From: deraadt <deraadt@openbsd.org>
Date: Fri, 9 Oct 2015 03:50:40 +0000 (+0000)
Subject: Once the constraint engine process is running, it only needs
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=d2f9ff44a45d9074406d6472b1311c0e9d77e94d;p=openbsd

Once the constraint engine process is running, it only needs
"stdio inet".  It took weeks to get to this point...
---

diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c
index cf924416cdd..8fc2cca84b1 100644
--- a/usr.sbin/ntpd/constraint.c
+++ b/usr.sbin/ntpd/constraint.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: constraint.c,v 1.17 2015/09/10 13:49:48 beck Exp $	*/
+/*	$OpenBSD: constraint.c,v 1.18 2015/10/09 03:50:40 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -38,6 +38,7 @@
 #include <unistd.h>
 #include <time.h>
 #include <tls.h>
+#include <err.h>
 
 #include "log.h"
 #include "ntpd.h"
@@ -197,6 +198,9 @@ constraint_query(struct constraint *cstr)
 	case 0:
 		setproctitle("constraint from %s", hname);
 
+		if (pledge("stdio inet", NULL) == -1)
+			err(1, "pledge");
+
 		/* Child process */
 		if (dup2(pipes[1], CONSTRAINT_PASSFD) == -1)
 			fatal("%s dup2 CONSTRAINT_PASSFD", __func__);