Once the constraint engine process is running, it only needs

"stdio inet". It took weeks to get to this point...
author: deraadt <deraadt@openbsd.org> 2015-10-09 03:50:40 +0000
committer: deraadt <deraadt@openbsd.org> 2015-10-09 03:50:40 +0000
commit: d2f9ff44a45d9074406d6472b1311c0e9d77e94d (patch)
tree: 5a5d18b10ff9c0754f5e664da636bd4636c1b16f
parent: stardate 93370.16: a whitespace appears to have entered our quadrant... (diff)
download: wireguard-openbsd-d2f9ff44a45d9074406d6472b1311c0e9d77e94d.tar.xz
wireguard-openbsd-d2f9ff44a45d9074406d6472b1311c0e9d77e94d.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c
index cf924416cdd..8fc2cca84b1 100644
--- a/usr.sbin/ntpd/constraint.c
+++ b/usr.sbin/ntpd/constraint.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: constraint.c,v 1.17 2015/09/10 13:49:48 beck Exp $	*/
+/*	$OpenBSD: constraint.c,v 1.18 2015/10/09 03:50:40 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -38,6 +38,7 @@
 #include <unistd.h>
 #include <time.h>
 #include <tls.h>
+#include <err.h>
 
 #include "log.h"
 #include "ntpd.h"
@@ -197,6 +198,9 @@ constraint_query(struct constraint *cstr)
 	case 0:
 		setproctitle("constraint from %s", hname);
 
+		if (pledge("stdio inet", NULL) == -1)
+			err(1, "pledge");
+
 		/* Child process */
 		if (dup2(pipes[1], CONSTRAINT_PASSFD) == -1)
 			fatal("%s dup2 CONSTRAINT_PASSFD", __func__);
author	deraadt <deraadt@openbsd.org>	2015-10-09 03:50:40 +0000
committer	deraadt <deraadt@openbsd.org>	2015-10-09 03:50:40 +0000
commit	d2f9ff44a45d9074406d6472b1311c0e9d77e94d (patch)
tree	5a5d18b10ff9c0754f5e664da636bd4636c1b16f
parent	stardate 93370.16: a whitespace appears to have entered our quadrant... (diff)
download	wireguard-openbsd-d2f9ff44a45d9074406d6472b1311c0e9d77e94d.tar.xz wireguard-openbsd-d2f9ff44a45d9074406d6472b1311c0e9d77e94d.zip