From 5c94ac0a208933b6c3eb0fd2dadba23dbb0cc137 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Tue, 13 Oct 2015 15:43:19 +0000
Subject: [PATCH] oops, a chown appears late on the code. to satisfy this pledge "stdio rpath wpath cpath getpw fattr proc" early on; "proc fattr" allows doing work with other uids on the file. after opening the db, do the chown (replace with fchown since we know fd) and then pledge "stdio rpath"; "rpath" due to tmpfile rename() at the end. mistake spotted by mpi
---
 usr.sbin/kvm_mkdb/kvm_mkdb.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/usr.sbin/kvm_mkdb/kvm_mkdb.c b/usr.sbin/kvm_mkdb/kvm_mkdb.c
index 156cd5711c2..6fc60649ff1 100644
--- a/usr.sbin/kvm_mkdb/kvm_mkdb.c
+++ b/usr.sbin/kvm_mkdb/kvm_mkdb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kvm_mkdb.c,v 1.21 2015/10/12 16:01:53 deraadt Exp $ */
+/* $OpenBSD: kvm_mkdb.c,v 1.22 2015/10/13 15:43:19 deraadt Exp $ */
 /*-
 * Copyright (c) 1990, 1993
@@ -75,7 +75,8 @@ main(int argc, char *argv[])
 warn("can't set rlimit data size");
 }
- if (pledge("stdio rpath wpath cpath getpw", NULL) == -1)
+ /* getpwnam() and fchown() later */
+ if (pledge("stdio rpath wpath cpath getpw fattr proc", NULL) == -1)
 err(1, "pledge");
 strlcpy(dbdir, _PATH_VARDB, sizeof(dbdir));
@@ -163,6 +164,19 @@ kvm_mkdb(int fd, const char *dbdir, char *nlistpath, char *nlistname,
 warn("can't dbopen %s", dbtemp);
 return(1);
 }
+
+ if ((gr = getgrnam("kmem")) == NULL) {
+ warn("can't find kmem group");
+ } else if (fchown(db->fd(db), -1, gr->gr_gid)) {
+ warn("can't chown %s", dbtemp);
+ (void)unlink(dbtemp);
+ return(1);
+ }
+
+ /* rename() later */
+ if (pledge("stdio cpath", NULL) == -1)
+ err(1, "pledge");
+
 if (create_knlist(nlistpath, fd, db) != 0) {
 warn("cannot determine executable type of %s", nlistpath);
 (void)unlink(dbtemp);
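Review bot: The comment above the widened `pledge()` in main() (hunk `@@ -75,7 +75,8 @@`) does not account for every promise it adds: it names getpwnam() and fchown(), but the lookup this patch relocates is getgrnam(), and nothing in the code says why `proc` is held. This is the broadest promise set the program runs with, so each promise should be traceable to a call, for example `/* getpw: getgrnam("kmem"); fattr: fchown(); proc: <reason>; all dropped after dbopen */`. If no call between here and the second pledge actually needs `proc`, it would be better left out. main() continues outside the hunk, so a getpwnam() call may exist there that the visible lines do not show.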
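Review bot: The narrowed call `pledge("stdio cpath", NULL)` in hunk `@@ -163,6 +164,19 @@` disagrees with the commit description, which says the second pledge is "stdio rpath". The code looks like the correct side, since the path operations still visible after it are rename() and the `unlink(dbtemp)` error paths, both of which need cpath; the comment could record that as `/* rename() and unlink() of dbtemp later need cpath */`. Separately, `err(1, "pledge")` exits after dbtemp has been created and skips the `(void)unlink(dbtemp)` that the neighbouring failure paths perform, so a failed pledge would leave the temporary file behind; `warn("pledge"); (void)unlink(dbtemp); return(1);` would match them. kvm_mkdb() starts and ends outside this hunk, so whether create_knlist() needs anything beyond stdio cannot be checked from here.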
@@ -174,13 +188,6 @@ kvm_mkdb(int fd, const char *dbdir, char *nlistpath, char *nlistname,
 return(1);
 }
- if ((gr = getgrnam("kmem")) == NULL) {
- warn("can't find kmem group");
- } else if (chown(dbtemp, -1, gr->gr_gid)) {
- warn("can't chown %s", dbtemp);
- (void)unlink(dbtemp);
- return(1);
- }
 if (rename(dbtemp, dbname)) {
 warn("rename %s to %s", dbtemp, dbname);
 (void)unlink(dbtemp);
--
2.20.1