From 583f2eaf559dc685b563c5e2327a61a2e1f2f1bd Mon Sep 17 00:00:00 2001
From: tedu
Date: Fri, 4 Feb 2022 17:50:28 +0000
Subject: [PATCH] whitelist resolv.conf for stat. go dns library does this. ok deraadt

---
 sys/kern/kern_pledge.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index 6687bf91f09..b876b91a18a 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_pledge.c,v 1.278 2022/01/20 03:43:30 jsg Exp $	*/
+/*	$OpenBSD: kern_pledge.c,v 1.279 2022/02/04 17:50:28 tedu Exp $	*/
 
 /*
  * Copyright (c) 2015 Nicholas Marriott
@@ -733,12 +733,17 @@ pledge_namei(struct proc *p, struct nameidata *ni, char *origpath)
 
 		break;
 	case SYS_stat:
-		/* DNS needs /etc/resolv.conf. */
+		/* DNS needs /etc/{resolv.conf,hosts}. */
 		if ((ni->ni_pledge == PLEDGE_RPATH) &&
-		    (pledge & PLEDGE_DNS) &&
-		    strcmp(path, "/etc/resolv.conf") == 0) {
-			ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
-			return (0);
+		    (pledge & PLEDGE_DNS)) {
+			if (strcmp(path, "/etc/resolv.conf") == 0) {
+				ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
+				return (0);
+			}
+			if (strcmp(path, "/etc/hosts") == 0) {
+				ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
+				return (0);
+			}
 		}
 		break;
 	}
-- 
2.20.1
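Review bot: The two new `if` blocks inside the SYS_stat case have identical bodies, so the whitelist reads more clearly as one condition, `if (strcmp(path, "/etc/resolv.conf") == 0 || strcmp(path, "/etc/hosts") == 0) {` with a single `ni->ni_cnd.cn_flags |= BYPASSUNVEIL; return (0);` body, which also keeps the shape of the single-path check it replaces and makes any later addition a one-line change. The subject line says "whitelist resolv.conf for stat" while the path the hunk actually adds is /etc/hosts (resolv.conf was already allowed on the removed side), so the subject appears to name the wrong file. The unveil bypass remains gated on `ni_pledge == PLEDGE_RPATH` and `PLEDGE_DNS`, so the widened set is still read-only stat access for dns-pledged processes. pledge_namei starts and ends outside the hunk.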