From df1d1c4144ea8db22b76db6b6f840156b37f4f70 Mon Sep 17 00:00:00 2001
From: deraadt <deraadt@openbsd.org>
Date: Mon, 19 Oct 2015 16:20:56 +0000
Subject: [PATCH] Allow setpriority in "proc" as well, since a few shells have
 "nice" builtin.  make a note that setpriority() should be weakened, unless
 "id" is also present. pointed out by Theo Buehler

---
 sys/kern/kern_pledge.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index 9bee9f336fd..7bff183f241 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_pledge.c,v 1.56 2015/10/19 12:55:32 nicm Exp $	*/
+/*	$OpenBSD: kern_pledge.c,v 1.57 2015/10/19 16:20:56 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -156,6 +156,9 @@ const u_int pledge_syscalls[SYS_MAXSYSCALL] = {
 	[SYS_setrlimit] = PLEDGE_PROC | PLEDGE_ID,
 	[SYS_getpriority] = PLEDGE_PROC | PLEDGE_ID,
 
+	/* XXX we should limit the power for the "proc"-only case */ 
+	[SYS_setpriority] = PLEDGE_PROC | PLEDGE_ID,
+
 	[SYS_setuid] = PLEDGE_ID,
 	[SYS_seteuid] = PLEDGE_ID,
 	[SYS_setresuid] = PLEDGE_ID,
@@ -164,7 +167,6 @@ const u_int pledge_syscalls[SYS_MAXSYSCALL] = {
 	[SYS_setresgid] = PLEDGE_ID,
 	[SYS_setgroups] = PLEDGE_ID,
 	[SYS_setlogin] = PLEDGE_ID,
-	[SYS_setpriority] = PLEDGE_ID,
 
 	[SYS_execve] = PLEDGE_EXEC,
 
-- 
2.20.1