whois uses dns to lookup whois servers, and then opens sockets to them.

it does not need to open any files, so we can tame with "stdio dns inet". i think florian and i did this about 2 months ago.
author: deraadt <deraadt@openbsd.org> 2015-10-03 01:33:20 +0000
committer: deraadt <deraadt@openbsd.org> 2015-10-03 01:33:20 +0000
commit: ba0f1efa8c5d7712b713ba4b885b1e208484a6c8 (patch)
tree: d2d8e7a93b1b9e6cfd07347529343c573745a1c3 /usr.bin
parent: even before it reaches getopt(), this program will never do more than (diff)
download: wireguard-openbsd-ba0f1efa8c5d7712b713ba4b885b1e208484a6c8.tar.xz
wireguard-openbsd-ba0f1efa8c5d7712b713ba4b885b1e208484a6c8.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/usr.bin/whois/whois.c b/usr.bin/whois/whois.c
index 18b9a8c8c07..a88660c757b 100644
--- a/usr.bin/whois/whois.c
+++ b/usr.bin/whois/whois.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: whois.c,v 1.48 2015/08/17 10:48:10 sthen Exp $   */
+/*      $OpenBSD: whois.c,v 1.49 2015/10/03 01:33:20 deraadt Exp $   */
 
 /*
  * Copyright (c) 1980, 1993
@@ -138,6 +138,9 @@ main(int argc, char *argv[])
 	if (!argc || (country != NULL && host != NULL))
 		usage();
 
+	if (tame("stdio dns inet", NULL) == -1)
+		err(1, "tame");
+
 	if (host == NULL && country == NULL && !(flags & WHOIS_QUICK))
 		flags |= WHOIS_RECURSE;
 	for (name = *argv; (name = *argv) != NULL; argv++)
author	deraadt <deraadt@openbsd.org>	2015-10-03 01:33:20 +0000
committer	deraadt <deraadt@openbsd.org>	2015-10-03 01:33:20 +0000
commit	ba0f1efa8c5d7712b713ba4b885b1e208484a6c8 (patch)
tree	d2d8e7a93b1b9e6cfd07347529343c573745a1c3 /usr.bin
parent	even before it reaches getopt(), this program will never do more than (diff)
download	wireguard-openbsd-ba0f1efa8c5d7712b713ba4b885b1e208484a6c8.tar.xz wireguard-openbsd-ba0f1efa8c5d7712b713ba4b885b1e208484a6c8.zip