From bb9d77b9d0c88730b77147c83460923cc13fde99 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Fri, 9 Oct 2015 12:07:32 +0000
Subject: [PATCH] Tame syslogd privsep child with "stdio rpath unix inet recvfd". With and OK deraadt@
---
 usr.sbin/syslogd/syslogd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index dbb557c97e1..41d64df0c90 100644
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: syslogd.c,v 1.190 2015/09/29 03:19:23 guenther Exp $ */
+/* $OpenBSD: syslogd.c,v 1.191 2015/10/09 12:07:32 bluhm Exp $ */
 /*
 * Copyright (c) 1983, 1988, 1993, 1994
@@ -593,6 +593,9 @@ main(int argc, char *argv[])
 if (priv_init(ConfFile, NoDNS, lockpipe[1], nullfd, argv) < 0)
 errx(1, "unable to privsep");
+ if (tame("stdio rpath unix inet recvfd", NULL) == -1)
+ err(1, "tame");
+
 /* Process is now unprivileged and inside a chroot */
 event_init();
--
2.20.1
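Review bot: The promise string passed to `tame()` in the second hunk carries no comment saying why the child needs each promise, which makes the set hard to audit or narrow later. `rpath` and `inet` are the broad ones for a process that the following comment describes as unprivileged and chrooted, so I would record what still depends on them, for example `/* rpath: <what the child still opens>; unix/inet: log sockets; recvfd: fds passed by the privileged parent */`. The reasons in that sketch are inferred from the promise names and need confirming against the rest of main(). Because the call sits before `event_init()`, every later code path in the child runs under this restriction, so it is worth confirming that the less common paths (error handling, reload) stay within the listed promises. main() starts and continues outside the hunk.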