41 -0000 1.6
> +++ usr.bin/printenv/printenv.c 28 Sep 2015 20:15:11 -0000
> @@ -32,6 +32,8 @@
> #include <stdio.h>
> #include <string.h>
> #include <stdlib.h>
> +#include <unistd.h>
> +#include <err.h>
>
> /*
> * printenv
> @@ -45,6 +47,9 @@ main(int argc, char *argv[])
> extern char **environ;
> char *cp, **ep;
> int len;
> +
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
>
> if (argc < 2) {
> for (ep = environ; *ep; ep++)
> Index: usr.bin/printf/printf.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/printf/printf.c,v
> retrieving revision 1.22
> diff -u -p -u -r1.22 printf.c
> --- usr.bin/printf/printf.c 25 May 2014 07:36:36 -0000 1.22
> +++ usr.bin/printf/printf.c 28 Sep 2015 20:15:11 -0000
> @@ -32,6 +32,7 @@
> #include <ctype.h>
> #include <stdio.h>
> #include <stdlib.h>
> +#include <unistd.h>
> #include <string.h>
> #include <limits.h>
> #include <locale.h>
> @@ -80,6 +81,9 @@ main(int argc, char *argv[])
> char *format;
>
> setlocale (LC_ALL, "");
> +
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
>
> /* Need to accept/ignore "--" option. */
> if (argc > 1 && strcmp(argv[1], "--") == 0) {
> Index: usr.bin/readlink/readlink.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/readlink/readlink.c,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 readlink.c
> --- usr.bin/readlink/readlink.c 1 May 2009 10:36:48 -0000 1.25
> +++ usr.bin/readlink/readlink.c 28 Sep 2015 20:15:11 -0000
> @@ -44,6 +44,9 @@ main(int argc, char *argv[])
> int n, ch, nflag = 0, fflag = 0;
> extern int optind;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "fn")) != -1)
> switch (ch) {
> case 'f':
> Index: usr.bin/rev/rev.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/rev/rev.c,v
> retrieving revision 1.10
> diff -u -p -u -r1.10 rev.c
> --- usr.bin/rev/rev.c 27 Oct 2009 23:59:42 -0000 1.10
> +++ usr.bin/rev/rev.c 28 Sep 2015 20:15:11 -0000
> @@ -49,6 +49,9 @@ main(int argc, char *argv[])
> size_t len;
> int ch, rval;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "")) != -1)
> switch(ch) {
> case '?':
> @@ -71,6 +74,9 @@ main(int argc, char *argv[])
> continue;
> }
> filename = *argv++;
> + } else {
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
> }
> while ((p = fgetln(fp, &len)) != NULL) {
> if (p[len - 1] == '\n')
> Index: usr.bin/rs/rs.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/rs/rs.c,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 rs.c
> --- usr.bin/rs/rs.c 20 Aug 2015 22:32:41 -0000 1.25
> +++ usr.bin/rs/rs.c 28 Sep 2015 20:15:11 -0000
> @@ -93,6 +93,9 @@ void putfile(void);
> int
> main(int argc, char *argv[])
> {
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
> +
> getargs(argc, argv);
> getfile();
> if (flags & SHAPEONLY) {
> Index: usr.bin/split/split.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/split/split.c,v
> retrieving revision 1.18
> diff -u -p -u -r1.18 split.c
> --- usr.bin/split/split.c 16 Jan 2015 06:40:12 -0000 1.18
> +++ usr.bin/split/split.c 28 Sep 2015 20:15:11 -0000
> @@ -68,6 +68,9 @@ main(int argc, char *argv[])
> char *ep, *p;
> const char *errstr;
>
> + if (tame("stdio rpath wpath cpath", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "0123456789a:b:l:p:-")) != -1)
> switch (ch) {
> case '0': case '1': case '2': case '3': case '4':
> Index: usr.bin/stat/stat.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/stat/stat.c,v
> retrieving revision 1.18
> diff -u -p -u -r1.18 stat.c
> --- usr.bin/stat/stat.c 26 Nov 2013 21:08:12 -0000 1.18
> +++ usr.bin/stat/stat.c 28 Sep 2015 20:15:11 -0000
> @@ -158,6 +158,9 @@ main(int argc, char *argv[])
> int lsF, fmtchar, usestat, fn, nonl, quiet;
> char *statfmt, *options, *synopsis;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> lsF = 0;
> fmtchar = '\0';
> usestat = 0;
> Index: usr.bin/tail/tail.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/tail/tail.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 tail.c
> --- usr.bin/tail/tail.c 27 Oct 2009 23:59:44 -0000 1.17
> +++ usr.bin/tail/tail.c 28 Sep 2015 20:15:11 -0000
> @@ -61,6 +61,9 @@ main(int argc, char *argv[])
> int ch, first;
> char *p;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> /*
> * Tail's options are weird. First, -n10 is the same as -n-10, not
> * -n+10. Second, the number options are 1 based and not offsets,
> Index: usr.bin/tee/tee.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/tee/tee.c,v
> retrieving revision 1.8
> diff -u -p -u -r1.8 tee.c
> --- usr.bin/tee/tee.c 23 Apr 2013 17:48:17 -0000 1.8
> +++ usr.bin/tee/tee.c 28 Sep 2015 20:15:11 -0000
> @@ -74,6 +74,9 @@ main(int argc, char *argv[])
>
> setlocale(LC_ALL, "");
>
> + if (tame("stdio rpath wpath cpath", NULL) == -1)
> + err(1, "tame");
> +
> append = 0;
> while ((ch = getopt(argc, argv, "ai")) != -1) {
> switch(ch) {
> Index: usr.bin/tic/tic.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/tic/tic.c,v
> retrieving revision 1.31
> diff -u -p -u -r1.31 tic.c
> --- usr.bin/tic/tic.c 28 Nov 2013 18:24:55 -0000 1.31
> +++ usr.bin/tic/tic.c 30 Sep 2015 18:03:04 -0000
> @@ -499,6 +499,9 @@ main(int argc, char *argv[])
> bool check_only = FALSE;
> bool suppress_untranslatable = FALSE;
>
> + if (tame("stdio rpath cpath", NULL) == -1)
> + perror("tame");
> +
> log_fp = stderr;
>
> _nc_progname = _nc_rootname(argv[0]);
> Index: usr.bin/touch/touch.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/touch/touch.c,v
> retrieving revision 1.23
> diff -u -p -u -r1.23 touch.c
> --- usr.bin/touch/touch.c 17 Mar 2015 19:31:30 -0000 1.23
> +++ usr.bin/touch/touch.c 3 Oct 2015 04:37:51 -0000
> @@ -60,6 +60,9 @@ main(int argc, char *argv[])
>
> (void)setlocale(LC_ALL, "");
>
> + if (tame("stdio rpath wpath cpath fattr", NULL) == -1)
> + err(1, "tame");
> +
> aflag = cflag = mflag = timeset = 0;
> while ((ch = getopt(argc, argv, "acd:fmr:t:")) != -1)
> switch (ch) {
> Index: usr.bin/tr/tr.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/tr/tr.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 tr.c
> --- usr.bin/tr/tr.c 3 Jun 2014 20:57:23 -0000 1.17
> +++ usr.bin/tr/tr.c 28 Sep 2015 20:15:11 -0000
> @@ -87,6 +87,9 @@ main(int argc, char *argv[])
> int ch, cnt, lastch, *p;
> int cflag, dflag, sflag, isstring2;
>
> + if (tame("stdio", NULL) == -1)
> + err(1, "tame");
> +
> cflag = dflag = sflag = 0;
> while ((ch = getopt(argc, argv, "Ccds")) != -1)
> switch(ch) {
> Index: usr.bin/units/units.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/units/units.c,v
> retrieving revision 1.20
> diff -u -p -u -r1.20 units.c
> --- usr.bin/units/units.c 27 Nov 2013 00:13:24 -0000 1.20
> +++ usr.bin/units/units.c 28 Sep 2015 20:15:11 -0000
> @@ -23,6 +23,7 @@
> #include <string.h>
> #include <stdlib.h>
> #include <unistd.h>
> +#include <err.h>
>
> #define UNITSFILE "/usr/share/misc/units.lib"
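Review bot: The tic.c hunk requests `"stdio rpath cpath"` with no `wpath`, although tic exists to write compiled terminfo entries. If those output files are opened for writing in this same process (not visible in the hunk), the request is presumably too narrow and a normal run would be stopped at the first write-open. The split.c and tee.c hunks in this patch use `"stdio rpath wpath cpath"` for the same create-and-write pattern, so `tame("stdio rpath wpath cpath", NULL)` looks like the intended request here. main() continues outside the hunk.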
>
> @@ -630,6 +631,9 @@ main(int argc, char **argv)
>
> extern char *optarg;
> extern int optind;
> +
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
>
> while ((optchar = getopt(argc, argv, "vqf:")) != -1) {
> switch (optchar) {
> Index: usr.bin/unvis/unvis.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/unvis/unvis.c,v
> retrieving revision 1.12
> diff -u -p -u -r1.12 unvis.c
> --- usr.bin/unvis/unvis.c 22 Jan 2014 09:45:21 -0000 1.12
> +++ usr.bin/unvis/unvis.c 28 Sep 2015 20:15:11 -0000
> @@ -43,6 +43,9 @@ main(int argc, char *argv[])
> FILE *fp;
> int ch;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "")) != -1)
> switch(ch) {
> case '?':
> Index: usr.bin/users/users.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/users/users.c,v
> retrieving revision 1.11
> diff -u -p -u -r1.11 users.c
> --- usr.bin/users/users.c 8 Oct 2014 04:11:28 -0000 1.11
> +++ usr.bin/users/users.c 28 Sep 2015 20:15:11 -0000
> @@ -53,6 +53,9 @@ main(int argc, char *argv[])
> struct utmp utmp;
> int ch;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "")) != -1)
> switch(ch) {
> case '?':
> Index: usr.bin/vacation/vacation.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/vacation/vacation.c,v
> retrieving revision 1.37
> diff -u -p -u -r1.37 vacation.c
> --- usr.bin/vacation/vacation.c 20 Aug 2015 22:32:42 -0000 1.37
> +++ usr.bin/vacation/vacation.c 3 Oct 2015 04:23:59 -0000
> @@ -49,6 +49,7 @@
> #include <stdlib.h>
> #include <string.h>
> #include <paths.h>
> +#include <err.h>
>
> /*
> * VACATION -- return a message to the sender when on vacation.
> Index: usr.bin/vis/vis.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/vis/vis.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 vis.c
> --- usr.bin/vis/vis.c 18 Apr 2015 18:28:38 -0000 1.17
> +++ usr.bin/vis/vis.c 28 Sep 2015 20:15:11 -0000
> @@ -55,6 +55,9 @@ main(int argc, char *argv[])
> FILE *fp;
> int ch;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> while ((ch = getopt(argc, argv, "anwctsobfF:ld")) != -1)
> switch(ch) {
> case 'a':
> Index: usr.bin/what/what.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/what/what.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 what.c
> --- usr.bin/what/what.c 22 Jan 2015 19:10:17 -0000 1.13
> +++ usr.bin/what/what.c 28 Sep 2015 20:15:11 -0000
> @@ -58,6 +58,9 @@ main(int argc, char *argv[])
> char match[256];
> int c;
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> matches = sflag = 0;
> while ((c = getopt(argc, argv, "s")) != -1) {
> switch (c) {
> Index: usr.bin/who/who.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/who/who.c,v
> retrieving revision 1.20
> diff -u -p -u -r1.20 who.c
> --- usr.bin/who/who.c 22 Aug 2013 04:43:41 -0000 1.20
> +++ usr.bin/who/who.c 28 Sep 2015 20:15:11 -0000
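Review bot: The vacation.c section consists of a single hunk that adds `#include <err.h>`, and no tame() call for vacation.c appears anywhere in this patch. Either the call was dropped from the diff, leaving vacation unrestricted while the include suggests otherwise, or the include is left over from an earlier attempt and should be removed. If the call is still to come, a placeholder such as `/* XXX tame() request for vacation still to be determined */` would make the open item visible.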
> @@ -72,6 +72,9 @@ main(int argc, char *argv[])
>
> setlocale(LC_ALL, "");
>
> + if (tame("stdio rpath", NULL) == -1)
> + err(1, "tame");
> +
> only_current_term = show_term = show_idle = show_labels = 0;
> show_quick = 0;
> while ((c = getopt(argc, argv, "HmqTu")) != -1) {
> Index: usr.bin/yes/yes.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/yes/yes.c,v
> retrieving revision 1.8
> diff -u -p -u -r1.8 yes.c
> --- usr.bin/yes/yes.c 27 Oct 2009 23:59:50 -0000 1.8
> +++ usr.bin/yes/yes.c 28 Sep 2015 20:15:11 -0000
> @@ -30,11 +30,15 @@
> * SUCH DAMAGE.
> */
>
> +#include <unistd.h>
> #include <stdio.h>
>
> int
> main(int argc, char *argv[])
> {
> + if (tame("stdio", NULL) == -1)
> + perror("tame");
> +
> if (argc > 1)
> for (;;)
> puts(argv[1]);
> Index: usr.sbin/bgpd/rde.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.339
> diff -u -p -u -r1.339 rde.c
> --- usr.sbin/bgpd/rde.c 21 Sep 2015 09:47:15 -0000 1.339
> +++ usr.sbin/bgpd/rde.c 28 Sep 2015 20:15:11 -0000
> @@ -30,6 +30,7 @@
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> +#include <err.h>
>
> #include "bgpd.h"
> #include "mrt.h"
> @@ -185,6 +186,9 @@ rde_main(int debug, int verbose)
> setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
> setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
> fatal("can't drop privileges");
> +
> + if (tame("malloc unix cmsg", NULL) == -1)
> + err(1, "tame");
>
> signal(SIGTERM, rde_sighdlr);
> signal(SIGINT, rde_sighdlr);
> Index: usr.sbin/bgpd/session.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
> retrieving revision 1.340
> diff -u -p -u -r1.340 session.c
> --- usr.sbin/bgpd/session.c 4 Aug 2015 14:46:38 -0000 1.340
> +++ usr.sbin/bgpd/session.c 28 Sep 2015 20:15:11 -0000
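Review bot: In the bgpd/rde.c hunk the tame() failure path calls `err(1, "tame")`, while the statement just above it reports the privilege-drop failure with `fatal("can't drop privileges")`. If this process no longer has a usable stderr, the err(3) message is presumably lost, whereas fatal() appears to be the daemon's own reporting path. Using `fatal("tame")` would keep both sandbox-setup failures in the same log and make the added `#include <err.h>` unnecessary. The same pattern sits next to an existing fatal() call in the hunks for bgpd/session.c, httpd/logger.c, ntpd/ntp.c and relayd/ca.c. rde_main() starts and ends outside the hunk.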
> @@ -219,6 +219,9 @@ session_main(int debug, int verbose)
> setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
> fatal("can't drop privileges");
>
> + if (tame("malloc inet cmsg", NULL) == -1)
> + err(1, "tame");
> +
> signal(SIGTERM, session_sighdlr);
> signal(SIGINT, session_sighdlr);
> signal(SIGPIPE, SIG_IGN);
> Index: usr.sbin/httpd/httpd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
> retrieving revision 1.39
> diff -u -p -u -r1.39 httpd.c
> --- usr.sbin/httpd/httpd.c 20 Aug 2015 13:00:23 -0000 1.39
> +++ usr.sbin/httpd/httpd.c 29 Sep 2015 09:34:57 -0000
> @@ -247,6 +247,9 @@ main(int argc, char *argv[])
>
> setproctitle("parent");
>
> + if (tame("malloc inet cmsg cpath rpath wpath proc ioctl", NULL) == -1)
> + err(1, "tame");
> +
> event_init();
>
> signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);
> Index: usr.sbin/httpd/logger.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/logger.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 logger.c
> --- usr.sbin/httpd/logger.c 20 Aug 2015 13:00:23 -0000 1.13
> +++ usr.sbin/httpd/logger.c 28 Sep 2015 20:15:11 -0000
> @@ -26,6 +26,7 @@
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> +#include <err.h>
> #include <fcntl.h>
> #include <imsg.h>
>
> @@ -70,6 +71,9 @@ logger_shutdown(void)
> void
> logger_init(struct privsep *ps, struct privsep_proc *p, void *arg)
> {
> + if (tame("malloc cmsg", NULL) == -1)
> + err(1, "tame");
> +
> if (config_init(ps->ps_env) == -1)
> fatal("failed to initialize configuration");
>
> Index: usr.sbin/httpd/server.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server.c,v
> retrieving revision 1.80
> diff -u -p -u -r1.80 server.c
> --- usr.sbin/httpd/server.c 11 Sep 2015 13:21:09 -0000 1.80
> +++ usr.sbin/httpd/server.c 3 Oct 2015 02:52:35 -0000
> @@ -38,6 +38,7 @@
> #include <string.h>
> #include <syslog.h>
> #include <unistd.h>
> +#include <err.h>
> #include <event.h>
> #include <imsg.h>
> #include <tls.h>
> @@ -243,6 +244,15 @@ server_init(struct privsep *ps, struct p
>
> /* Unlimited file descriptors (use system limits) */
> socket_rlimit(-1);
> +
> + /*
> + * XXX "inet" and "unix" are only needed for fcgi, however
> + * whether fcgi is used or not can change when the config is
> + * reloaded. should the parent retain these abilities, but
> + * re-fork the children and properly tame them again on reload?
> + */
> + if (tame("malloc cmsg rpath proc inet unix ioctl", NULL) == -1)
> + err(1, "tame");
>
> #if 0
> /* Schedule statistics timer */
> Index: usr.sbin/ntpd/ntp.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ntpd/ntp.c,v
> retrieving revision 1.135
> diff -u -p -u -r1.135 ntp.c
> --- usr.sbin/ntpd/ntp.c 14 Aug 2015 02:00:18 -0000 1.135
> +++ usr.sbin/ntpd/ntp.c 28 Sep 2015 20:15:11 -0000
> @@ -30,6 +30,7 @@
> #include <string.h>
> #include <time.h>
> #include <unistd.h>
> +#include <err.h>
> #include <tls.h>
>
> #include "ntpd.h"
> @@ -164,6 +165,10 @@ ntp_main(int pipe_prnt[2], int fd_ctl, s
> fatal("can't drop privileges");
>
> endservent();
> +
> + /* XXX "dns" for constraint.c, which is forked off wrong parent? */
> + if (tame("stdio inet dns proc", NULL) == -1)
> + err(1, "tame");
>
> signal(SIGTERM, ntp_sighdlr);
> signal(SIGINT, ntp_sighdlr);
> Index: usr.sbin/ntpd/ntpd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
> retrieving revision 1.95
> diff -u -p -u -r1.95 ntpd.c
> --- usr.sbin/ntpd/ntpd.c 3 Oct 2015 02:47:15 -0000 1.95
> +++ usr.sbin/ntpd/ntpd.c 3 Oct 2015 02:47:28 -0000
> @@ -196,6 +196,10 @@ main(int argc, char *argv[])
> setproctitle("[priv]");
> readfreq();
>
> +// XXX missing: adjtime() to change time
> +// if (tame("stdio unix proc", NULL) == -1)
> +// err(1, "tame");
> +
> signal(SIGTERM, sighdlr);
> signal(SIGINT, sighdlr);
> signal(SIGHUP, sighdlr);
> Index: usr.sbin/portmap/portmap.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/portmap/portmap.c,v
> retrieving revision 1.45
> diff -u -p -u -r1.45 portmap.c
> --- usr.sbin/portmap/portmap.c 13 Sep 2015 15:44:47 -0000 1.45
> +++ usr.sbin/portmap/portmap.c 4 Oct 2015 01:00:35 -0000
> @@ -246,6 +246,9 @@ main(int argc, char *argv[])
> }
> endpwent();
>
> + if (tame("stdio rpath inet proc", NULL) == -1)
> + err(1, "tame");
> +
> if (svc_register(xprt, PMAPPROG, PMAPVERS, reg_service, FALSE) == 0) {
> syslog(LOG_ERR, "svc_register failed.");
> exit(1);
> @@ -604,6 +607,10 @@ callit(struct svc_req *rqstp, SVCXPRT *x
> a.rmt_prog);
> return;
> }
> +
> + if (tame("stdio rpath inet", NULL) == -1)
> + err(1, "tame");
> +
> port = pml->pml_map.pm_port;
> get_myaddress(&me);
> me.sin_port = htons(port);
> Index: usr.sbin/relayd/ca.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 ca.c
> --- usr.sbin/relayd/ca.c 2 May 2015 13:15:24 -0000 1.13
> +++ usr.sbin/relayd/ca.c 28 Sep 2015 20:15:11 -0000
> @@ -23,6 +23,7 @@
> #include <unistd.h>
> #include <string.h>
> #include <stdlib.h>
> +#include <err.h>
> #include <imsg.h>
>
> #include <openssl/bio.h>
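Review bot: The ntpd.c hunk adds the `[priv]` process's tame() call as `//`-commented-out code, so the most privileged ntpd process stays unrestricted and the reason is only hinted at in the first added line. A block comment in the style of the httpd/server.c hunk would record the open item without carrying dead code, e.g. `/* XXX not tamed yet: this process needs adjtime(), which the "stdio unix proc" request does not appear to allow */`. main() continues outside the hunk.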
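Review bot: In the second portmap.c hunk, tame() is called from inside callit(), a request handler, and the request omits the `proc` that main() asked for. Whichever process executes that line is narrowed for the rest of its life. The hunk does not show a fork, so whether this point is reached only in a per-request child cannot be confirmed from here; if it ever ran in the long-lived server, later requests that need `proc` would fail. A comment should state the assumption, e.g. `/* forked child only: the parent must keep "proc" for later requests */`. callit() starts and ends outside the hunk.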
> @@ -73,6 +74,9 @@ ca(struct privsep *ps, struct privsep_pr
> void
> ca_init(struct privsep *ps, struct privsep_proc *p, void *arg)
> {
> + if (tame("malloc rw cmsg", NULL) == -1)
> + err(1, "tame");
> +
> if (config_init(ps->ps_env) == -1)
> fatal("failed to initialize configuration");
>
> Index: usr.sbin/syslogd/syslogd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.190
> diff -u -p -u -r1.190 syslogd.c
> --- usr.sbin/syslogd/syslogd.c 29 Sep 2015 03:19:23 -0000 1.190
> +++ usr.sbin/syslogd/syslogd.c 29 Sep 2015 03:42:24 -0000
> @@ -593,6 +593,9 @@ main(int argc, char *argv[])
> if (priv_init(ConfFile, NoDNS, lockpipe[1], nullfd, argv) < 0)
> errx(1, "unable to privsep");
>
> + if (tame("malloc rpath unix inet cmsg", NULL) == -1)
> + err(1, "tame");
> +
> /* Process is now unprivileged and inside a chroot */
> event_init();
>
>