From 274633a250d07ee3e60b585100a6332e4c206592 Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Wed, 4 Jan 2017 09:21:26 +0000
Subject: If find(1) may end up calling execve(2), it needs "proc exec" in
 addition to its other promises.  Previously, find ran unpledged if the
 -exec{,dir} or -ok primaries were specified: the tame(2) calls for find(1)
 were added a few days before the "exec" promise was implemented and these
 code paths were never revisited.

ok millert
---
 usr.bin/find/find.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/usr.bin/find/find.c b/usr.bin/find/find.c
index ace199bbb54..e8f3db9f046 100644
--- a/usr.bin/find/find.c
+++ b/usr.bin/find/find.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: find.c,v 1.21 2017/01/03 21:31:16 tedu Exp $	*/
+/*	$OpenBSD: find.c,v 1.22 2017/01/04 09:21:26 tb Exp $	*/
 
 /*-
  * Copyright (c) 1991, 1993
@@ -162,6 +162,15 @@ find_execute(PLAN *plan,	/* search plan */
 			if (pledge("stdio rpath getpw", NULL) == -1)
 				err(1, "pledge");
 		}
+	} else {
+		if (isdelete) {
+			if (pledge("stdio rpath cpath getpw proc exec", NULL)
+			    == -1)
+				err(1, "pledge");
+		} else {
+			if (pledge("stdio rpath getpw proc exec", NULL) == -1)
+				err(1, "pledge");
+		}
 	}
 
 	rval = 0;
-- 
cgit v1.2.3-59-g8ed1b