Hi tech@,

spamdb(8) can pledge(2) for "stdio rpath wpath flock", and the "flock" permission can be dropped after "/var/db/spamd" is opened with dbopen(3).

Index: spamdb.c
===================================================================
RCS file: /cvs/src/usr.sbin/spamdb/spamdb.c,v
retrieving revision 1.29
diff -u -p -u -r1.29 spamdb.c
--- spamdb.c    24 Nov 2013 01:06:19 -0000      1.29
+++ spamdb.c    24 Oct 2015 20:23:24 -0000
@@ -276,6 +276,9 @@ main(int argc, char **argv)
        HASHINFO        hashinfo;
        DB              *db;

+       if (pledge("stdio rpath wpath flock", NULL) == -1)
+               err(1, "pledge");
+
        while ((ch = getopt(argc, argv, "adtT")) != -1) {
                switch (ch) {
                case 'a':
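Review bot: The new pledge() call ahead of the getopt loop lists four promises with no comment on why each is needed, so a later reader cannot tell which ones are safe to drop. A one-line comment above it would record the intent, for example `/* rpath wpath flock: needed only until PATH_SPAMD_DB is opened by dbopen(3) */`. Because the call is made before option parsing, "wpath" is also granted when the database ends up being opened only for reading. That is a reasonable trade-off for pledging early, but worth stating in the comment. main() starts and continues outside this hunk.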
@@ -307,6 +310,9 @@ main(int argc, char **argv)
                err(1, "cannot open %s for %s", PATH_SPAMD_DB,
                    action ? "writing" : "reading");
        }
+
+       if (pledge("stdio rpath wpath", NULL) == -1)
+               err(1, "pledge");

        switch (action) {
        case 0:
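Review bot: The second pledge() after the dbopen() error check still keeps "rpath wpath", although from this point the program appears to work only through the already-open DB handle. If nothing under the action switch opens a file by path, this could likely be tightened to `if (pledge("stdio", NULL) == -1)`, leaving no filesystem access while the database contents are processed. That needs checking against the code reached from the switch, which lies outside this hunk, and against whether the db(3) hash backend opens any auxiliary file on sync or close.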

Best regards,
Ricardo Mestre
