From: deraadt <deraadt@openbsd.org>
Date: Wed, 8 Aug 2018 22:59:33 +0000 (+0000)
Subject: lockspool only plays with files in _PATH_MAILDIR, so unveil that path.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=3f17513ba25378f9929a8bd35042003be3f0f209;p=openbsd

lockspool only plays with files in _PATH_MAILDIR, so unveil that path.
---

diff --git a/libexec/lockspool/lockspool.c b/libexec/lockspool/lockspool.c
index 4192929f47f..6f21c08b100 100644
--- a/libexec/lockspool/lockspool.c
+++ b/libexec/lockspool/lockspool.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: lockspool.c,v 1.18 2015/11/24 00:19:29 deraadt Exp $	*/
+/*	$OpenBSD: lockspool.c,v 1.19 2018/08/08 22:59:33 deraadt Exp $	*/
 
 /*
  * Copyright (c) 1998 Theo de Raadt <deraadt@theos.com>
@@ -32,6 +32,7 @@
 #include <unistd.h>
 #include <errno.h>
 #include <stdio.h>
+#include <paths.h>
 #include <stdlib.h>
 #include <poll.h>
 #include <err.h>
@@ -52,6 +53,8 @@ main(int argc, char *argv[])
 	char *from, c;
 	int holdfd;
 
+	if (unveil(_PATH_MAILDIR, "rwc") == -1)
+		err(1, "unveil");
 	if (pledge("stdio rpath wpath getpw cpath fattr", NULL) == -1)
 		err(1, "pledge");