pledge() pony and lookup

ok deraadt@

diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c
index eacbc05..fd127ad 100644 (file)
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: lka.c,v 1.176 2015/10/02 00:28:30 gilles Exp $        */
+/*     $OpenBSD: lka.c,v 1.177 2015/10/14 19:39:16 gilles Exp $        */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -514,6 +514,9 @@ lka(void)
        /* Ignore them until we get our config */
        mproc_disable(p_pony);
 
+       if (pledge("stdio rpath inet dns getpw recvfd", NULL) == -1)
+               err(1, "pledge");
+
        if (event_dispatch() < 0)
                fatal("event_dispatch");
        lka_shutdown();

diff --git a/usr.sbin/smtpd/pony.c b/usr.sbin/smtpd/pony.c
index 0b04986..ca12d05 100644 (file)
--- a/usr.sbin/smtpd/pony.c
+++ b/usr.sbin/smtpd/pony.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pony.c,v 1.7 2015/01/20 17:37:54 deraadt Exp $        */
+/*     $OpenBSD: pony.c,v 1.8 2015/10/14 19:39:16 gilles Exp $ */
 
 /*
  * Copyright (c) 2014 Gilles Chehade <gilles@poolp.org>
@@ -215,6 +215,9 @@ pony(void)
 
        ca_engine_init();
 
+       if (pledge("stdio inet unix recvfd sendfd", NULL) == -1)
+               err(1, "pledge");
+
        if (event_dispatch() < 0)
                fatal("event_dispatch");
        pony_shutdown();