authorflorian <florian@openbsd.org>2019-04-30 11:09:11 +0000
committerflorian <florian@openbsd.org>2019-04-30 11:09:11 +0000
commit585ff104d5c3c555f41551a82fe12b15f184dfec (patch)
tree4df36121405fb2a903c9db5d6548c85e19bac0f5
parentDon't redraw control clients, from George Nachman. (diff)
Restrict file system access to /var/db for the dhclient lease files.
This and pledge("rpath") can go once we switch to RTM_PROPOSAL.
-rw-r--r--sbin/unwind/unwind.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/sbin/unwind/unwind.c b/sbin/unwind/unwind.c
index 54d5e90fea3..d9e499286bd 100644
--- a/sbin/unwind/unwind.c
+++ b/sbin/unwind/unwind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: unwind.c,v 1.23 2019/04/02 07:47:23 florian Exp $ */
+/* $OpenBSD: unwind.c,v 1.24 2019/04/30 11:09:11 florian Exp $ */
/*
* Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -307,6 +307,9 @@ main(int argc, char *argv[])
main_imsg_compose_frontend_fd(IMSG_ROUTESOCK, 0, frontend_routesock);
main_imsg_send_config(main_conf);
+ if (unveil(LEASE_DB_DIR, "r") == -1)
+ fatal("unveil");
+
if (pledge("stdio inet dns rpath sendfd", NULL) == -1)
fatal("pledge");
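Review bot: The added `unveil(LEASE_DB_DIR, "r")` ahead of the `pledge()` call has no comment saying why the main process still needs file-system reads or that the grant is meant to be temporary; only the commit message records that. I would put `/* XXX dhclient lease files; drop together with "rpath" once RTM_PROPOSAL is used */` directly above it. The grant is on the directory, so everything under LEASE_DB_DIR that this process can read stays reachable, not only the lease files, and the comment should say so to keep anyone from assuming a tighter scope. The unveil list is not locked explicitly; it depends on the following `pledge()` leaving out the "unveil" promise, which holds in the visible promise string but needs re-checking whenever that string is edited. `main()` starts and ends outside the hunk.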