add some tame calls. we may need a bunch of permissions to create files

and manipulate the tty for readpassphrase, but once we've parsed options
and have some idea of what's going to happen next, we can reduce down
quite a bit more. particular use case of "signify | patch" is limited to
feeding garbage to patch.

diff --git a/usr.bin/signify/signify.c b/usr.bin/signify/signify.c
index 06d28da..ec80973 100644 (file)
--- a/usr.bin/signify/signify.c
+++ b/usr.bin/signify/signify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: signify.c,v 1.100 2015/01/16 06:16:12 tedu Exp $ */
+/* $OpenBSD: signify.c,v 1.101 2015/10/08 16:45:50 tedu Exp $ */
 /*
  * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
  *
@@ -663,6 +663,8 @@ main(int argc, char **argv)
                VERIFY
        } verb = NONE;
 
+       if (tame("stdio rpath wpath cpath tty", NULL) == -1)
+               err(1, "tame");
 
        rounds = 42;
 
@@ -722,6 +724,30 @@ main(int argc, char **argv)
        argc -= optind;
        argv += optind;
 
+       switch (verb) {
+       case GENERATE:
+       case SIGN:
+               /* keep it all */
+               break;
+       case CHECK:
+               if (tame("stdio rpath", NULL) == -1)
+                       err(1, "tame");
+               break;
+       case VERIFY:
+               if (embedded && (!msgfile || strcmp(msgfile, "-") != 0)) {
+                       if (tame("stdio rpath wpath cpath", NULL) == -1)
+                               err(1, "tame");
+               } else {
+                       if (tame("stdio rpath", NULL) == -1)
+                               err(1, "tame");
+               }
+               break;
+       default:
+               if (tame("stdio", NULL) == -1)
+                       err(1, "tame");
+               break;
+       }
+
 #ifndef VERIFYONLY
        if (verb == CHECK) {
                if (!sigfile)