On Tue, Oct 13, 2015 at 05:29:37PM -0400, Rob Pierce wrote: > More restrictive pledge(s) can be done if tmpdir is equal or subordinate to > _PATH_TMP by using the "tmppath" request instead of the "wpath cpath" duo. > > For now just do the obvious repledge after the fork/execvp and drop proc > and exec. > > Rob > > Index: sdiff.c > =================================================================== > RCS file: /cvs/src/usr.bin/sdiff/sdiff.c,v > retrieving revision 1.33 > diff -u -p -r1.33 sdiff.c > --- sdiff.c 10 Oct 2015 19:03:08 -0000 1.33 > +++ sdiff.c 13 Oct 2015 21:16:47 -0000 > @@ -314,6 +314,9 @@ main(int argc, char **argv) > err(2, "could not fork"); > } > > + if (pledge("stdio rpath wpath cpath", NULL) == -1) > + err(1, "pledge"); > + > /* parent */ > /* We don't write to the pipe. */ > close(fd[1]);
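Review bot: the new pledge failure path exits with status 1 (`err(1, "pledge")`) while the fork failure two lines above it exits with 2 (`err(2, "could not fork")`); since sdiff follows the diff(1) convention where 1 means "files differ" and 2 means "trouble", a caller scripting on the exit status would misread a pledge failure as a successful comparison with differences. Suggest `err(2, "pledge");` for consistency with the adjacent error path. The placement itself looks right: the call sits after the fork and before the `/* parent */` block, so only the parent is narrowed and the child's execvp of diff is unaffected, but the "wpath cpath" set will still need to account for where the -o output file lives before it can be tightened to "tmppath".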
I forgot to mention that we also need to consider the location of the output file if the "-o" option is specified when considering tmppath or wpath/cpath in the pledge(s).