From 51f938311eff88d43414960acea6d92a89022362 Mon Sep 17 00:00:00 2001
From: semarie
Date: Sun, 11 Oct 2015 16:19:48 +0000
Subject: [PATCH] add a missed check for PLEDGE_RPATH when reading a file. ok deraadt@
---
 sys/kern/kern_pledge.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index 037ec1b4e09..cf6dbccc907 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.14 2015/10/11 16:01:06 deraadt Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.15 2015/10/11 16:19:48 semarie Exp $ */
 /*
 * Copyright (c) 2015 Nicholas Marriott
@@ -600,6 +600,11 @@ pledge_namei(struct proc *p, char *origpath)
 break;
 }
+ /* ensure PLEDGE_RPATH request for doing read */
+ if ((p->p_pledgenote & TMN_RPATH) &&
+ (p->p_p->ps_pledge & PLEDGE_RPATH) == 0)
+ return (pledge_fail(p, EPERM, PLEDGE_RPATH));
+
 /*
 * If a whitelist is set, compare canonical paths. Anything
 * not on the whitelist gets ENOENT.
-- 
2.20.1
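Review bot: The new PLEDGE_RPATH check in the second hunk sits after the block closed by the `break; }` context lines, so any path inside that block that returns early never reaches it; that block is outside the hunk, so whether every such early exit is meant to be exempt from the rpath requirement cannot be confirmed here and is worth stating in the comment. The comment itself is hard to parse; something like `/* a lookup noted as a read (TMN_RPATH) is only allowed if the process pledged PLEDGE_RPATH */` says what is being enforced. The hunk also does not show whether the other p_pledgenote bits are checked against ps_pledge in the same way, and a regression test that opens a file read-only without the rpath promise would keep this check from being missed again. pledge_namei() starts and ends outside the hunk.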