From 86ca8ce6117043c23d18f374055d5effc2a3cf9d Mon Sep 17 00:00:00 2001
From: tedu
Date: Thu, 8 Oct 2015 16:45:50 +0000
Subject: [PATCH] add some tame calls. we may need a bunch of permissions to create files and manipulate the tty for readpassphrase, but once we've parsed options and have some idea of what's going to happen next, we can reduce down quite a bit more. particular use case of "signify | patch" is limited to feeding garbage to patch.
---
 usr.bin/signify/signify.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/usr.bin/signify/signify.c b/usr.bin/signify/signify.c
index 06d28dae022..ec80973a5b0 100644
--- a/usr.bin/signify/signify.c
+++ b/usr.bin/signify/signify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: signify.c,v 1.100 2015/01/16 06:16:12 tedu Exp $ */
+/* $OpenBSD: signify.c,v 1.101 2015/10/08 16:45:50 tedu Exp $ */
 /*
 * Copyright (c) 2013 Ted Unangst
 *
@@ -663,6 +663,8 @@ main(int argc, char **argv)
 VERIFY
 } verb = NONE;
+ if (tame("stdio rpath wpath cpath tty", NULL) == -1)
+ err(1, "tame");
 rounds = 42;
@@ -722,6 +724,30 @@ main(int argc, char **argv)
 argc -= optind;
 argv += optind;
+ switch (verb) {
+ case GENERATE:
+ case SIGN:
+ /* keep it all */
+ break;
+ case CHECK:
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+ break;
+ case VERIFY:
+ if (embedded && (!msgfile || strcmp(msgfile, "-") != 0)) {
+ if (tame("stdio rpath wpath cpath", NULL) == -1)
+ err(1, "tame");
+ } else {
+ if (tame("stdio rpath", NULL) == -1)
+ err(1, "tame");
+ }
+ break;
+ default:
+ if (tame("stdio", NULL) == -1)
+ err(1, "tame");
+ break;
+ }
+
 #ifndef VERIFYONLY
 if (verb == CHECK) {
 if (!sigfile)
--
2.20.1
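Review bot: The first `tame` call in `main`, placed right after the `verb` declaration, has no comment saying why `tty`, `wpath` and `cpath` are requested before any option has been parsed. The commit message gives the reason (creating files and handling the tty for readpassphrase), and that reason belongs next to the call, for example `/* tty for readpassphrase, wpath/cpath to create output files; narrowed once the verb is known */`. `main` begins and ends outside this hunk.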
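Review bot: The VERIFY case of the new `switch (verb)` chooses its promise set from `embedded && (!msgfile || strcmp(msgfile, "-") != 0)` without a comment, and per the commit message this is the branch that sits in front of untrusted input. Presumably the wider set is kept because an embedded message is written out to a file unless `msgfile` is `-`; a comment such as `/* embedded message is written to a file: still need to create and write it */` would make that explicit. The `!msgfile` arm also keeps `wpath cpath`, and the reason is not visible in this hunk, so it deserves a word in the same comment. GENERATE and SIGN keep `tty` and every path promise for the rest of the run; the `/* keep it all */` comment could say whether a later reduction, once the passphrase has been read, is intended. `main` continues past the end of the hunk.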