perror(3) is being used instead of err(3) in a few places; is
that on purpose?  If it's an oversight, I noticed the same thing
in patch(1).

On 10/04/15 01:34, Theo de Raadt wrote:
> 42 tame calls have been commited to 28 userland programs so far.
> For instance gzip, md5, ping, traceroute, tcpdump, script, arp,
> whois, ntpd, sshd...
> 
> Below is a tree of roughly a hundred more programs.  Not all are
> fully verified yet, but they are being placed in snapshots.
> 
> Some of these I did myself, but others were contributed.  I am trying
> to focus on the programs which do either file or socket behaviour, but
> not both.  Or, on the programs which do their fd setup early.
> 
> I appreciate the feedback I've received so far.
> 
> Index: bin/dd/dd.c
> ===================================================================
> RCS file: /cvs/src/bin/dd/dd.c,v
> retrieving revision 1.21
> diff -u -p -u -r1.21 dd.c
> --- bin/dd/dd.c       16 Jan 2015 06:39:31 -0000      1.21
> +++ bin/dd/dd.c       28 Sep 2015 20:15:11 -0000
> @@ -149,6 +149,9 @@ setup(void)
>       if (out.offset)
>               pos_out();
>  
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
> +
>       /*
>        * Truncate the output file; ignore errors because it fails on some
>        * kinds of output files, tapes, for example.
> Index: bin/df/df.c
> ===================================================================
> RCS file: /cvs/src/bin/df/df.c,v
> retrieving revision 1.52
> diff -u -p -u -r1.52 df.c
> --- bin/df/df.c       16 Jan 2015 06:39:31 -0000      1.52
> +++ bin/df/df.c       2 Oct 2015 00:19:01 -0000
> @@ -79,6 +79,9 @@ main(int argc, char *argv[])
>       int width, maxwidth;
>       char *mntpt;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "hiklnPt:")) != -1)
>               switch (ch) {
>               case 'h':
> Index: bin/expr/expr.c
> ===================================================================
> RCS file: /cvs/src/bin/expr/expr.c,v
> retrieving revision 1.20
> diff -u -p -u -r1.20 expr.c
> --- bin/expr/expr.c   11 Aug 2015 17:15:46 -0000      1.20
> +++ bin/expr/expr.c   28 Sep 2015 20:15:11 -0000
> @@ -12,6 +12,7 @@
>  #include <limits.h>
>  #include <locale.h>
>  #include <ctype.h>
> +#include <unistd.h>
>  #include <regex.h>
>  #include <err.h>
>  
> @@ -499,6 +500,9 @@ main(int argc, char *argv[])
>       struct val     *vp;
>  
>       (void) setlocale(LC_ALL, "");
> +
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
>  
>       if (argc > 1 && !strcmp(argv[1], "--"))
>               argv++;
> Index: bin/ls/ls.c
> ===================================================================
> RCS file: /cvs/src/bin/ls/ls.c,v
> retrieving revision 1.41
> diff -u -p -u -r1.41 ls.c
> --- bin/ls/ls.c       25 Jun 2015 02:04:07 -0000      1.41
> +++ bin/ls/ls.c       28 Sep 2015 20:15:11 -0000
> @@ -123,6 +123,9 @@ ls_main(int argc, char *argv[])
>                       termwidth = width;
>       }
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       /* Root is -A automatically. */
>       if (!getuid())
>               f_listdot = 1;
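Review bot: The request `"stdio rpath"` is made before the option parsing that follows it, yet the long-listing modes of ls resolve uid/gid to names through the password and group databases, which is what tame's getpw request exists to cover; if that lookup touches anything beyond plain files under rpath (a YP-backed lookup, for instance), `ls -l` would be killed after this hunk. Consider `if (tame("stdio rpath getpw", NULL) == -1)` or deferring the call until the options are known. ls_main continues outside the hunk, so I cannot confirm from the visible lines which lookup routines are reached.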
> Index: bin/mkdir/mkdir.c
> ===================================================================
> RCS file: /cvs/src/bin/mkdir/mkdir.c,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 mkdir.c
> --- bin/mkdir/mkdir.c 2 Apr 2013 20:26:17 -0000       1.25
> +++ bin/mkdir/mkdir.c 3 Oct 2015 03:32:46 -0000
> @@ -55,6 +55,9 @@ main(int argc, char *argv[])
>  
>       setlocale(LC_ALL, "");
>  
> +     if (tame("stdio cpath rpath fattr", NULL) == -1)
> +             err(1, "tame");
> +
>       /*
>        * The default file mode is a=rwx (0777) with selected permissions
>        * removed in accordance with the file mode creation mask.  For
> Index: bin/pax/ar_io.c
> ===================================================================
> RCS file: /cvs/src/bin/pax/ar_io.c,v
> retrieving revision 1.50
> diff -u -p -u -r1.50 ar_io.c
> --- bin/pax/ar_io.c   22 Mar 2015 03:15:00 -0000      1.50
> +++ bin/pax/ar_io.c   3 Oct 2015 23:42:07 -0000
> @@ -75,6 +75,7 @@ static int wr_trail = 1;            /* trailer was
>  static int can_unlnk = 0;            /* do we unlink null archives?  */
>  const char *arcname;                 /* printable name of archive */
>  const char *gzip_program;            /* name of gzip program */
> +const char *delayed_tame;    /* tame request for after forking gzip_program 
> */
>  static pid_t zpid = -1;                      /* pid of child process */
>  int force_one_volume;                        /* 1 if we ignore volume 
> changes */
>  
> @@ -1276,4 +1277,6 @@ ar_start_gzip(int fd, const char *path, 
>                       err(1, "could not exec %s", path);
>               /* NOTREACHED */
>       }
> +     if (delayed_tame != NULL && tame(delayed_tame, NULL) == -1)
> +             err(1, "tame");
>  }
> Index: bin/pax/extern.h
> ===================================================================
> RCS file: /cvs/src/bin/pax/extern.h,v
> retrieving revision 1.53
> diff -u -p -u -r1.53 extern.h
> --- bin/pax/extern.h  19 Mar 2015 05:14:24 -0000      1.53
> +++ bin/pax/extern.h  3 Oct 2015 23:42:07 -0000
> @@ -45,6 +45,7 @@
>   */
>  extern const char *arcname;
>  extern const char *gzip_program;
> +extern const char *delayed_tame;
>  extern int force_one_volume;
>  int ar_open(const char *);
>  void ar_close(int _in_sig);
> Index: bin/pax/pax.c
> ===================================================================
> RCS file: /cvs/src/bin/pax/pax.c,v
> retrieving revision 1.41
> diff -u -p -u -r1.41 pax.c
> --- bin/pax/pax.c     9 Mar 2015 04:23:29 -0000       1.41
> +++ bin/pax/pax.c     3 Oct 2015 23:42:07 -0000
> @@ -257,6 +257,30 @@ main(int argc, char **argv)
>               return(exit_val);
>  
>       /*
> +      * pmode needs to restore setugid bits when extracting or copying,
> +      * so can't tame at all then.
> +      */
> +     if (pmode == 0 || (act != EXTRACT && act != COPY)) {
> +             /*
> +              * If we need to fork/exec gzip_program, then delay the
> +              * tame() call.  (Copy mode ignores gzip_program)
> +              */
> +             if (gzip_program == NULL || act == COPY) {
> +                     if (tame("stdio getpw ioctl cpath wpath rpath fattr",
> +                         NULL) == -1)
> +                             err(1, "tame");
> +             } else if (gzip_program != NULL) {
> +                     /*
> +                      * If nflag, then add "proc" to the above, for
> +                      * kill() of zpid
> +                      */
> +                     delayed_tame =
> +                         nflag? "stdio getpw ioctl cpath wpath rpath fattr"
> +                         : "proc stdio getpw ioctl cpath wpath rpath fattr";
> +             }
> +     }
> +
> +     /*
>        * select a primary operation mode
>        */
>       switch (act) {
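Review bot: The ternary at the end of the hunk contradicts its own comment: the comment says "proc" is added when nflag is set, but the code assigns the string without "proc" when nflag is true and the one with "proc" otherwise, so the kill() of zpid that the comment is guarding for would be denied in exactly the nflag case. The operands look swapped; `nflag ? "proc stdio getpw ioctl cpath wpath rpath fattr" : "stdio getpw ioctl cpath wpath rpath fattr";` matches the comment. The `else if (gzip_program != NULL)` is also redundant, since the preceding condition already rejected the NULL case, and a plain `else` reads clearer. main() continues outside the hunk.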
> Index: bin/pwd/pwd.c
> ===================================================================
> RCS file: /cvs/src/bin/pwd/pwd.c,v
> retrieving revision 1.12
> diff -u -p -u -r1.12 pwd.c
> --- bin/pwd/pwd.c     28 May 2014 06:55:58 -0000      1.12
> +++ bin/pwd/pwd.c     28 Sep 2015 20:15:11 -0000
> @@ -47,6 +47,9 @@ main(int argc, char *argv[])
>       int ch, lFlag = 0;
>       const char *p;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "LP")) != -1) {
>               switch (ch) {
>               case 'L':
> Index: sbin/dmesg/dmesg.c
> ===================================================================
> RCS file: /cvs/src/sbin/dmesg/dmesg.c,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 dmesg.c
> --- sbin/dmesg/dmesg.c        16 Jan 2015 06:39:57 -0000      1.25
> +++ sbin/dmesg/dmesg.c        3 Oct 2015 01:13:02 -0000
> @@ -108,6 +108,9 @@ main(int argc, char *argv[])
>               if (sysctl(mib, 2, bufdata, &len, NULL, 0))
>                       err(1, "sysctl: KERN_MSGBUF");
>  
> +             if (tame("stdio", NULL) == -1)
> +                     err(1, "tame");
> +
>               memcpy(&cur, bufdata, sizeof(cur));
>               bufdata = ((struct msgbuf *)bufdata)->msg_bufc;
>       } else {
> @@ -119,6 +122,9 @@ main(int argc, char *argv[])
>               if ((kd = kvm_open(nlistf, memf, NULL, O_RDONLY,
>                   "dmesg")) == NULL)
>                       return (1);
> +
> +             if (tame("stdio", NULL) == -1)
> +                     err(1, "tame");
>  
>               if (kvm_nlist(kd, nl) == -1)
>                       errx(1, "kvm_nlist: %s", kvm_geterr(kd));
> Index: usr.bin/arch/arch.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/arch/arch.c,v
> retrieving revision 1.16
> diff -u -p -u -r1.16 arch.c
> --- usr.bin/arch/arch.c       25 Sep 2015 16:19:26 -0000      1.16
> +++ usr.bin/arch/arch.c       28 Sep 2015 20:15:11 -0000
> @@ -30,6 +30,7 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <unistd.h>
> +#include <err.h>
>  
>  static void __dead usage(void);
>  
> @@ -43,6 +44,9 @@ main(int argc, char *argv[])
>       char *arch, *opts;
>  
>       setlocale(LC_ALL, "");
> +
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
>  
>       machine = strcmp(__progname, "machine") == 0;
>       if (machine) {
> Index: usr.bin/banner/banner.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/banner/banner.c,v
> retrieving revision 1.9
> diff -u -p -u -r1.9 banner.c
> --- usr.bin/banner/banner.c   27 Oct 2009 23:59:35 -0000      1.9
> +++ usr.bin/banner/banner.c   28 Sep 2015 20:15:11 -0000
> @@ -53,6 +53,7 @@
>  #include <unistd.h>
>  #include <stdlib.h>
>  #include <string.h>
> +#include <err.h>
>  
>  #include "banner.h"
>  
> @@ -152,6 +153,8 @@ main(int argc, char *argv[])
>  {
>       char word[10+1];                        /* strings limited to 10 chars 
> */
>       
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
>       while (*++argv) {
>               (void)strlcpy(word, *argv, sizeof (word));
>               scan_out(1, word, '\0');
> Index: usr.bin/cal/cal.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/cal/cal.c,v
> retrieving revision 1.28
> diff -u -p -u -r1.28 cal.c
> --- usr.bin/cal/cal.c 17 Mar 2015 19:31:30 -0000      1.28
> +++ usr.bin/cal/cal.c 28 Sep 2015 20:15:11 -0000
> @@ -150,6 +150,9 @@ main(int argc, char *argv[])
>       int ch, month, year, yflag;
>       const char *errstr;
>  
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
> +
>       yflag = year = 0;
>       while ((ch = getopt(argc, argv, "jmwy")) != -1)
>               switch(ch) {
> Index: usr.bin/col/col.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/col/col.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 col.c
> --- usr.bin/col/col.c 9 May 2015 20:36:18 -0000       1.17
> +++ usr.bin/col/col.c 28 Sep 2015 20:15:11 -0000
> @@ -113,6 +113,9 @@ main(int argc, char *argv[])
>       int adjust, opt, warned;
>       const char *errstr;
>  
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
> +
>       max_bufd_lines = 256;
>       compress_spaces = 1;            /* compress spaces into tabs */
>       while ((opt = getopt(argc, argv, "bfhl:x")) != -1)
> Index: usr.bin/colrm/colrm.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/colrm/colrm.c,v
> retrieving revision 1.9
> diff -u -p -u -r1.9 colrm.c
> --- usr.bin/colrm/colrm.c     27 Oct 2009 23:59:36 -0000      1.9
> +++ usr.bin/colrm/colrm.c     28 Sep 2015 20:15:11 -0000
> @@ -52,6 +52,9 @@ main(int argc, char *argv[])
>       int ch;
>       char *p;
>  
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "")) != -1)
>               switch(ch) {
>               case '?':
> Index: usr.bin/column/column.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/column/column.c,v
> retrieving revision 1.19
> diff -u -p -u -r1.19 column.c
> --- usr.bin/column/column.c   22 May 2014 19:50:34 -0000      1.19
> +++ usr.bin/column/column.c   4 Oct 2015 05:00:55 -0000
> @@ -76,6 +76,9 @@ main(int argc, char *argv[])
>       } else
>               termwidth = win.ws_col;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       tflag = xflag = 0;
>       while ((ch = getopt(argc, argv, "c:s:tx")) != -1)
>               switch(ch) {
> @@ -100,16 +103,21 @@ main(int argc, char *argv[])
>       argc -= optind;
>       argv += optind;
>  
> -     if (!*argv)
> +     if (!*argv) {
>               input(stdin);
> -     else for (; *argv; ++argv)
> -             if ((fp = fopen(*argv, "r"))) {
> -                     input(fp);
> -                     (void)fclose(fp);
> -             } else {
> -                     warn("%s", *argv);
> -                     eval = 1;
> +     } else {
> +             for (; *argv; ++argv) {
> +                     if ((fp = fopen(*argv, "r"))) {
> +                             input(fp);
> +                             (void)fclose(fp);
> +                     } else {
> +                             warn("%s", *argv);
> +                             eval = 1;
> +                     }
>               }
> +     }
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
>  
>       if (!entries)
>               exit(eval);
> Index: usr.bin/comm/comm.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/comm/comm.c,v
> retrieving revision 1.8
> diff -u -p -u -r1.8 comm.c
> --- usr.bin/comm/comm.c       27 Oct 2009 23:59:37 -0000      1.8
> +++ usr.bin/comm/comm.c       28 Sep 2015 20:15:11 -0000
> @@ -61,6 +61,9 @@ main(int argc, char *argv[])
>  
>       setlocale(LC_ALL, "");
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       flag1 = flag2 = flag3 = 1;
>       compare = strcoll;
>       while ((ch = getopt(argc, argv, "123f")) != -1)
> Index: usr.bin/csplit/csplit.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/csplit/csplit.c,v
> retrieving revision 1.5
> diff -u -p -u -r1.5 csplit.c
> --- usr.bin/csplit/csplit.c   20 May 2014 01:25:23 -0000      1.5
> +++ usr.bin/csplit/csplit.c   4 Oct 2015 05:00:49 -0000
> @@ -103,6 +103,9 @@ main(int argc, char *argv[])
>  
>       setlocale(LC_ALL, "");
>  
> +     if (tame("stdio rpath wpath cpath", NULL) == -1)
> +             err(1, "tame");
> +
>       kflag = sflag = 0;
>       prefix = "xx";
>       sufflen = 2;
> @@ -140,6 +143,8 @@ main(int argc, char *argv[])
>       if (strcmp(infn, "-") == 0) {
>               infile = stdin;
>               infn = "stdin";
> +             if (tame("stdio wpath cpath", NULL) == -1)
> +                     err(1, "tame");
>       } else if ((infile = fopen(infn, "r")) == NULL)
>               err(1, "%s", infn);
>  
> Index: usr.bin/cut/cut.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/cut/cut.c,v
> retrieving revision 1.19
> diff -u -p -u -r1.19 cut.c
> --- usr.bin/cut/cut.c 18 Aug 2015 17:10:48 -0000      1.19
> +++ usr.bin/cut/cut.c 28 Sep 2015 20:15:11 -0000
> @@ -63,6 +63,9 @@ main(int argc, char *argv[])
>  
>       setlocale (LC_ALL, "");
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       dchar = '\t';                   /* default delimiter is \t */
>  
>       /* Since we don't support multi-byte characters, the -c and -b 
> Index: usr.bin/deroff/deroff.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/deroff/deroff.c,v
> retrieving revision 1.11
> diff -u -p -u -r1.11 deroff.c
> --- usr.bin/deroff/deroff.c   9 Feb 2015 11:39:17 -0000       1.11
> +++ usr.bin/deroff/deroff.c   4 Oct 2015 05:00:40 -0000
> @@ -260,6 +260,9 @@ main(int ac, char **av)
>       int     errflg = 0;
>       int     kflag = NO;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       iflag = NO;
>       wordflag = NO;
>       msflag = NO;
> @@ -331,6 +334,8 @@ main(int ac, char **av)
>  #endif /* DEBUG */
>       if (argc == 0) {
>               infile = stdin;
> +             if (tame("stdio", NULL) == -1)
> +                     err(1, "tame");
>       } else {
>               infile = opn(argv[0]);
>               --argc;
> Index: usr.bin/diff/diff.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/diff/diff.c,v
> retrieving revision 1.59
> diff -u -p -u -r1.59 diff.c
> --- usr.bin/diff/diff.c       29 Apr 2015 04:00:25 -0000      1.59
> +++ usr.bin/diff/diff.c       28 Sep 2015 20:15:11 -0000
> @@ -217,6 +217,10 @@ main(int argc, char **argv)
>       argc -= optind;
>       argv += optind;
>  
> +     if (lflag == 0) {
> +             if (tame("stdio wpath rpath tmppath", NULL) == -1)
> +                     err(1, "tame");
> +     }
>       /*
>        * Do sanity checks, fill in stb1 and stb2 and call the appropriate
>        * driver routine.  Both drivers use the contents of stb1 and stb2.
> Index: usr.bin/diff3/diff3prog.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/diff3/diff3prog.c,v
> retrieving revision 1.15
> diff -u -p -u -r1.15 diff3prog.c
> --- usr.bin/diff3/diff3prog.c 5 Sep 2015 09:47:08 -0000       1.15
> +++ usr.bin/diff3/diff3prog.c 28 Sep 2015 20:15:11 -0000
> @@ -145,6 +145,9 @@ main(int argc, char **argv)
>  {
>       int ch, i, m, n;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       eflag = 0;
>       oflag = 0;
>       while ((ch = getopt(argc, argv, "EeXx3")) != -1) {
> Index: usr.bin/dirname/dirname.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/dirname/dirname.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 dirname.c
> --- usr.bin/dirname/dirname.c 10 Aug 2010 22:05:36 -0000      1.13
> +++ usr.bin/dirname/dirname.c 28 Sep 2015 20:15:11 -0000
> @@ -33,6 +33,9 @@ main(int argc, char *argv[])
>  
>       setlocale(LC_ALL, "");
>  
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "")) != -1) {
>               switch (ch) {
>               default:
> Index: usr.bin/expand/expand.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/expand/expand.c,v
> retrieving revision 1.12
> diff -u -p -u -r1.12 expand.c
> --- usr.bin/expand/expand.c   26 Nov 2013 13:18:55 -0000      1.12
> +++ usr.bin/expand/expand.c   28 Sep 2015 20:15:11 -0000
> @@ -51,6 +51,9 @@ main(int argc, char *argv[])
>       int c, column;
>       int n;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       /* handle obsolete syntax */
>       while (argc > 1 && argv[1][0] == '-' &&
>           isdigit((unsigned char)argv[1][1])) {
> Index: usr.bin/fgen/fgen.l
> ===================================================================
> RCS file: /cvs/src/usr.bin/fgen/fgen.l,v
> retrieving revision 1.10
> diff -u -p -u -r1.10 fgen.l
> --- usr.bin/fgen/fgen.l       30 Dec 2013 21:52:21 -0000      1.10
> +++ usr.bin/fgen/fgen.l       28 Sep 2015 20:15:11 -0000
> @@ -960,6 +960,9 @@ main(argc, argv)
>       char *hdrtype = "version1";
>       int i;
>  
> +     if (tame("stdio rpath wpath cpath", NULL) == -1)
> +             err(1, "tame");
> +
>       outf = 1; /* stdout */
>       myname = argv[0];
>  
> Index: usr.bin/file/Makefile
> ===================================================================
> RCS file: /cvs/src/usr.bin/file/Makefile,v
> retrieving revision 1.15
> diff -u -p -u -r1.15 Makefile
> --- usr.bin/file/Makefile     27 Apr 2015 13:52:17 -0000      1.15
> +++ usr.bin/file/Makefile     28 Sep 2015 20:15:11 -0000
> @@ -1,7 +1,7 @@
>  # $OpenBSD: Makefile,v 1.15 2015/04/27 13:52:17 nicm Exp $
>  
>  PROG=   file
> -SRCS=   file.c magic-dump.c magic-load.c magic-test.c magic-common.c 
> sandbox.c \
> +SRCS=   file.c magic-dump.c magic-load.c magic-test.c magic-common.c \
>       text.c xmalloc.c
>  MAN= file.1 magic.5
>  
> Index: usr.bin/file/file.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/file/file.c,v
> retrieving revision 1.48
> diff -u -p -u -r1.48 file.c
> --- usr.bin/file/file.c       2 Oct 2015 18:06:27 -0000       1.48
> +++ usr.bin/file/file.c       2 Oct 2015 18:10:55 -0000
> @@ -116,7 +116,7 @@ usage(void)
>  int
>  main(int argc, char **argv)
>  {
> -     int                      opt, pair[2], fd, idx;
> +     int                      opt, pair[2], fd, idx, mode;
>       char                    *home;
>       struct passwd           *pw;
>       struct imsgbuf           ibuf;
> @@ -192,8 +192,10 @@ main(int argc, char **argv)
>       parent = getpid();
>       if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pair) != 0)
>               err(1, "socketpair");
> -     pid = sandbox_fork(FILE_USER);
> -     if (pid == 0) {
> +     switch (pid = fork()) {
> +     case -1:
> +             err(1, "fork");
> +     case 0:
>               close(pair[0]);
>               child(pair[1], parent, argc, argv);
>       }
> @@ -220,10 +222,21 @@ main(int argc, char **argv)
>                       fd = -1;
>                       msg.error = errno;
>               } else {
> -                     fd = open(argv[idx], O_RDONLY|O_NONBLOCK);
> -                     if (fd == -1 && (errno == ENFILE || errno == EMFILE))
> -                             err(1, "open");
> -                     if (S_ISLNK(msg.sb.st_mode))
> +                     /*
> +                      * tame(2) doesn't let us pass directory file
> +                      * descriptors around but we don't need them, so don't
> +                      * open directories or symlinks (which could be to
> +                      * directories).
> +                      */
> +                     mode = msg.sb.st_mode;
> +                     if (!S_ISDIR(mode) && !S_ISLNK(mode)) {
> +                             fd = open(argv[idx], O_RDONLY|O_NONBLOCK);
> +                             if (fd == -1 &&
> +                                 (errno == ENFILE || errno == EMFILE))
> +                                     err(1, "open");
> +                     } else
> +                             fd = -1;
> +                     if (S_ISLNK(mode))
>                               read_link(&msg, argv[idx]);
>               }
>               send_message(&ibuf, &msg, sizeof msg, fd);
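Review bot: `mode` is declared `int` in the earlier hunk of this file (the `opt, pair[2], fd, idx, mode` line) but receives `msg.sb.st_mode`, which is a `mode_t`; the S_ISDIR/S_ISLNK macros still work on it, but the narrowing is gratuitous and trips -Wconversion. Declaring it `mode_t mode;` in that declaration list keeps the types aligned. Separately, for a directory the new code sends fd = -1 without setting msg.error, unlike the stat-failure branch just above; whether the child distinguishes the two cases is outside this hunk, so a one-line comment stating that a -1 fd with error 0 means "intentionally not opened" would help the next reader.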
> @@ -328,6 +341,7 @@ read_link(struct input_msg *msg, const c
>  static __dead void
>  child(int fd, pid_t parent, int argc, char **argv)
>  {
> +     struct passwd           *pw;
>       struct magic            *m;
>       struct imsgbuf           ibuf;
>       struct imsg              imsg;
> @@ -336,6 +350,24 @@ child(int fd, pid_t parent, int argc, ch
>       struct input_file        inf;
>       int                      i, idx;
>       size_t                   len, width = 0;
> +
> +     if (tame("stdio cmsg getpw proc", NULL) == -1)
> +             err(1, "tame");
> +
> +     if (geteuid() == 0) {
> +             pw = getpwnam(FILE_USER);
> +             if (pw == NULL)
> +                     errx(1, "unknown user %s", FILE_USER);
> +             if (setgroups(1, &pw->pw_gid) != 0)
> +                     err(1, "setgroups");
> +             if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0)
> +                     err(1, "setresgid");
> +             if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
> +                     err(1, "setresuid");
> +     }
> +
> +     if (tame("stdio cmsg", NULL) == -1)
> +             err(1, "tame");
>  
>       m = magic_load(magicfp, magicpath, cflag || Wflag);
>       if (cflag) {
> Index: usr.bin/file/sandbox.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/file/sandbox.c,v
> retrieving revision 1.9
> diff -u -p -u -r1.9 sandbox.c
> --- usr.bin/file/sandbox.c    23 Aug 2015 18:31:41 -0000      1.9
> +++ usr.bin/file/sandbox.c    28 Sep 2015 20:15:11 -0000
> @@ -1,158 +0,0 @@
> -/* $OpenBSD: sandbox.c,v 1.9 2015/08/23 18:31:41 guenther Exp $ */
> -
> -/*
> - * Copyright (c) 2015 Nicholas Marriott <n...@openbsd.org>
> - *
> - * Permission to use, copy, modify, and distribute this software for any
> - * purpose with or without fee is hereby granted, provided that the above
> - * copyright notice and this permission notice appear in all copies.
> - *
> - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> - * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
> - * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
> - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> - */
> -
> -#include <sys/types.h>
> -#include <sys/ioctl.h>
> -#include <sys/syscall.h>
> -#include <sys/wait.h>
> -
> -#include <dev/systrace.h>
> -
> -#include <errno.h>
> -#include <fcntl.h>
> -#include <pwd.h>
> -#include <signal.h>
> -#include <unistd.h>
> -
> -#include "file.h"
> -#include "magic.h"
> -#include "xmalloc.h"
> -
> -static const struct
> -{
> -     int syscallnum;
> -     int action;
> -} allowed_syscalls[] = {
> -     { SYS_open, SYSTR_POLICY_NEVER }, /* for strerror */
> -
> -     { SYS_close, SYSTR_POLICY_PERMIT },
> -     { SYS_exit, SYSTR_POLICY_PERMIT },
> -     { SYS_fcntl, SYSTR_POLICY_PERMIT },
> -     { SYS_fstat, SYSTR_POLICY_PERMIT },
> -     { SYS_getdtablecount, SYSTR_POLICY_PERMIT },
> -     { SYS_getentropy, SYSTR_POLICY_PERMIT },
> -     { SYS_getpid, SYSTR_POLICY_PERMIT },
> -     { SYS_getrlimit, SYSTR_POLICY_PERMIT },
> -     { SYS_issetugid, SYSTR_POLICY_PERMIT },
> -     { SYS_kbind, SYSTR_POLICY_PERMIT },
> -     { SYS_madvise, SYSTR_POLICY_PERMIT },
> -     { SYS_mmap, SYSTR_POLICY_PERMIT },
> -     { SYS_mprotect, SYSTR_POLICY_PERMIT },
> -     { SYS_mquery, SYSTR_POLICY_PERMIT },
> -     { SYS_munmap, SYSTR_POLICY_PERMIT },
> -     { SYS_read, SYSTR_POLICY_PERMIT },
> -     { SYS_recvmsg, SYSTR_POLICY_PERMIT },
> -     { SYS_sendmsg, SYSTR_POLICY_PERMIT },
> -     { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
> -     { SYS_write, SYSTR_POLICY_PERMIT },
> -
> -     { -1, -1 }
> -};
> -
> -static int
> -sandbox_find(int syscallnum)
> -{
> -     int     i;
> -
> -     for (i = 0; allowed_syscalls[i].syscallnum != -1; i++) {
> -             if (allowed_syscalls[i].syscallnum == syscallnum)
> -                     return (allowed_syscalls[i].action);
> -     }
> -     return (SYSTR_POLICY_KILL);
> -}
> -
> -static int
> -sandbox_child(const char *user)
> -{
> -     struct passwd   *pw;
> -
> -     if (geteuid() == 0) {
> -             pw = getpwnam(user);
> -             if (pw == NULL)
> -                     errx(1, "unknown user %s", user);
> -             if (setgroups(1, &pw->pw_gid) != 0)
> -                     err(1, "setgroups");
> -             if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0)
> -                     err(1, "setresgid");
> -             if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
> -                     err(1, "setresuid");
> -     }
> -
> -     if (kill(getpid(), SIGSTOP) != 0)
> -             err(1, "kill(SIGSTOP)");
> -     return (0);
> -}
> -
> -int
> -sandbox_fork(const char *user)
> -{
> -     pid_t                    pid;
> -     int                      status, devfd, fd, i;
> -     struct systrace_policy   policy;
> -
> -     switch (pid = fork()) {
> -     case -1:
> -             err(1, "fork");
> -     case 0:
> -             return (sandbox_child(user));
> -     }
> -
> -     /*
> -      * Wait for the child to stop itself with SIGSTOP before assigning the
> -      * policy, before that it might still be calling syscalls the policy
> -      * would block.
> -      */
> -     do {
> -             pid = waitpid(pid, &status, WUNTRACED);
> -     } while (pid == -1 && errno == EINTR);
> -     if (!WIFSTOPPED(status))
> -             errx(1, "child not stopped");
> -
> -     devfd = open("/dev/systrace", O_RDONLY);
> -     if (devfd == -1)
> -             err(1, "open(\"/dev/systrace\")");
> -     if (ioctl(devfd, STRIOCCLONE, &fd) == -1)
> -             err(1, "ioctl(STRIOCCLONE)");
> -     close(devfd);
> -
> -     if (ioctl(fd, STRIOCATTACH, &pid) == -1)
> -             goto out;
> -
> -     memset(&policy, 0, sizeof policy);
> -     policy.strp_op = SYSTR_POLICY_NEW;
> -     policy.strp_maxents = SYS_MAXSYSCALL;
> -     if (ioctl(fd, STRIOCPOLICY, &policy) == -1)
> -             err(1, "ioctl(STRIOCPOLICY/NEW)");
> -     policy.strp_op = SYSTR_POLICY_ASSIGN;
> -     policy.strp_pid = pid;
> -     if (ioctl(fd, STRIOCPOLICY, &policy) == -1)
> -             err(1, "ioctl(STRIOCPOLICY/ASSIGN)");
> -
> -     for (i = 0; i < SYS_MAXSYSCALL; i++) {
> -             policy.strp_op = SYSTR_POLICY_MODIFY;
> -             policy.strp_code = i;
> -             policy.strp_policy = sandbox_find(i);
> -             if (ioctl(fd, STRIOCPOLICY, &policy) == -1)
> -                     err(1, "ioctl(STRIOCPOLICY/MODIFY)");
> -     }
> -
> -out:
> -     if (kill(pid, SIGCONT) != 0)
> -             err(1, "kill(SIGCONT)");
> -     return (pid);
> -}
> Index: usr.bin/fmt/fmt.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/fmt/fmt.c,v
> retrieving revision 1.30
> diff -u -p -u -r1.30 fmt.c
> --- usr.bin/fmt/fmt.c 26 Nov 2013 13:18:55 -0000      1.30
> +++ usr.bin/fmt/fmt.c 4 Oct 2015 05:00:34 -0000
> @@ -255,6 +255,9 @@ main(int argc, char *argv[])
>  
>       (void)setlocale(LC_CTYPE, "");
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       /* 1. Grok parameters. */
>       while ((ch = getopt(argc, argv, "0123456789cd:hl:mnpst:w:")) != -1) {
>               switch (ch) {
> @@ -337,6 +340,8 @@ main(int argc, char *argv[])
>               while (argc-- > 0)
>                       process_named_file(*argv++);
>       } else {
> +             if (tame("stdio", NULL) == -1)
> +                     err(1, "tame");
>               process_stream(stdin, "standard input");
>       }
>  
> Index: usr.bin/fold/fold.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/fold/fold.c,v
> retrieving revision 1.15
> diff -u -p -u -r1.15 fold.c
> --- usr.bin/fold/fold.c       6 Feb 2015 09:10:55 -0000       1.15
> +++ usr.bin/fold/fold.c       4 Oct 2015 05:00:27 -0000
> @@ -56,6 +56,9 @@ main(int argc, char *argv[])
>       unsigned int width;
>       const char *errstr;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       width = 0;
>       lastch = '\0';
>       prevoptind = 1;
> @@ -99,14 +102,19 @@ main(int argc, char *argv[])
>       if (width == 0)
>               width = DEFLINEWIDTH;
>  
> -     if (!*argv)
> +     if (!*argv) {
> +             if (tame("stdio", NULL) == -1)
> +                     err(1, "tame");
>               fold(width);
> -     else for (; *argv; ++argv)
> -             if (!freopen(*argv, "r", stdin)) {
> -                     err(1, "%s", *argv);
> -                     /* NOTREACHED */
> -             } else
> -                     fold(width);
> +     } else {
> +             for (; *argv; ++argv) {
> +                     if (!freopen(*argv, "r", stdin))
> +                             err(1, "%s", *argv);
> +                             /* NOTREACHED */
> +                     else
> +                             fold(width);
> +             }
> +     }
>       exit(0);
>  }
>  
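Review bot: The `/* NOTREACHED */` marker in the fold.c rewrite now sits on its own line between the brace-less `if` body and the `else`, exactly where a second statement would go, so the structure only parses because it is a comment and a later edit that turns it into code would silently split the if/else. Move it onto the call it annotates, `err(1, "%s", *argv);	/* NOTREACHED */`, or keep the braces the original loop body had. The rest of the hunk (the braced `if (!*argv)` path with its narrowing `tame("stdio", NULL)`) reads fine.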
> Index: usr.bin/from/from.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/from/from.c,v
> retrieving revision 1.20
> diff -u -p -u -r1.20 from.c
> --- usr.bin/from/from.c       3 Jun 2015 18:08:54 -0000       1.20
> +++ usr.bin/from/from.c       4 Oct 2015 05:00:21 -0000
> @@ -80,6 +80,8 @@ main(int argc, char *argv[])
>                       exit(EXIT_SUCCESS);
>               err(1, "%s", file);
>       }
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
>       for (newline = 1; (linelen = getline(&line, &linesize, fp)) != -1;) {
>               if (*line == '\n') {
>                       newline = 1;
> @@ -98,6 +100,9 @@ char *
>  mail_spool(char *file, const char *user)
>  {
>       struct passwd *pwd;
> +
> +     if (tame("stdio rpath getpw", NULL) == -1)
> +             err(1, "tame");
>  
>       /*
>        * We find the mailbox by:
> Index: usr.bin/getopt/getopt.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/getopt/getopt.c,v
> retrieving revision 1.8
> diff -u -p -u -r1.8 getopt.c
> --- usr.bin/getopt/getopt.c   27 Oct 2009 23:59:38 -0000      1.8
> +++ usr.bin/getopt/getopt.c   28 Sep 2015 20:15:11 -0000
> @@ -8,6 +8,7 @@
>  #include <stdio.h>
>  #include <stdlib.h>
>  #include <unistd.h>
> +#include <err.h>
>  
>  int
>  main(int argc, char *argv[])
> @@ -16,6 +17,9 @@ main(int argc, char *argv[])
>       extern char *optarg;
>       int c;
>       int status = 0;
> +
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
>  
>       optind = 2;     /* Past the program name and the option letters. */
>       while ((c = getopt(argc, argv, argv[1])) != -1)
> Index: usr.bin/head/head.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/head/head.c,v
> retrieving revision 1.18
> diff -u -p -u -r1.18 head.c
> --- usr.bin/head/head.c       8 Oct 2014 08:31:53 -0000       1.18
> +++ usr.bin/head/head.c       4 Oct 2015 05:00:14 -0000
> @@ -55,6 +55,9 @@ main(int argc, char *argv[])
>       char    *p = NULL;
>       int     status = 0;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       /* handle obsolete -number syntax */
>       if (argc > 1 && argv[1][0] == '-' &&
>           isdigit((unsigned char)argv[1][1])) {
> @@ -87,6 +90,8 @@ main(int argc, char *argv[])
>                       if (!firsttime)
>                               exit(status);
>                       fp = stdin;
> +                     if (tame("stdio", NULL) == -1)
> +                             err(1, "tame");
>               } else {
>                       if ((fp = fopen(*argv, "r")) == NULL) {
>                               warn("%s", *argv++);
> Index: usr.bin/hexdump/hexdump.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/hexdump/hexdump.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 hexdump.c
> --- usr.bin/hexdump/hexdump.c 16 Jan 2015 06:40:08 -0000      1.17
> +++ usr.bin/hexdump/hexdump.c 28 Sep 2015 20:15:11 -0000
> @@ -33,6 +33,7 @@
>  #include <err.h>
>  #include <stdio.h>
>  #include <stdlib.h>
> +#include <unistd.h>
>  #include <string.h>
>  #include "hexdump.h"
>  
> @@ -52,6 +53,9 @@ main(int argc, char *argv[])
>  {
>       FS *tfs;
>       char *p;
> +
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
>  
>       if (!(p = strrchr(argv[0], 'o')) || strcmp(p, "od"))
>               newsyntax(argc, &argv);
> Index: usr.bin/id/id.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/id/id.c,v
> retrieving revision 1.23
> diff -u -p -u -r1.23 id.c
> --- usr.bin/id/id.c   19 May 2015 16:03:19 -0000      1.23
> +++ usr.bin/id/id.c   28 Sep 2015 20:15:11 -0000
> @@ -105,6 +105,9 @@ main(int argc, char *argv[])
>       argc -= optind;
>       argv += optind;
>  
> +     if (tame("stdio getpw", NULL) == -1)
> +             err(1, "tame");
> +
>       switch (cflag + Gflag + gflag + pflag + uflag) {
>       case 1:
>               break;
> Index: usr.bin/indent/indent.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/indent/indent.c,v
> retrieving revision 1.27
> diff -u -p -u -r1.27 indent.c
> --- usr.bin/indent/indent.c   20 Aug 2015 22:32:41 -0000      1.27
> +++ usr.bin/indent/indent.c   28 Sep 2015 20:15:11 -0000
> @@ -78,6 +78,8 @@ main(int argc, char **argv)
>  
>      int         last_else = 0;       /* true iff last keyword was an else */
>  
> +    if (tame("stdio rpath wpath cpath tmppath", NULL) == -1)
> +     err(1, "tame");
>  
>      /*-----------------------------------------------*\
>      |                      INITIALIZATION                  |
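Review bot: The `err(1, "tame");` line in the indent.c hunk appears to be indented with a single tab under a four-space-indented `if`, so it renders level with the condition instead of nested under it; the same mixed indentation shows up on the error line of the infocmp.c, pr.c and tic.c hunks, which are all four-space files. Indent the dependent statement with the file's own convention, e.g. eight spaces: `        err(1, "tame");`. This is cosmetic but makes the single-statement body easy to misread when the hunk is skimmed.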
> Index: usr.bin/infocmp/infocmp.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/infocmp/infocmp.c,v
> retrieving revision 1.20
> diff -u -p -u -r1.20 infocmp.c
> --- usr.bin/infocmp/infocmp.c 12 Jan 2010 23:22:13 -0000      1.20
> +++ usr.bin/infocmp/infocmp.c 28 Sep 2015 20:15:11 -0000
> @@ -1282,6 +1282,9 @@ main(int argc, char *argv[])
>      bool init_analyze = FALSE;
>      bool suppress_untranslatable = FALSE;
>  
> +    if (tame("stdio rpath", NULL) == -1)
> +     perror("tame");
> +
>      /* where is the terminfo database location going to default to? */
>      restdir = firstdir = 0;
>  
> Index: usr.bin/join/join.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/join/join.c,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 join.c
> --- usr.bin/join/join.c       21 Jul 2015 04:42:59 -0000      1.25
> +++ usr.bin/join/join.c       28 Sep 2015 20:15:11 -0000
> @@ -104,6 +104,9 @@ main(int argc, char *argv[])
>       int aflag, ch, cval, vflag;
>       char *end;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       F1 = &input1;
>       F2 = &input2;
>  
> Index: usr.bin/jot/jot.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/jot/jot.c,v
> retrieving revision 1.24
> diff -u -p -u -r1.24 jot.c
> --- usr.bin/jot/jot.c 21 Jul 2015 04:04:06 -0000      1.24
> +++ usr.bin/jot/jot.c 28 Sep 2015 20:15:11 -0000
> @@ -84,6 +84,9 @@ main(int argc, char *argv[])
>       int             ch;
>       const   char    *errstr;
>  
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "rb:w:cs:np:")) != -1)
>               switch (ch) {
>               case 'r':
> Index: usr.bin/lam/lam.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/lam/lam.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 lam.c
> --- usr.bin/lam/lam.c 16 Jan 2015 06:40:09 -0000      1.17
> +++ usr.bin/lam/lam.c 28 Sep 2015 20:15:11 -0000
> @@ -71,6 +71,9 @@ main(int argc, char *argv[])
>  {
>       int i;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       /* Process arguments, set numfiles to file argument count. */
>       getargs(argc, argv);
>       if (numfiles == 0)
> Index: usr.bin/lastcomm/lastcomm.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/lastcomm/lastcomm.c,v
> retrieving revision 1.21
> diff -u -p -u -r1.21 lastcomm.c
> --- usr.bin/lastcomm/lastcomm.c       15 Mar 2015 00:41:28 -0000      1.21
> +++ usr.bin/lastcomm/lastcomm.c       28 Sep 2015 20:15:11 -0000
> @@ -69,6 +69,9 @@ main(int argc, char *argv[])
>       int ch;
>       char *acctfile;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       acctfile = _PATH_ACCT;
>       while ((ch = getopt(argc, argv, "f:")) != -1)
>               switch(ch) {
> Index: usr.bin/logger/logger.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/logger/logger.c,v
> retrieving revision 1.14
> diff -u -p -u -r1.14 logger.c
> --- usr.bin/logger/logger.c   18 Apr 2015 18:28:37 -0000      1.14
> +++ usr.bin/logger/logger.c   28 Sep 2015 20:15:11 -0000
> @@ -37,6 +37,7 @@
>  #include <stdio.h>
>  #include <ctype.h>
>  #include <string.h>
> +#include <err.h>
>  
>  #define      SYSLOG_NAMES
>  #include <syslog.h>
> @@ -91,6 +92,9 @@ main(int argc, char *argv[])
>       /* setup for logging */
>       openlog(tag ? tag : getlogin(), logflags, 0);
>       (void) fclose(stdout);
> +
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
>  
>       /* log input line if appropriate */
>       if (argc > 0) {
> Index: usr.bin/logname/logname.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/logname/logname.c,v
> retrieving revision 1.7
> diff -u -p -u -r1.7 logname.c
> --- usr.bin/logname/logname.c 27 Oct 2009 23:59:40 -0000      1.7
> +++ usr.bin/logname/logname.c 28 Sep 2015 20:15:11 -0000
> @@ -46,6 +46,9 @@ main(int argc, char *argv[])
>  
>       setlocale(LC_ALL, "");
>  
> +     if (tame("stdio getpw", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "")) != -1)
>               switch (ch) {
>               case '?':
> Index: usr.bin/look/look.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/look/look.c,v
> retrieving revision 1.16
> diff -u -p -u -r1.16 look.c
> --- usr.bin/look/look.c       6 Feb 2015 23:21:59 -0000       1.16
> +++ usr.bin/look/look.c       28 Sep 2015 20:15:11 -0000
> @@ -88,6 +88,9 @@ main(int argc, char *argv[])
>       int ch, fd, termchar;
>       char *back, *file, *front, *string, *p;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       file = _PATH_WORDS;
>       termchar = '\0';
>       while ((ch = getopt(argc, argv, "dft:")) != -1)
> Index: usr.bin/mktemp/mktemp.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/mktemp/mktemp.c,v
> retrieving revision 1.20
> diff -u -p -u -r1.20 mktemp.c
> --- usr.bin/mktemp/mktemp.c   6 Aug 2013 21:56:51 -0000       1.20
> +++ usr.bin/mktemp/mktemp.c   28 Sep 2015 20:15:11 -0000
> @@ -38,6 +38,9 @@ main(int argc, char *argv[])
>       char *cp, *template, *tempfile, *prefix = _PATH_TMP;
>       size_t len;
>  
> +     if (tame("stdio wpath cpath", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "dp:qtu")) != -1)
>               switch(ch) {
>               case 'd':
> Index: usr.bin/nl/nl.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/nl/nl.c,v
> retrieving revision 1.4
> diff -u -p -u -r1.4 nl.c
> --- usr.bin/nl/nl.c   21 Jan 2015 22:28:09 -0000      1.4
> +++ usr.bin/nl/nl.c   4 Oct 2015 05:00:06 -0000
> @@ -118,6 +118,9 @@ main(int argc, char *argv[])
>  
>       (void)setlocale(LC_ALL, "");
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((c = getopt(argc, argv, "pb:d:f:h:i:l:n:s:v:w:")) != -1) {
>               switch (c) {
>               case 'p':
> @@ -204,10 +207,15 @@ main(int argc, char *argv[])
>  
>       switch (argc) {
>       case 0:
> +             /* Read from stdin. */
> +             if (tame("stdio", NULL) == -1)
> +                     err(1, "tame");
>               break;
>       case 1:
> -             if (strcmp(argv[0], "-") != 0 &&
> -                 freopen(argv[0], "r", stdin) == NULL)
> +             if (strcmp(argv[0], "-") == 0)
> +                     if (tame("stdio", NULL) == -1)
> +                             err(1, "tame");
> +             else if (freopen(argv[0], "r", stdin) == NULL)
>                       err(EXIT_FAILURE, "%s", argv[0]);
>               break;
>       default:
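Review bot: The `else` in the nl.c `case 1:` hunk binds to the inner `if (tame("stdio", NULL) == -1)`, not to the `strcmp` test, because the outer `if` has no braces. As written, a real filename argument is never `freopen()`ed and nl reads stdin instead, while an explicit `-` runs `freopen("-", "r", stdin)` after a successful tame and fails with "No such file". Brace the outer condition: `if (strcmp(argv[0], "-") == 0) {` ... `} else if (freopen(argv[0], "r", stdin) == NULL)`. Bracing the body is also the reason the fold.c hunk in this same diff added braces around its `if (!*argv)` path.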
> Index: usr.bin/nm/nm.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/nm/nm.c,v
> retrieving revision 1.47
> diff -u -p -u -r1.47 nm.c
> --- usr.bin/nm/nm.c   13 Aug 2015 19:13:28 -0000      1.47
> +++ usr.bin/nm/nm.c   3 Oct 2015 04:25:11 -0000
> @@ -211,6 +211,10 @@ main(int argc, char *argv[])
>                   posix_radix, posix_radix);
>       if (demangle)
>               pipe2cppfilt();
> +
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       argv += optind;
>       argc -= optind;
>  
> Index: usr.bin/paste/paste.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/paste/paste.c,v
> retrieving revision 1.19
> diff -u -p -u -r1.19 paste.c
> --- usr.bin/paste/paste.c     25 Nov 2014 10:20:24 -0000      1.19
> +++ usr.bin/paste/paste.c     28 Sep 2015 20:15:11 -0000
> @@ -57,6 +57,9 @@ main(int argc, char *argv[])
>       extern int optind;
>       int ch, seq;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       seq = 0;
>       while ((ch = getopt(argc, argv, "d:s")) != -1) {
>               switch (ch) {
> Index: usr.bin/pr/pr.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/pr/pr.c,v
> retrieving revision 1.36
> diff -u -p -u -r1.36 pr.c
> --- usr.bin/pr/pr.c   20 Aug 2015 22:32:41 -0000      1.36
> +++ usr.bin/pr/pr.c   28 Sep 2015 20:15:11 -0000
> @@ -140,6 +140,9 @@ main(int argc, char *argv[])
>  {
>      int ret_val;
>  
> +    if (tame("stdio rpath", NULL) == -1)
> +     perror("tame");
> +
>      if (signal(SIGINT, SIG_IGN) != SIG_IGN)
>       (void)signal(SIGINT, terminate);
>      ret_val = setup(argc, argv);
> Index: usr.bin/printenv/printenv.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/printenv/printenv.c,v
> retrieving revision 1.6
> diff -u -p -u -r1.6 printenv.c
> --- usr.bin/printenv/printenv.c       27 Oct 2009 23:59:41 -0000      1.6
> +++ usr.bin/printenv/printenv.c       28 Sep 2015 20:15:11 -0000
> @@ -32,6 +32,8 @@
>  #include <stdio.h>
>  #include <string.h>
>  #include <stdlib.h>
> +#include <unistd.h>
> +#include <err.h>
>  
>  /*
>   * printenv
> @@ -45,6 +47,9 @@ main(int argc, char *argv[])
>       extern char **environ;
>       char *cp, **ep;
>       int len;
> +
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
>  
>       if (argc < 2) {
>               for (ep = environ; *ep; ep++)
> Index: usr.bin/printf/printf.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/printf/printf.c,v
> retrieving revision 1.22
> diff -u -p -u -r1.22 printf.c
> --- usr.bin/printf/printf.c   25 May 2014 07:36:36 -0000      1.22
> +++ usr.bin/printf/printf.c   28 Sep 2015 20:15:11 -0000
> @@ -32,6 +32,7 @@
>  #include <ctype.h>
>  #include <stdio.h>
>  #include <stdlib.h>
> +#include <unistd.h>
>  #include <string.h>
>  #include <limits.h>
>  #include <locale.h>
> @@ -80,6 +81,9 @@ main(int argc, char *argv[])
>       char *format;
>  
>       setlocale (LC_ALL, "");
> +
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
>  
>       /* Need to accept/ignore "--" option. */
>       if (argc > 1 && strcmp(argv[1], "--") == 0) {
> Index: usr.bin/readlink/readlink.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/readlink/readlink.c,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 readlink.c
> --- usr.bin/readlink/readlink.c       1 May 2009 10:36:48 -0000       1.25
> +++ usr.bin/readlink/readlink.c       28 Sep 2015 20:15:11 -0000
> @@ -44,6 +44,9 @@ main(int argc, char *argv[])
>       int n, ch, nflag = 0, fflag = 0;
>       extern int optind;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "fn")) != -1)
>               switch (ch) {
>               case 'f':
> Index: usr.bin/rev/rev.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/rev/rev.c,v
> retrieving revision 1.10
> diff -u -p -u -r1.10 rev.c
> --- usr.bin/rev/rev.c 27 Oct 2009 23:59:42 -0000      1.10
> +++ usr.bin/rev/rev.c 28 Sep 2015 20:15:11 -0000
> @@ -49,6 +49,9 @@ main(int argc, char *argv[])
>       size_t len;
>       int ch, rval;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "")) != -1)
>               switch(ch) {
>               case '?':
> @@ -71,6 +74,9 @@ main(int argc, char *argv[])
>                               continue;
>                       }
>                       filename = *argv++;
> +             } else {
> +                     if (tame("stdio", NULL) == -1)
> +                             err(1, "tame");
>               }
>               while ((p = fgetln(fp, &len)) != NULL) {
>                       if (p[len - 1] == '\n')
> Index: usr.bin/rs/rs.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/rs/rs.c,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 rs.c
> --- usr.bin/rs/rs.c   20 Aug 2015 22:32:41 -0000      1.25
> +++ usr.bin/rs/rs.c   28 Sep 2015 20:15:11 -0000
> @@ -93,6 +93,9 @@ void          putfile(void);
>  int
>  main(int argc, char *argv[])
>  {
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
> +
>       getargs(argc, argv);
>       getfile();
>       if (flags & SHAPEONLY) {
> Index: usr.bin/split/split.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/split/split.c,v
> retrieving revision 1.18
> diff -u -p -u -r1.18 split.c
> --- usr.bin/split/split.c     16 Jan 2015 06:40:12 -0000      1.18
> +++ usr.bin/split/split.c     28 Sep 2015 20:15:11 -0000
> @@ -68,6 +68,9 @@ main(int argc, char *argv[])
>       char *ep, *p;
>       const char *errstr;
>  
> +     if (tame("stdio rpath wpath cpath", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "0123456789a:b:l:p:-")) != -1)
>               switch (ch) {
>               case '0': case '1': case '2': case '3': case '4':
> Index: usr.bin/stat/stat.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/stat/stat.c,v
> retrieving revision 1.18
> diff -u -p -u -r1.18 stat.c
> --- usr.bin/stat/stat.c       26 Nov 2013 21:08:12 -0000      1.18
> +++ usr.bin/stat/stat.c       28 Sep 2015 20:15:11 -0000
> @@ -158,6 +158,9 @@ main(int argc, char *argv[])
>       int lsF, fmtchar, usestat, fn, nonl, quiet;
>       char *statfmt, *options, *synopsis;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       lsF = 0;
>       fmtchar = '\0';
>       usestat = 0;
> Index: usr.bin/tail/tail.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/tail/tail.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 tail.c
> --- usr.bin/tail/tail.c       27 Oct 2009 23:59:44 -0000      1.17
> +++ usr.bin/tail/tail.c       28 Sep 2015 20:15:11 -0000
> @@ -61,6 +61,9 @@ main(int argc, char *argv[])
>       int ch, first;
>       char *p;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       /*
>        * Tail's options are weird.  First, -n10 is the same as -n-10, not
>        * -n+10.  Second, the number options are 1 based and not offsets,
> Index: usr.bin/tee/tee.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/tee/tee.c,v
> retrieving revision 1.8
> diff -u -p -u -r1.8 tee.c
> --- usr.bin/tee/tee.c 23 Apr 2013 17:48:17 -0000      1.8
> +++ usr.bin/tee/tee.c 28 Sep 2015 20:15:11 -0000
> @@ -74,6 +74,9 @@ main(int argc, char *argv[])
>  
>       setlocale(LC_ALL, "");
>  
> +     if (tame("stdio rpath wpath cpath", NULL) == -1)
> +             err(1, "tame");
> +
>       append = 0;
>       while ((ch = getopt(argc, argv, "ai")) != -1) {
>               switch(ch) {
> Index: usr.bin/tic/tic.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/tic/tic.c,v
> retrieving revision 1.31
> diff -u -p -u -r1.31 tic.c
> --- usr.bin/tic/tic.c 28 Nov 2013 18:24:55 -0000      1.31
> +++ usr.bin/tic/tic.c 30 Sep 2015 18:03:04 -0000
> @@ -499,6 +499,9 @@ main(int argc, char *argv[])
>      bool check_only = FALSE;
>      bool suppress_untranslatable = FALSE;
>  
> +    if (tame("stdio rpath cpath", NULL) == -1)
> +     perror("tame");
> +
>      log_fp = stderr;
>  
>      _nc_progname = _nc_rootname(argv[0]);
> Index: usr.bin/touch/touch.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/touch/touch.c,v
> retrieving revision 1.23
> diff -u -p -u -r1.23 touch.c
> --- usr.bin/touch/touch.c     17 Mar 2015 19:31:30 -0000      1.23
> +++ usr.bin/touch/touch.c     3 Oct 2015 04:37:51 -0000
> @@ -60,6 +60,9 @@ main(int argc, char *argv[])
>  
>       (void)setlocale(LC_ALL, "");
>  
> +     if (tame("stdio rpath wpath cpath fattr", NULL) == -1)
> +             err(1, "tame");
> +
>       aflag = cflag = mflag = timeset = 0;
>       while ((ch = getopt(argc, argv, "acd:fmr:t:")) != -1)
>               switch (ch) {
> Index: usr.bin/tr/tr.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/tr/tr.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 tr.c
> --- usr.bin/tr/tr.c   3 Jun 2014 20:57:23 -0000       1.17
> +++ usr.bin/tr/tr.c   28 Sep 2015 20:15:11 -0000
> @@ -87,6 +87,9 @@ main(int argc, char *argv[])
>       int ch, cnt, lastch, *p;
>       int cflag, dflag, sflag, isstring2;
>  
> +     if (tame("stdio", NULL) == -1)
> +             err(1, "tame");
> +
>       cflag = dflag = sflag = 0;
>       while ((ch = getopt(argc, argv, "Ccds")) != -1)
>               switch(ch) {
> Index: usr.bin/units/units.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/units/units.c,v
> retrieving revision 1.20
> diff -u -p -u -r1.20 units.c
> --- usr.bin/units/units.c     27 Nov 2013 00:13:24 -0000      1.20
> +++ usr.bin/units/units.c     28 Sep 2015 20:15:11 -0000
> @@ -23,6 +23,7 @@
>  #include <string.h>
>  #include <stdlib.h>
>  #include <unistd.h>
> +#include <err.h>
>  
>  #define UNITSFILE "/usr/share/misc/units.lib"
>  
> @@ -630,6 +631,9 @@ main(int argc, char **argv)
>  
>       extern char *optarg;
>       extern int optind;
> +
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
>  
>       while ((optchar = getopt(argc, argv, "vqf:")) != -1) {
>               switch (optchar) {
> Index: usr.bin/unvis/unvis.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/unvis/unvis.c,v
> retrieving revision 1.12
> diff -u -p -u -r1.12 unvis.c
> --- usr.bin/unvis/unvis.c     22 Jan 2014 09:45:21 -0000      1.12
> +++ usr.bin/unvis/unvis.c     28 Sep 2015 20:15:11 -0000
> @@ -43,6 +43,9 @@ main(int argc, char *argv[])
>       FILE *fp;
>       int ch;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "")) != -1)
>               switch(ch) {
>               case '?':
> Index: usr.bin/users/users.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/users/users.c,v
> retrieving revision 1.11
> diff -u -p -u -r1.11 users.c
> --- usr.bin/users/users.c     8 Oct 2014 04:11:28 -0000       1.11
> +++ usr.bin/users/users.c     28 Sep 2015 20:15:11 -0000
> @@ -53,6 +53,9 @@ main(int argc, char *argv[])
>       struct utmp utmp;
>       int ch;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "")) != -1)
>               switch(ch) {
>               case '?':
> Index: usr.bin/vacation/vacation.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/vacation/vacation.c,v
> retrieving revision 1.37
> diff -u -p -u -r1.37 vacation.c
> --- usr.bin/vacation/vacation.c       20 Aug 2015 22:32:42 -0000      1.37
> +++ usr.bin/vacation/vacation.c       3 Oct 2015 04:23:59 -0000
> @@ -49,6 +49,7 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <paths.h>
> +#include <err.h>
>  
>  /*
>   *  VACATION -- return a message to the sender when on vacation.
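Review bot: The only vacation.c hunk in this diff adds `#include <err.h>`, and no `tame()` call or other `err()`/`warn()` use is visible in the file's section, so either the hunk carrying the call was dropped from the posted diff or the include is unused. If the call exists, it would help to post it so the requested abilities can be reviewed with the rest; if it does not, the include should go. I cannot see the rest of vacation.c from here, so this is a question rather than a defect claim.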
> Index: usr.bin/vis/vis.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/vis/vis.c,v
> retrieving revision 1.17
> diff -u -p -u -r1.17 vis.c
> --- usr.bin/vis/vis.c 18 Apr 2015 18:28:38 -0000      1.17
> +++ usr.bin/vis/vis.c 28 Sep 2015 20:15:11 -0000
> @@ -55,6 +55,9 @@ main(int argc, char *argv[])
>       FILE *fp;
>       int ch;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       while ((ch = getopt(argc, argv, "anwctsobfF:ld")) != -1)
>               switch(ch) {
>               case 'a':
> Index: usr.bin/what/what.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/what/what.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 what.c
> --- usr.bin/what/what.c       22 Jan 2015 19:10:17 -0000      1.13
> +++ usr.bin/what/what.c       28 Sep 2015 20:15:11 -0000
> @@ -58,6 +58,9 @@ main(int argc, char *argv[])
>       char match[256];
>       int c;
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       matches = sflag = 0;
>       while ((c = getopt(argc, argv, "s")) != -1) {
>               switch (c) {
> Index: usr.bin/who/who.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/who/who.c,v
> retrieving revision 1.20
> diff -u -p -u -r1.20 who.c
> --- usr.bin/who/who.c 22 Aug 2013 04:43:41 -0000      1.20
> +++ usr.bin/who/who.c 28 Sep 2015 20:15:11 -0000
> @@ -72,6 +72,9 @@ main(int argc, char *argv[])
>  
>       setlocale(LC_ALL, "");
>  
> +     if (tame("stdio rpath", NULL) == -1)
> +             err(1, "tame");
> +
>       only_current_term = show_term = show_idle = show_labels = 0;
>       show_quick = 0;
>       while ((c = getopt(argc, argv, "HmqTu")) != -1) {
> Index: usr.bin/yes/yes.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/yes/yes.c,v
> retrieving revision 1.8
> diff -u -p -u -r1.8 yes.c
> --- usr.bin/yes/yes.c 27 Oct 2009 23:59:50 -0000      1.8
> +++ usr.bin/yes/yes.c 28 Sep 2015 20:15:11 -0000
> @@ -30,11 +30,15 @@
>   * SUCH DAMAGE.
>   */
>  
> +#include <unistd.h>
>  #include <stdio.h>
>  
>  int
>  main(int argc, char *argv[])
>  {
> +     if (tame("stdio", NULL) == -1)
> +             perror("tame");
> +
>       if (argc > 1)
>               for (;;)
>                       puts(argv[1]);
> Index: usr.sbin/bgpd/rde.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.339
> diff -u -p -u -r1.339 rde.c
> --- usr.sbin/bgpd/rde.c       21 Sep 2015 09:47:15 -0000      1.339
> +++ usr.sbin/bgpd/rde.c       28 Sep 2015 20:15:11 -0000
> @@ -30,6 +30,7 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <unistd.h>
> +#include <err.h>
>  
>  #include "bgpd.h"
>  #include "mrt.h"
> @@ -185,6 +186,9 @@ rde_main(int debug, int verbose)
>           setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
>           setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
>               fatal("can't drop privileges");
> +
> +     if (tame("malloc unix cmsg", NULL) == -1)
> +             err(1, "tame");
>  
>       signal(SIGTERM, rde_sighdlr);
>       signal(SIGINT, rde_sighdlr);
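Review bot: The rde.c hunk reports a tame failure with `err(1, "tame")` three lines below a `fatal("can't drop privileges")` that handles the equivalent failure in the same child, which mixes two error paths in a daemon that presumably logs through its own facility rather than stderr; using the file's own helper, `fatal("tame");`, keeps the failure visible wherever the privilege-drop failure is and makes the new `#include <err.h>` unnecessary. The same `err()`-next-to-`fatal()` pattern is in the bgpd session.c, httpd logger.c and ntpd ntp.c hunks. Whether stderr is still open in these processes is not visible from the hunk; if it is not, the `err()` message is lost.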
> Index: usr.sbin/bgpd/session.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
> retrieving revision 1.340
> diff -u -p -u -r1.340 session.c
> --- usr.sbin/bgpd/session.c   4 Aug 2015 14:46:38 -0000       1.340
> +++ usr.sbin/bgpd/session.c   28 Sep 2015 20:15:11 -0000
> @@ -219,6 +219,9 @@ session_main(int debug, int verbose)
>           setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
>               fatal("can't drop privileges");
>  
> +     if (tame("malloc inet cmsg", NULL) == -1)
> +             err(1, "tame");
> +
>       signal(SIGTERM, session_sighdlr);
>       signal(SIGINT, session_sighdlr);
>       signal(SIGPIPE, SIG_IGN);
> Index: usr.sbin/httpd/httpd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
> retrieving revision 1.39
> diff -u -p -u -r1.39 httpd.c
> --- usr.sbin/httpd/httpd.c    20 Aug 2015 13:00:23 -0000      1.39
> +++ usr.sbin/httpd/httpd.c    29 Sep 2015 09:34:57 -0000
> @@ -247,6 +247,9 @@ main(int argc, char *argv[])
>  
>       setproctitle("parent");
>  
> +     if (tame("malloc inet cmsg cpath rpath wpath proc ioctl", NULL) == -1)
> +             err(1, "tame");
> +
>       event_init();
>  
>       signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);
> Index: usr.sbin/httpd/logger.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/logger.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 logger.c
> --- usr.sbin/httpd/logger.c   20 Aug 2015 13:00:23 -0000      1.13
> +++ usr.sbin/httpd/logger.c   28 Sep 2015 20:15:11 -0000
> @@ -26,6 +26,7 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <unistd.h>
> +#include <err.h>
>  #include <fcntl.h>
>  #include <imsg.h>
>  
> @@ -70,6 +71,9 @@ logger_shutdown(void)
>  void
>  logger_init(struct privsep *ps, struct privsep_proc *p, void *arg)
>  {
> +     if (tame("malloc cmsg", NULL) == -1)
> +             err(1, "tame");
> +
>       if (config_init(ps->ps_env) == -1)
>               fatal("failed to initialize configuration");
>  
> Index: usr.sbin/httpd/server.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server.c,v
> retrieving revision 1.80
> diff -u -p -u -r1.80 server.c
> --- usr.sbin/httpd/server.c   11 Sep 2015 13:21:09 -0000      1.80
> +++ usr.sbin/httpd/server.c   3 Oct 2015 02:52:35 -0000
> @@ -38,6 +38,7 @@
>  #include <string.h>
>  #include <syslog.h>
>  #include <unistd.h>
> +#include <err.h>
>  #include <event.h>
>  #include <imsg.h>
>  #include <tls.h>
> @@ -243,6 +244,15 @@ server_init(struct privsep *ps, struct p
>  
>       /* Unlimited file descriptors (use system limits) */
>       socket_rlimit(-1);
> +
> +     /*
> +      * XXX "inet" and "unix" are only needed for fcgi, however
> +      * whether fcgi is used or not can change when the config is
> +      * reloaded.  should the parent retain these abilities, but
> +      * re-fork the children and properly tame them again on reload?
> +      */
> +     if (tame("malloc cmsg rpath proc inet unix ioctl", NULL) == -1)
> +             err(1, "tame");
>  
>  #if 0
>       /* Schedule statistics timer */
> Index: usr.sbin/ntpd/ntp.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ntpd/ntp.c,v
> retrieving revision 1.135
> diff -u -p -u -r1.135 ntp.c
> --- usr.sbin/ntpd/ntp.c       14 Aug 2015 02:00:18 -0000      1.135
> +++ usr.sbin/ntpd/ntp.c       28 Sep 2015 20:15:11 -0000
> @@ -30,6 +30,7 @@
>  #include <string.h>
>  #include <time.h>
>  #include <unistd.h>
> +#include <err.h>
>  #include <tls.h>
>  
>  #include "ntpd.h"
> @@ -164,6 +165,10 @@ ntp_main(int pipe_prnt[2], int fd_ctl, s
>               fatal("can't drop privileges");
>  
>       endservent();
> +
> +     /* XXX "dns" for constraint.c, which is forked off wrong parent? */
> +     if (tame("stdio inet dns proc", NULL) == -1)
> +             err(1, "tame");
>  
>       signal(SIGTERM, ntp_sighdlr);
>       signal(SIGINT, ntp_sighdlr);
> Index: usr.sbin/ntpd/ntpd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ntpd/ntpd.c,v
> retrieving revision 1.95
> diff -u -p -u -r1.95 ntpd.c
> --- usr.sbin/ntpd/ntpd.c      3 Oct 2015 02:47:15 -0000       1.95
> +++ usr.sbin/ntpd/ntpd.c      3 Oct 2015 02:47:28 -0000
> @@ -196,6 +196,10 @@ main(int argc, char *argv[])
>       setproctitle("[priv]");
>       readfreq();
>  
> +//   XXX missing: adjtime() to change time
> +//   if (tame("stdio unix proc", NULL) == -1)
> +//           err(1, "tame");
> +
>       signal(SIGTERM, sighdlr);
>       signal(SIGINT, sighdlr);
>       signal(SIGHUP, sighdlr);
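Review bot: The disabled tame call is committed as `//`-commented code in a file that otherwise uses `/* */` comments, and commented-out code is normally dropped rather than kept; the reason it is disabled is the useful part. A plain note such as `/* XXX not tamed yet: adjtime() is not covered by "stdio unix proc" */` carries the same information without dead code. main's body continues outside the hunk.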
> Index: usr.sbin/portmap/portmap.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/portmap/portmap.c,v
> retrieving revision 1.45
> diff -u -p -u -r1.45 portmap.c
> --- usr.sbin/portmap/portmap.c        13 Sep 2015 15:44:47 -0000      1.45
> +++ usr.sbin/portmap/portmap.c        4 Oct 2015 01:00:35 -0000
> @@ -246,6 +246,9 @@ main(int argc, char *argv[])
>       }
>       endpwent();
>  
> +     if (tame("stdio rpath inet proc", NULL) == -1)
> +             err(1, "tame");
> +
>       if (svc_register(xprt, PMAPPROG, PMAPVERS, reg_service, FALSE) == 0) {
>               syslog(LOG_ERR, "svc_register failed.");
>               exit(1);
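Review bot: Failure is reported with `err(1, "tame")` while the adjacent `svc_register` failure two lines below goes through `syslog(LOG_ERR, ...)` and `exit(1)`; if main has already detached from the terminal at this point, the err() message is lost. `syslog(LOG_ERR, "tame: %m"); exit(1);` matches the existing style. The same applies to the tame call in callit below. main's body continues outside the hunk.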
> @@ -604,6 +607,10 @@ callit(struct svc_req *rqstp, SVCXPRT *x
>                           a.rmt_prog);
>               return;
>       }
> +
> +     if (tame("stdio rpath inet", NULL) == -1)
> +             err(1, "tame");
> +
>       port = pml->pml_map.pm_port;
>       get_myaddress(&me);
>       me.sin_port = htons(port);
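Review bot: This second, narrower tame set drops `proc`, which is irreversible for the process it runs in; the hunk does not show whether callit runs here in a forked per-request child or in the main daemon, and that distinction decides whether the daemon can still fork afterwards. A one-line comment at the call, such as `/* child only: no further fork() needed, drop "proc" */` if that is indeed the case, would make the intent checkable. callit's body continues outside the hunk.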
> Index: usr.sbin/relayd/ca.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/ca.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 ca.c
> --- usr.sbin/relayd/ca.c      2 May 2015 13:15:24 -0000       1.13
> +++ usr.sbin/relayd/ca.c      28 Sep 2015 20:15:11 -0000
> @@ -23,6 +23,7 @@
>  #include <unistd.h>
>  #include <string.h>
>  #include <stdlib.h>
> +#include <err.h>
>  #include <imsg.h>
>  
>  #include <openssl/bio.h>
> @@ -73,6 +74,9 @@ ca(struct privsep *ps, struct privsep_pr
>  void
>  ca_init(struct privsep *ps, struct privsep_proc *p, void *arg)
>  {
> +     if (tame("malloc rw cmsg", NULL) == -1)
> +             err(1, "tame");
> +
>       if (config_init(ps->ps_env) == -1)
>               fatal("failed to initialize configuration");
>  
> Index: usr.sbin/syslogd/syslogd.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.190
> diff -u -p -u -r1.190 syslogd.c
> --- usr.sbin/syslogd/syslogd.c        29 Sep 2015 03:19:23 -0000      1.190
> +++ usr.sbin/syslogd/syslogd.c        29 Sep 2015 03:42:24 -0000
> @@ -593,6 +593,9 @@ main(int argc, char *argv[])
>       if (priv_init(ConfFile, NoDNS, lockpipe[1], nullfd, argv) < 0)
>               errx(1, "unable to privsep");
>  
> +     if (tame("malloc rpath unix inet cmsg", NULL) == -1)
> +             err(1, "tame");
> +
>       /* Process is now unprivileged and inside a chroot */
>       event_init();
>  
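Review bot: The tame call is inserted ahead of the comment `/* Process is now unprivileged and inside a chroot */`, which describes the state priv_init just established and the state this tame set is chosen for; placing the call below that comment (or moving the comment up to precede it) keeps the reading order privsep, chroot, then tame. Reporting via `err(1, "tame")` is consistent with the `errx` used for the priv_init failure just above. main's body continues outside the hunk.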
> 
