authorderaadt <deraadt@openbsd.org>2015-10-08 14:02:09 +0000
committerderaadt <deraadt@openbsd.org>2015-10-08 14:02:09 +0000
commita828131d9d6ce41785bc8cfec20e7459b52e3378 (patch)
tree2282ccb74dd709d6a97b0e339d0e323f4eea60bd
parentMake sure that when trunk_port_ioctl is called to set a new (diff)
portmap's main process can be tame "stdio rpath inet proc"; proc is
for the callit interface needing to fork, and parent needing to wait. That child can drop to "stdio rpath inet". It is possible some libc/rpc codepath has not yet been figured out, but committing it is the best way to get it tested. Tested what I could myself, but no one answered my call for testing...
-rw-r--r--usr.sbin/portmap/portmap.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/usr.sbin/portmap/portmap.c b/usr.sbin/portmap/portmap.c
index c5bf395eb3b..4259e357668 100644
--- a/usr.sbin/portmap/portmap.c
+++ b/usr.sbin/portmap/portmap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: portmap.c,v 1.45 2015/09/13 15:44:47 guenther Exp $ */
+/* $OpenBSD: portmap.c,v 1.46 2015/10/08 14:02:09 deraadt Exp $ */
/*-
* Copyright (c) 1996, 1997 Theo de Raadt (OpenBSD). All rights reserved.
@@ -246,6 +246,9 @@ main(int argc, char *argv[])
}
endpwent();
+ if (tame("stdio rpath inet proc", NULL) == -1)
+ err(1, "tame");
+
if (svc_register(xprt, PMAPPROG, PMAPVERS, reg_service, FALSE) == 0) {
syslog(LOG_ERR, "svc_register failed.");
exit(1);
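Review bot: A failure of the new `tame()` call in `main()` is reported with `err(1, "tame")`, which writes to stderr, while the `svc_register` failure directly below it uses `syslog(LOG_ERR, ...)` followed by `exit(1)`. If the process has already detached from its terminal at this point (not visible in the hunk), the message is lost and the daemon exits without a record that the sandbox could not be installed. `syslog(LOG_ERR, "tame: %m"); exit(1);` would match the surrounding error handling. The same applies to the `tame()` call added in `callit()`. main's body starts and ends outside the hunk.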
@@ -604,6 +607,10 @@ callit(struct svc_req *rqstp, SVCXPRT *xprt)
a.rmt_prog);
return;
}
+
+ if (tame("stdio rpath inet", NULL) == -1)
+ err(1, "tame");
+
port = pml->pml_map.pm_port;
get_myaddress(&me);
me.sin_port = htons(port);
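Review bot: The second `tame()` call in `callit()` carries no comment explaining why its promise set is narrower than the one in `main()`; that rationale exists only in the commit message. A one-line comment above it, such as `/* forked child: never forks again, so drop "proc" */`, would keep the reason next to the code and make a later widening of the set easier to question in review. That this point is reached only in the child is inferred from the `return;` closing the preceding block, since the fork itself is outside the hunk. callit's body starts and ends outside the hunk.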