ntpd unveils the cert.pem "r" file (which is passed-over-socket to the

author deraadt <deraadt@openbsd.org>

Wed, 8 Aug 2018 22:56:42 +0000 (22:56 +0000)

committer deraadt <deraadt@openbsd.org>

Wed, 8 Aug 2018 22:56:42 +0000 (22:56 +0000)
author deraadt <deraadt@openbsd.org>
Wed, 8 Aug 2018 22:56:42 +0000 (22:56 +0000)
committer deraadt <deraadt@openbsd.org>
Wed, 8 Aug 2018 22:56:42 +0000 (22:56 +0000)
diff --git a/usr.sbin/ntpd/ntpd.c b/usr.sbin/ntpd/ntpd.c

index 664fff4..cb6bc13 100644 (file)
--- a/usr.sbin/ntpd/ntpd.c
+++ b/usr.sbin/ntpd/ntpd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ntpd.c,v 1.115 2018/08/04 11:07:14 mestre Exp $ */
+/*     $OpenBSD: ntpd.c,v 1.116 2018/08/08 22:56:42 deraadt Exp $ */
  
  /*
   * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -244,6 +244,10 @@ main(int argc, char *argv[])
          * Constraint processes are forked with certificates in memory,
          * then privdrop into chroot before speaking to the outside world.
          */
+       if (unveil("/etc/ssl/cert.pem", "r") == -1)
+               err(1, "unveil");
+       if (unveil("/usr/sbin/ntpd", "x") == -1)
+               err(1, "unveil");
         if (pledge("stdio rpath inet settime proc exec id", NULL) == -1)
                 err(1, "pledge");
author	deraadt <deraadt@openbsd.org>
	Wed, 8 Aug 2018 22:56:42 +0000 (22:56 +0000)
committer	deraadt <deraadt@openbsd.org>
	Wed, 8 Aug 2018 22:56:42 +0000 (22:56 +0000)