author | 2015-10-23 05:27:17 +0000 | |
---|---|---|
committer | 2015-10-23 05:27:17 +0000 | |
commit | 8a46da9a1712493a20c0ef7df935a41a6af17789 (patch) | |
tree | cf16f09defff2c22fdb9380c94b8c863674e1f0e | |
parent | Fix waitpid() loop again: do the errno check only if waitpid() returns -1 (diff) | |
Initial pledge of netcat - unfortunately flawed because fiddling the rtableid
in a socket option can be pretty scary and there is no better interface for this.
So if the -V option is used you get no pledge at all. Otherwise, do what
works for the various options. Still needs refinement for tls to drop rpath,
and a better solution for the routing table stuff
-rw-r--r-- | usr.bin/nc/netcat.c | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index 9fc825b5d8e..df0aed9e382 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.139 2015/10/11 00:26:23 guenther Exp $ */
+/* $OpenBSD: netcat.c,v 1.140 2015/10/23 05:27:17 beck Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -310,6 +310,28 @@ main(int argc, char *argv[])
 	argc -= optind;
 	argv += optind;
 
+	if (rtableid >= 0) {
+		/*
+		 * XXX No pledge if doing rtable manipulation!
+		 * XXX the routing table stuff is dangerous and can't be pledged.
+		 * XXX rtable should really have a better interface than sockopt
+		 */
+	}
+	else if (family == AF_UNIX) {
+		if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
+			err(1, "pledge");
+	}
+	else if (Fflag) {
+		if (pledge("stdio inet dns sendfd", NULL) == -1)
+			err(1, "pledge");
+	}
+	else if (usetls) {
+		if (pledge("stdio rpath inet dns", NULL) == -1)
+			err(1, "pledge");
+	}
+	else if (pledge("stdio inet dns", NULL) == -1)
+		err(1, "pledge");
+
 	/* Cruft to make sure options are clean, and used properly. */
 	if (argv[0] && !argv[1] && family == AF_UNIX) {
 		host = argv[0];
@@ -337,6 +359,10 @@ main(int argc, char *argv[])
 		errx(1, "cannot use -c and -u");
 	if ((family == AF_UNIX) && usetls)
 		errx(1, "cannot use -c and -U");
+	if ((family == AF_UNIX) && Fflag)
+		errx(1, "cannot use -F and -U");
+	if (Fflag && usetls)
+		errx(1, "cannot use -c and -F");
 	if (TLSopt && !usetls)
 		errx(1, "you must specify -c to use TLS options");
 	if (Cflag && !usetls)
|
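Review bot: The new pledge chain in the second hunk puts each `}` and the following `else if` on separate lines, which departs from the cuddled `} else if (...) {` form used by KNF/style(9) in the rest of the OpenBSD tree; writing `} else if (family == AF_UNIX) {` (and likewise for the `Fflag` and `usetls` branches) keeps the file consistent. The empty first branch is only a comment block, so a reader skimming the chain can miss that `rtableid >= 0` is the one path that runs with no pledge at all; a one-line comment before the `if`, such as `/* -V (rtableid) runs unpledged: see XXX below */`, would make that visible at the top of the chain. The pledge is also applied before the option-conflict checks in the third hunk, which is fine as written since those paths only need `stdio` to `errx`, but the ordering is worth a short comment so a later check that needs more than that is not added below the pledge by accident. main() starts and ends outside these hunks.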