preservation modes can adjust setugid bits, so no pledge is possible.

Otherwise, lay the groundwork for whether a gzip program may be run or not.
After such a gzip program is started, pledge the program will not exec
again.  Took a few iterations to get this going... it is looking good.
with guenther.

diff --git a/bin/pax/ar_io.c b/bin/pax/ar_io.c
index 15d94ec..1d9717c 100644 (file)
--- a/bin/pax/ar_io.c
+++ b/bin/pax/ar_io.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ar_io.c,v 1.50 2015/03/22 03:15:00 guenther Exp $     */
+/*     $OpenBSD: ar_io.c,v 1.51 2015/10/12 05:05:24 deraadt Exp $      */
 /*     $NetBSD: ar_io.c,v 1.5 1996/03/26 23:54:13 mrg Exp $    */
 
 /*-
@@ -1260,6 +1260,10 @@ ar_start_gzip(int fd, const char *path, int wr)
                        dup2(fds[0], fd);
                close(fds[0]);
                close(fds[1]);
+
+               if (pledge("stdio rpath wpath cpath fattr getpw ioctl proc",
+                   NULL) == -1)
+                       err(1, "pledge");
        } else {
                if (wr) {
                        dup2(fds[0], STDIN_FILENO);

diff --git a/bin/pax/pax.c b/bin/pax/pax.c
index edb08ca..fd39924 100644 (file)
--- a/bin/pax/pax.c
+++ b/bin/pax/pax.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pax.c,v 1.41 2015/03/09 04:23:29 guenther Exp $       */
+/*     $OpenBSD: pax.c,v 1.42 2015/10/12 05:05:24 deraadt Exp $        */
 /*     $NetBSD: pax.c,v 1.5 1996/03/26 23:54:20 mrg Exp $      */
 
 /*-
@@ -256,6 +256,23 @@ main(int argc, char **argv)
        if ((gen_init() < 0) || (tty_init() < 0))
                return(exit_val);
 
+       /*
+        * pmode needs to restore setugid bits when extracting or copying,
+        * so can't tame at all then.
+        */
+       if (pmode == 0 || (act != EXTRACT && act != COPY)) {
+               if (pledge("stdio rpath wpath cpath fattr getpw ioctl proc exec",
+                   NULL) == -1)
+                       err(1, "pledge");
+
+               /* Copy mode, or no gzip -- don't need to fork/exec. */
+               if (gzip_program == NULL || act == COPY) {
+                       if (pledge("stdio rpath wpath fattr cpath getpw ioctl",
+                           NULL) == -1)
+                               err(1, "pledge");
+               }
+       }
+
        /*
         * select a primary operation mode
         */