unveil(2) is easy since this only uses one directory tree

(containing no exterior pointing symlinks), and a file. In snaps for about 2 months.
author: deraadt <deraadt@openbsd.org> 2018-09-24 22:55:50 +0000
committer: deraadt <deraadt@openbsd.org> 2018-09-24 22:55:50 +0000
commit: 0d7a8dda145c7ee2b6bf27eb32ba006661795181 (patch)
tree: b98ad297913ccceddf79ad2db2b3a307f89b63e4 /usr.sbin/makefs
parent: unveil(2) in getty. This has been in snaps for more than 2 months, (diff)
download: wireguard-openbsd-0d7a8dda145c7ee2b6bf27eb32ba006661795181.tar.xz
wireguard-openbsd-0d7a8dda145c7ee2b6bf27eb32ba006661795181.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.sbin/makefs/makefs.c b/usr.sbin/makefs/makefs.c
index 8946e424926..5b8b4ed823b 100644
--- a/usr.sbin/makefs/makefs.c
+++ b/usr.sbin/makefs/makefs.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: makefs.c,v 1.19 2016/12/17 16:12:15 krw Exp $	*/
+/*	$OpenBSD: makefs.c,v 1.20 2018/09/24 22:55:50 deraadt Exp $	*/
 /*	$NetBSD: makefs.c,v 1.53 2015/11/27 15:10:32 joerg Exp $	*/
 
 /*
@@ -198,6 +198,10 @@ main(int argc, char *argv[])
 	if (argc != 2)
 		usage();
 
+	if (unveil(argv[0], "rwc") == -1)
+		err(1, "unveil");
+	if (unveil(argv[1], "rw") == -1)
+		err(1, "unveil");
 	if (pledge("stdio rpath wpath cpath", NULL) == -1)
 		err(1, "pledge");
author	deraadt <deraadt@openbsd.org>	2018-09-24 22:55:50 +0000
committer	deraadt <deraadt@openbsd.org>	2018-09-24 22:55:50 +0000
commit	0d7a8dda145c7ee2b6bf27eb32ba006661795181 (patch)
tree	b98ad297913ccceddf79ad2db2b3a307f89b63e4 /usr.sbin/makefs
parent	unveil(2) in getty. This has been in snaps for more than 2 months, (diff)
download	wireguard-openbsd-0d7a8dda145c7ee2b6bf27eb32ba006661795181.tar.xz wireguard-openbsd-0d7a8dda145c7ee2b6bf27eb32ba006661795181.zip