From 872aa40061f74843b17033e4a5e03135e58206d1 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Mon, 8 Aug 2022 01:53:01 +0000
Subject: [PATCH] Before ypconnect(2) addition, "getpw" was a horrible "hole" that triggered on libc trying to open /var/run/ypbind.lock, so pledge had to BYPASSUNVEIL accesses to this file. We accepted the opening of that file for a small period for build cross-over, but that waiting period ends now.
---
 sys/kern/kern_pledge.c | 23 +----------------------
 1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index d3bbe227cf6..f2378fc07d4 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.291 2022/08/02 11:04:25 deraadt Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.292 2022/08/08 01:53:01 deraadt Exp $ */
 
 /*
 * Copyright (c) 2015 Nicholas Marriott
@@ -656,16 +656,6 @@ pledge_namei(struct proc *p, struct nameidata *ni, char *origpath)
 ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
 return (0);
 }
- /*
- * XXX delete before 7.2.
- * Old static binaries may try this file in getpwent and friends
- */
- if ((ni->ni_pledge == PLEDGE_RPATH) &&
- (pledge & PLEDGE_GETPW) &&
- strcmp(path, "/var/run/ypbind.lock") == 0) {
- ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
- return (0);
- }
 break;
 case SYS_open:
 /* daemon(3) or other such functions */
@@ -723,17 +713,6 @@ pledge_namei(struct proc *p, struct nameidata *ni, char *origpath)
 }
 }
 
- /*
- * XXX delete before 7.2.
- * Old static binaries may try this file in getpwent and friends
- */
- if ((ni->ni_pledge == PLEDGE_RPATH) &&
- (pledge & PLEDGE_GETPW) &&
- strcmp(path, "/var/run/ypbind.lock") == 0) {
- ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
- return (0);
- }
-
 /* tzset() needs these. */
 if ((ni->ni_pledge == PLEDGE_RPATH) &&
 strncmp(path, "/usr/share/zoneinfo/",
-- 
2.20.1