From: tedu Date: Thu, 8 Oct 2015 16:45:50 +0000 (+0000) Subject: add some tame calls. we may need a bunch of permissions to create files X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=86ca8ce6117043c23d18f374055d5effc2a3cf9d;p=openbsd add some tame calls. we may need a bunch of permissions to create files and manipulate the tty for readpassphrase, but once we've parsed options and have some idea of what's going to happen next, we can reduce down quite a bit more. particular use case of "signify | patch" is limited to feeding garbage to patch. --- diff --git a/usr.bin/signify/signify.c b/usr.bin/signify/signify.c index 06d28dae022..ec80973a5b0 100644 --- a/usr.bin/signify/signify.c +++ b/usr.bin/signify/signify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: signify.c,v 1.100 2015/01/16 06:16:12 tedu Exp $ */ +/* $OpenBSD: signify.c,v 1.101 2015/10/08 16:45:50 tedu Exp $ */ /* * Copyright (c) 2013 Ted Unangst * @@ -663,6 +663,8 @@ main(int argc, char **argv) VERIFY } verb = NONE; + if (tame("stdio rpath wpath cpath tty", NULL) == -1) + err(1, "tame"); rounds = 42; @@ -722,6 +724,30 @@ main(int argc, char **argv) argc -= optind; argv += optind; + switch (verb) { + case GENERATE: + case SIGN: + /* keep it all */ + break; + case CHECK: + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + break; + case VERIFY: + if (embedded && (!msgfile || strcmp(msgfile, "-") != 0)) { + if (tame("stdio rpath wpath cpath", NULL) == -1) + err(1, "tame"); + } else { + if (tame("stdio rpath", NULL) == -1) + err(1, "tame"); + } + break; + default: + if (tame("stdio", NULL) == -1) + err(1, "tame"); + break; + } + #ifndef VERIFYONLY if (verb == CHECK) { if (!sigfile)
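Review bot: The first `tame("stdio rpath wpath cpath tty", NULL)` call at the top of main has no comment saying why the set is this wide, so the reason lives only in the commit message. Something like `/* widest set any verb needs (file creation, tty for readpassphrase); narrowed after getopt */` above the call would tie it to the later reduction. If a VERIFYONLY build never reaches the passphrase path (the `#ifndef VERIFYONLY` further down suggests so, but that code is not visible here), the `tty` promise could be left out of that build. main starts and ends outside this hunk.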
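Review bot: The VERIFY arm keeps `wpath cpath` when `embedded` is set and `msgfile` is unset or not `-`, but nothing in the switch says why, so a reader has to infer that this is presumably the one verification path that creates an output file. A comment above the condition would pin it down, e.g. `/* embedded message is written to a file unless output is "-" */`, and `/* keep it all */` could name what is kept: `/* readpassphrase needs tty; key and signature files are created */`. Separately, the CHECK and VERIFY arms still hold `rpath` for the rest of the run, which includes parsing untrusted signature and message data. If VERIFY opens its inputs before parsing them (that code is outside this hunk), a further drop to `"stdio"` at that point would confine the parser more tightly. main's body continues past the end of the hunk.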