whitelist resolv.conf for stat. go dns library does this.
author tedu <tedu@openbsd.org>
Fri, 4 Feb 2022 17:50:28 +0000 (17:50 +0000)
committer tedu <tedu@openbsd.org>
Fri, 4 Feb 2022 17:50:28 +0000 (17:50 +0000)
ok deraadt

sys/kern/kern_pledge.c

index 6687bf9..b876b91 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_pledge.c,v 1.278 2022/01/20 03:43:30 jsg Exp $   */
+/*     $OpenBSD: kern_pledge.c,v 1.279 2022/02/04 17:50:28 tedu Exp $  */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -733,12 +733,17 @@ pledge_namei(struct proc *p, struct nameidata *ni, char *origpath)
 
                break;
        case SYS_stat:
-               /* DNS needs /etc/resolv.conf. */
+               /* DNS needs /etc/{resolv.conf,hosts}. */
                if ((ni->ni_pledge == PLEDGE_RPATH) &&
-                   (pledge & PLEDGE_DNS) &&
-                   strcmp(path, "/etc/resolv.conf") == 0) {
-                       ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
-                       return (0);
+                   (pledge & PLEDGE_DNS)) {
+                       if (strcmp(path, "/etc/resolv.conf") == 0) {
+                               ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
+                               return (0);
+                       }
+                       if (strcmp(path, "/etc/hosts") == 0) {
+                               ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
+                               return (0);
+                       }
                }
                break;
        }
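Review bot: The two added branches under `(pledge & PLEDGE_DNS)` are identical except for the path literal, so the whitelist reads better and grows more easily as one condition, `if (strcmp(path, "/etc/resolv.conf") == 0 || strcmp(path, "/etc/hosts") == 0) {` followed by the single `BYPASSUNVEIL` assignment and `return (0);`. The bypass is keyed on an exact string compare of `path`, so spellings such as `/etc//hosts` do not qualify; that is fail-closed and matches the existing resolv.conf check, but a one-line comment saying the match is deliberately exact would stop a later maintainer from "fixing" it with a path-normalising compare. The updated comment could also carry the rationale from the commit title, e.g. `/* DNS needs /etc/{resolv.conf,hosts}; resolvers stat them (Go's does) to notice updates. */` — the "notice updates" part is inferred from the commit message, not from the visible code. Only `SYS_stat` is covered by this case label; whether other stat variants need the same treatment is not visible here. The enclosing pledge_namei() function and its switch start before this hunk.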