CVS: cvs.openbsd.org: src

Fri, 27 Feb 2026 12:31:26 -0800 

CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]   2026/02/27 13:31:13

Modified files:
        gnu/usr.bin/binutils-2.17/binutils: Tag: OPENBSD_7_8 objdump.c 
        gnu/usr.bin/texinfo/util: Tag: OPENBSD_7_8 texindex.c 
        usr.bin/calendar: Tag: OPENBSD_7_8 calendar.c 
        usr.bin/diff   : Tag: OPENBSD_7_8 diff.c 
        usr.bin/htpasswd: Tag: OPENBSD_7_8 htpasswd.c 
        usr.bin/m4     : Tag: OPENBSD_7_8 main.c 
        usr.bin/mail   : Tag: OPENBSD_7_8 main.c 
        usr.bin/mandoc : Tag: OPENBSD_7_8 main.c 
        usr.bin/nc     : Tag: OPENBSD_7_8 netcat.c 
        usr.bin/patch  : Tag: OPENBSD_7_8 patch.c 
        usr.bin/sendbug: Tag: OPENBSD_7_8 sendbug.c 
        usr.sbin/smtpd : Tag: OPENBSD_7_8 smtpc.c smtpctl.c smtpd.c 

Log message:
replace pledge "stdio rpath tmppath" with unveil "/tmp" "rwc" to satisfy
mktemp(3) type operations, unveil "/" "r" for reading all over the tree,
and pledge "stdio rpath wpath cpath" to permit both unveils subject to
their own limitations.

pledge "rpath tmppath" is replace with unveil "/" "r", unveil "/tmp" "rwc",
and "rpath wpath cpath"
from deraadt@; ok semarie

This was using pledge "tmppath" with "rpath wpath cpath".
The "tmppath" is not needed.
from deraadt@; ok semarie and others

uses tmpfile(), which is why it used "tmppath", which is why it now
needs "rpath wpath cpath"
from deraadt@; spotted by brynet

Instead of pledge "tmppath rpath", setup a "rwc" unveil on "/tmp", a
"r" unveil on "/", and then pledge "rpath wpath cpath".
from deraadt@; ok semarie and others

This is using pledge "tmppath" with "rpath wpath cpath".
The "tmppath" is not needed.
from deraadt@; ok semarie and others

These programs are using pledge "tmppath" with "rpath wpath cpath".
The "tmppath" is not needed.
from deraadt@; ok semarie and others

Use unveil() instead of pledge "tmppath".  There is a bit of bulldozering
here to handle the many codeflows regarding output files, and I hope ingo
improves it later.
from deraadt@; Some help with regression validation from job

nc(1) has the more crazy unveil + pledge configuration based upon
argument flags.  I think this correctly replaces "tmppath" with an
unveil.
from deraadt@

Since this program is "rpath wpath cpath", it does not need to use
"tmppath"
from deraadt@; ok op

replace pledge "tmppath" with unveil "/tmp" "rwc" and "rpath wpath cpath".
from deraadt@; ok ok

this is errata/7.8/015_tmppath.patch.sig

Reply via email to