From f4bcf7a13069cc8dbd4b203884cd22f2f9c8efa1 Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Fri, 10 Aug 2018 17:15:22 +0000
Subject: In typical swiss-army style, various modes and options cause different unveils. Joint work with beck and florian. Let us know if you hit any corner cases.
---
 src/usr.bin/nc/netcat.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index e03199e528..8e7f7e1718 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.191 2018/04/27 15:17:53 beck Exp $ */
+/* $OpenBSD: netcat.c,v 1.192 2018/08/10 17:15:22 deraadt Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -364,6 +364,29 @@ main(int argc, char *argv[])
 } else
 usage(1);

+ if (usetls) {
+ if (Cflag && unveil(Cflag, "r") == -1)
+ err(1, "unveil");
+ if (unveil(Rflag, "r") == -1)
+ err(1, "unveil");
+ if (Kflag && unveil(Kflag, "r") == -1)
+ err(1, "unveil");
+ if (oflag && unveil(oflag, "r") == -1)
+ err(1, "unveil");
+ } else {
+ if (family == AF_UNIX) {
+ if (unveil(host, "rwc") == -1)
+ err(1, "unveil");
+ if (uflag && !lflag) {
+ if (unveil(sflag ? sflag : "/tmp", "rwc") == -1)
+ err(1, "unveil");
+ }
+ } else {
+ if (unveil("/", "") == -1)
+ err(1, "unveil");
+ }
+ }
+
 if (family == AF_UNIX) {
 if (pledge("stdio rpath wpath cpath tmppath unix", NULL) == -1)
 err(1, "pledge");
--
cgit v1.2.3-55-g6feb
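Review bot: Every failure path in the added block reports the bare string `err(1, "unveil")`, so when one of `Cflag`, `Rflag`, `Kflag`, `oflag`, `host` or the `sflag`/`/tmp` path is rejected the user cannot tell which one; name the path in each call, e.g. `err(1, "unveil %s", Cflag);` and `err(1, "unveil %s", host);`. `Rflag` is the only TLS path handed to unveil() without a NULL guard, which is fine if it always carries a default, but that assignment is outside this hunk and a one-line comment saying so would make the asymmetry with the other three clearly deliberate. The `uflag && !lflag` fallback opens all of `/tmp` with "rwc", much wider than a single socket path, and deserves a comment along the lines of `/* no sflag: client datagram socket is presumably bound under /tmp */`. main() begins and ends outside the hunk, so only the AF_UNIX pledge() is visible here; whether the other pledge() calls also omit the "unveil" promise and thereby freeze this list cannot be confirmed from the diff.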