| author | beck <> | 2015-10-23 05:27:17 +0000 | 
|---|---|---|
| committer | beck <> | 2015-10-23 05:27:17 +0000 | 
| commit | 8869dc1084b51ff195253b4868bfa4abb688ba9f (patch) | |
| tree | d1feb7c562430d12b6baf2dc50419fffb1a1fed5 /src/usr.bin/nc/netcat.c | |
| parent | f3219d6f98950c898ef82fe58e92354d7b9725ff (diff) | |
Initial pledge of netcat - unfortunately flawed because fiddling the rtableid
in a socket option can be pretty scary and there is no better interface for this.
So if the -V option is used you get no pledge at all. Otherwise, do what
works for the various options.  Still needs refinement for TLS to drop rpath,
and a better solution for the routing table stuff.
Diffstat (limited to 'src/usr.bin/nc/netcat.c')
| -rw-r--r-- | src/usr.bin/nc/netcat.c | 28 | 
1 files changed, 27 insertions, 1 deletions
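diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 9fc825b5d8..df0aed9e38 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.139 2015/10/11 00:26:23 guenther Exp $ */
+/* $OpenBSD: netcat.c,v 1.140 2015/10/23 05:27:17 beck Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -310,6 +310,28 @@ main(int argc, char *argv[])
 argc -= optind;
 argv += optind;
 
+if (rtableid >= 0) {
+/*
+* XXX No pledge if doing rtable manipulation!
+* XXX the routing table stuff is dangerous and can't be pledged.
+* XXX rtable should really have a better interface than sockopt
+*/
+}
+else if (family == AF_UNIX) {
+if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
+err(1, "pledge");
+}
+else if (Fflag) {
+if (pledge("stdio inet dns sendfd", NULL) == -1)
+err(1, "pledge");
+}
+else if (usetls) {
+if (pledge("stdio rpath inet dns", NULL) == -1)
+err(1, "pledge");
+}
+else if (pledge("stdio inet dns", NULL) == -1)
+err(1, "pledge");
+
 /* Cruft to make sure options are clean, and used properly. */
 if (argv[0] && !argv[1] && family == AF_UNIX) {
 host = argv[0];
@@ -337,6 +359,10 @@ main(int argc, char *argv[])
 errx(1, "cannot use -c and -u");
 if ((family == AF_UNIX) && usetls)
 errx(1, "cannot use -c and -U");
+if ((family == AF_UNIX) && Fflag)
+errx(1, "cannot use -F and -U");
+if (Fflag && usetls)
+errx(1, "cannot use -c and -F");
 if (TLSopt && !usetls)
 errx(1, "you must specify -c to use TLS options");
 if (Cflag && !usetls)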
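Review bot: The AF_UNIX branch at new lines 320-323 requests `tmppath` for every -U invocation; if that promise exists only for the temporary datagram socket path (the code that creates it is outside this hunk), it could be requested only when uflag is set, e.g. `pledge(uflag ? "stdio rpath wpath cpath tmppath unix" : "stdio rpath wpath cpath unix", NULL)`, keeping a stream-mode -U client to the smaller promise set. The pledge chain also runs before the option sanity checks at new lines 359-368, which is fine since errx() needs only stdio, but it deserves a comment so the ordering is not "fixed" later: `/* Pledge before the sanity checks below; rejecting an option mix needs only stdio. */`. Style: the closing braces on new lines 323, 327 and 331 are followed by `else if` on the next line, whereas style(9) puts `} else if (...) {` on one line. main() continues outside this section.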
