The first unveil userland commit!

unveil _PATH_LOGIN_CONF (/etc/login.conf) which is used by
login_getclass(3) and family before doing password encode.  This
is the only filename used by the program during runtime, everything
else happens on stdin/stdout.

diff --git a/usr.bin/encrypt/encrypt.c b/usr.bin/encrypt/encrypt.c
index 797bf39..48e1d54 100644 (file)
--- a/usr.bin/encrypt/encrypt.c
+++ b/usr.bin/encrypt/encrypt.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: encrypt.c,v 1.48 2018/08/03 04:19:34 deraadt Exp $    */
+/*     $OpenBSD: encrypt.c,v 1.49 2018/08/03 04:47:56 deraadt Exp $    */
 
 /*
  * Copyright (c) 1996, Jason Downs.  All rights reserved.
@@ -95,6 +95,8 @@ main(int argc, char **argv)
        char *extra = NULL;     /* Store login class or number of rounds */
        const char *errstr;
 
+       if (unveil(_PATH_LOGIN_CONF, "r") == -1)
+               err(1, "unveil");
        if (pledge("stdio rpath tty", NULL) == -1)
                err(1, "pledge");