From: deraadt
Date: Thu, 8 Oct 2015 14:02:09 +0000 (+0000)
Subject: portmap's main process can be tame "stdio rpath inet proc"; proc is
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=a828131d9d6ce41785bc8cfec20e7459b52e3378;p=openbsd

portmap's main process can be tame "stdio rpath inet proc"; proc is for the callit interface needing to fork, and parent needing to wait. That child can drop to "stdio rpath inet". It is possible some libc/rpc codepath has not yet been figured out, but committing it is the best way to get it tested. Tested what I could myself, but no one answered my call for testing...
---
diff --git a/usr.sbin/portmap/portmap.c b/usr.sbin/portmap/portmap.c index c5bf395eb3b..4259e357668 100644 --- a/usr.sbin/portmap/portmap.c +++ b/usr.sbin/portmap/portmap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: portmap.c,v 1.45 2015/09/13 15:44:47 guenther Exp $ */ +/* $OpenBSD: portmap.c,v 1.46 2015/10/08 14:02:09 deraadt Exp $ */ /*- * Copyright (c) 1996, 1997 Theo de Raadt (OpenBSD). All rights reserved. @@ -246,6 +246,9 @@ main(int argc, char *argv[]) } endpwent(); + if (tame("stdio rpath inet proc", NULL) == -1) + err(1, "tame"); + if (svc_register(xprt, PMAPPROG, PMAPVERS, reg_service, FALSE) == 0) { syslog(LOG_ERR, "svc_register failed."); exit(1); @@ -604,6 +607,10 @@ callit(struct svc_req *rqstp, SVCXPRT *xprt) a.rmt_prog); return; } + + if (tame("stdio rpath inet", NULL) == -1) + err(1, "tame"); + port = pml->pml_map.pm_port; get_myaddress(&me); me.sin_port = htons(port);
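Review bot: in the main() hunk (@@ -246,6 +246,9 @@) the tame failure path reports with err(1, "tame"), while the svc_register failure directly below it reports with syslog(LOG_ERR, ...) followed by exit(1). If stderr is not attached to anything at this point in main(), a tame failure ends the daemon with no record of why. Suggest reporting it the same way as the neighbouring check, for example syslog(LOG_ERR, "tame: %m") and exit(1). The reason "proc" is in the promise string is given only in the commit message (callit needs to fork and the parent needs to wait); a one-line comment above the call would keep that visible to whoever next tightens the list.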
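Review bot: in the callit() hunk (@@ -604,6 +607,10 @@) nothing at the call site says that tame("stdio rpath inet", NULL) is meant to run in the forked child only; the commit message states it, but the hunk's visible context (the return above, port = pml->pml_map.pm_port below) does not show which process reaches this line. Suggest a short comment above the call saying that the child drops "proc" here and that the parent keeps it in order to wait, so a later reshuffle of callit() does not move the call into a path the parent also executes. The drop is also placed after the check that ends in the preceding return; if the child already exists at that point, making the tame call the child's first statement would cover that check too. The err(1, "tame") failure path is inconsistent with the syslog-based reporting visible elsewhere in this diff.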