authorderaadt <deraadt@openbsd.org>2015-11-05 23:43:33 +0000
committerderaadt <deraadt@openbsd.org>2015-11-05 23:43:33 +0000
commitc2ca84083975d3f3a674b34234ff9d1810209dbb (patch)
treef179a277b046aa0206f2d1d98ff8022fc117ad4d
parentAfter removing National Language Support (NLS) from base, stop (diff)
These NDINIT run out of the context of the process doing execve,
so PS_PLEDGE is active. PLEDGE_EXEC must be noted for the namei operations, so that the action is understood by the namei check code.
-rw-r--r--sys/compat/common/compat_util.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/compat/common/compat_util.c b/sys/compat/common/compat_util.c
index 9f188d154e4..4579891ba1a 100644
--- a/sys/compat/common/compat_util.c
+++ b/sys/compat/common/compat_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat_util.c,v 1.16 2015/03/14 03:38:46 jsg Exp $ */
+/* $OpenBSD: compat_util.c,v 1.17 2015/11/05 23:43:33 deraadt Exp $ */
/* $NetBSD: compat_util.c,v 1.4 1996/03/14 19:31:45 christos Exp $ */
/*
@@ -41,6 +41,7 @@
#include <sys/malloc.h>
#include <sys/signalvar.h>
#include <sys/vnode.h>
+#include <sys/pledge.h>
#include <uvm/uvm_extern.h>
@@ -105,6 +106,7 @@ emul_find(struct proc *p, caddr_t *sgp, const char *prefix,
*cp = '\0';
NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, buf, p);
+ nd.ni_pledge = PLEDGE_EXEC;
if ((error = namei(&nd)) != 0)
goto bad;
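Review bot: The new `nd.ni_pledge = PLEDGE_EXEC;` has no comment, and nothing at the call site explains why a plain LOOKUP is tagged as exec. The reason is only in the commit message: the lookup runs in the context of the process doing execve, so PS_PLEDGE is active and the namei check needs to know the operation belongs to exec. A one-line comment above the assignment would keep that visible, for example `/* runs on behalf of execve under PS_PLEDGE; mark the lookup as exec for namei's pledge check */`. The same applies to the assignments in the next two hunks. The body of emul_find starts and ends outside this hunk.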
@@ -112,6 +114,7 @@ emul_find(struct proc *p, caddr_t *sgp, const char *prefix,
*cp = '/';
} else {
NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, buf, p);
+ nd.ni_pledge = PLEDGE_EXEC;
if ((error = namei(&nd)) != 0)
goto bad;
@@ -126,6 +129,7 @@ emul_find(struct proc *p, caddr_t *sgp, const char *prefix,
*/
/* XXX: prototype should have const here for NDINIT */
NDINIT(&ndroot, LOOKUP, FOLLOW, UIO_SYSSPACE, prefix, p);
+ nd.ni_pledge = PLEDGE_EXEC;
if ((error = namei(&ndroot)) != 0)
goto bad2;
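Review bot: The added line assigns `nd.ni_pledge`, but the lookup here is `namei(&ndroot)`, on the nameidata that `NDINIT(&ndroot, ...)` has just initialised. `ndroot.ni_pledge` therefore never gets PLEDGE_EXEC. Going by the commit message, the namei check code then has no record that this prefix lookup is part of exec, so a pledged process would presumably be refused here even though the two earlier lookups pass. The line should read `ndroot.ni_pledge = PLEDGE_EXEC;`. The rest of emul_find is outside the hunk, so it is not possible to tell from here whether the stray write to `nd` affects a later use.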