An early pledge takes away many risk factors during spool opening/parsing.

This is worthwhile keeping, so add "unveil" to defer unveil(2) calls.
After various special cases are handled (including files which are anywhere
in the filesystem), unveil() to the specific file only.

diff --git a/usr.bin/from/from.c b/usr.bin/from/from.c
index bd2bd69..9a185af 100644 (file)
--- a/usr.bin/from/from.c
+++ b/usr.bin/from/from.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: from.c,v 1.25 2017/05/31 19:41:30 millert Exp $       */
+/*     $OpenBSD: from.c,v 1.26 2018/08/08 17:52:46 deraadt Exp $       */
 /*     $NetBSD: from.c,v 1.6 1995/09/01 01:39:10 jtc Exp $     */
 
 /*
@@ -74,10 +74,16 @@ main(int argc, char *argv[])
        }
        argv += optind;
 
-       if (pledge("stdio rpath getpw", NULL) == -1)
+       if (pledge("stdio unveil rpath getpw", NULL) == -1)
                err(1, "pledge");
 
        file = mail_spool(file, *argv);
+
+       if (unveil(file, "r") == -1)
+               err(1, "unveil");
+       if (pledge("stdio rpath getpw", NULL) == -1)
+               err(1, "pledge");
+
        if ((fp = fopen(file, "r")) == NULL) {
                if (!fflag && errno == ENOENT)
                        exit(EXIT_SUCCESS);