From b75a4ace29fd2ad326ccc156a7669b8687b4ce54 Mon Sep 17 00:00:00 2001 From: deraadt Date: Tue, 15 Aug 2023 13:50:53 +0000 Subject: [PATCH] ldd can pledge "stdio rpath proc exec prot_exec". We can later bifurbicate at the dlopen vs execve split, dropping either "proc" or "prot_exec". ok gnezdo --- libexec/ld.so/ldd/ldd.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libexec/ld.so/ldd/ldd.c b/libexec/ld.so/ldd/ldd.c index f8f208652d2..375a646db36 100644 --- a/libexec/ld.so/ldd/ldd.c +++ b/libexec/ld.so/ldd/ldd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ldd.c,v 1.25 2023/08/12 13:43:22 gnezdo Exp $ */ +/* $OpenBSD: ldd.c,v 1.26 2023/08/15 13:50:53 deraadt Exp $ */ /* * Copyright (c) 2001 Artur Grabowski * All rights reserved. @@ -48,6 +48,9 @@ main(int argc, char **argv) { int c, xflag, ret; + if (pledge("stdio rpath proc exec prot_exec", NULL) == -1) + err(1, "pledge"); + xflag = 0; while ((c = getopt(argc, argv, "x")) != -1) { switch (c) { @@ -163,6 +166,8 @@ doit(char *name) err(1, "fork"); case 0: if (ehdr.e_type == ET_DYN && !interp) { + if (pledge("stdio rpath prot_exec", NULL) == -1) + err(1, "pledge"); if (realpath(name, buf) == NULL) { printf("realpath(%s): %s", name, strerror(errno)); @@ -178,14 +183,13 @@ doit(char *name) _exit(0); } + if (pledge("stdio rpath exec", "stdio rpath") == -1) + err(1, "pledge"); if (i == ehdr.e_phnum) { printf("not a dynamic executable\n"); fflush(stdout); _exit(0); } - - if (pledge(NULL, "stdio rpath") == -1) - err(1, "pledge"); execl(name, name, (char *)NULL); perror(name); _exit(1); -- 2.20.1
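Review bot: The new pledge call at the top of main() has no comment tying each promise to the code that needs it, which will matter when the set is narrowed as the commit message anticipates. From the lines visible in this patch, `proc` covers the fork in doit(), `exec` covers `execl(name, name, (char *)NULL)`, and `prot_exec` is kept only on the ET_DYN-without-interpreter branch of the child, so the parent presumably does not need it after the fork. I would add above the call `/* proc: fork in doit(); exec: execl of the target; prot_exec: child that loads the object itself */`. main() continues past the end of the hunk, so anything else there that depends on these promises cannot be seen here.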
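Review bot: In the `case 0:` child, a pledge failure goes through `err(1, "pledge")`, which leaves via exit(3), while the other child exits visible in this patch use `_exit()`. exit() runs atexit handlers and flushes stdio buffers copied from the parent at fork time, so output the parent had buffered could be written twice; whether anything is buffered at that point is not visible in the hunk. Consider `if (pledge("stdio rpath prot_exec", NULL) == -1) { warn("pledge"); _exit(1); }`. The `err(1, "pledge")` that the following hunk relocates has the same shape, and doit() starts and ends outside this hunk.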
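Review bot: The two-argument call `pledge("stdio rpath exec", "stdio rpath")` needs a comment, because the first string narrows this child while the second is the promise set applied to the image started by `execl()`. The call also now sits ahead of the `i == ehdr.e_phnum` test, so the "not a dynamic executable" path, which only prints and calls `_exit(0)`, keeps `exec` as well. That looks harmless, but the ordering reads as accidental without a note. Suggested comment: `/* drop proc and prot_exec in this child; the exec'd program is limited to "stdio rpath" */`. The loop that sets `i` lies outside the hunk.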