promise and only pledge("stdio inet") since from here until the end of the
program we will only exchange packets through sockets.
After a discussion with deraadt@ about adding privdrop to it we came to the
conclusion that the easiest and sane solution is just to reduce pledge(2)
instead of adding a ton of code to chroot the child that is already forbidden
to access the filesystem anyway.
-/* $OpenBSD: ntp.c,v 1.33 2015/01/16 06:40:20 deraadt Exp $ */
+/* $OpenBSD: ntp.c,v 1.34 2018/08/18 15:25:20 mestre Exp $ */
/*
* Copyright (c) 1996, 1997 by N.M. Maclaren. All rights reserved.
/*NOTREACHED*/
}
+ if (pledge("stdio inet", NULL) == -1)
+ err(1, "pledge");
+
corrleaps = leapflag;
if (corrleaps)
ntpleaps_init();
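Review bot: the new pledge("stdio inet", NULL) call sits above the `if (corrleaps) ntpleaps_init();` context lines, so ntpleaps_init() now runs under the reduced promise set. Its body is not part of this hunk. If it opens a leap-seconds table or touches the filesystem in any other way, the process will be killed whenever leap correction is requested. Either confirm that it needs nothing beyond stdio, or move the pledge below the ntpleaps_init() call.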
-/* $OpenBSD: rfc868time.c,v 1.10 2015/01/16 06:40:20 deraadt Exp $ */
+/* $OpenBSD: rfc868time.c,v 1.11 2018/08/18 15:25:20 mestre Exp $ */
/* $NetBSD: rdate.c,v 1.4 1996/03/16 12:37:45 pk Exp $ */
/*
/*NOTREACHED*/
}
+ if (pledge("stdio inet", NULL) == -1)
+ err(1, "pledge");
+
s = -1;
for (res = res0; res; res = res->ai_next) {
s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
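Review bot: the pledge added before `s = -1;` leaves only "stdio inet" from this point on, and because promises can only be reduced, that restriction also applies to the caller after this function returns. "inet" covers the socket() call in the loop below, but if the calling path still sets or adjusts the clock with the fetched time, it needs the "settime" promise, which is gone by then. Please check the caller before this goes in, and consider a one-line comment above the pledge saying why only these two promises remain.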