-rw-r--r-- | clientloop.c | 32 | ||||
-rw-r--r-- | mux.c | 11 |
2 files changed, 41 insertions, 2 deletions
diff --git a/clientloop.c b/clientloop.c
index 1e05cba2..e6e1a565 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
+/* $OpenBSD: clientloop.c,v 1.277 2015/12/03 17:00:18 semarie Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1485,6 +1485,36 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 debug("Entering interactive session.");
+ if (options.forward_x11 || options.permit_local_command) {
+ debug("pledge: exec");
+ if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty",
+ NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else if (options.update_hostkeys) {
+ debug("pledge: filesystem full");
+ if (pledge("stdio rpath wpath cpath unix inet dns proc tty",
+ NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else if (! option_clear_or_none(options.proxy_command)) {
+ debug("pledge: proc");
+ if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else if (options.control_master &&
+ ! option_clear_or_none(options.control_path)) {
+ debug("pledge: filesystem create");
+ if (pledge("stdio cpath unix inet dns tty",
+ NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
+ } else {
+ debug("pledge: network");
+ if (pledge("stdio unix inet dns tty", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+ }
+
 start_time = get_current_time();
 /* Initialize variables. */
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.55 2015/10/15 23:51:40 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.56 2015/12/03 17:00:18 semarie Exp $ */
 /*
 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
 *
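Review bot: The final `else` branch pledges `stdio unix inet dns tty` with no `proc`, but client_loop's escape handling (process_escapes, outside this hunk) forks on `~&` to background the session, and pledge(2) only permits fork(2)/kill(2) under `proc`, so with that promise set the escape would terminate the client instead of backgrounding it — worth confirming against process_escapes before merging. If that reading holds, the last call should be `if (pledge("stdio unix inet dns proc tty", NULL) == -1)`, and the `control_master` branch would want `proc` for the same reason. Separately, the chain only works because each promise set is a superset of the ones after it (a config with X11 plus UpdateHostKeys lands in the first branch, which covers both), and that ordering is load-bearing but undocumented; a comment above the chain such as `/* Ordered most to least permissive: each promise set is a superset of those below, so the first matching branch is always sufficient. */` would protect it from later edits. client_loop continues well past the end of this hunk.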
@@ -1851,6 +1851,9 @@ mux_client_request_session(int fd)
 mm_send_fd(fd, STDERR_FILENO) == -1)
 fatal("%s: send fds failed", __func__);
+ if (pledge("stdio proc tty", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
 debug3("%s: session request sent", __func__);
 /* Read their reply */
@@ -1996,6 +1999,9 @@ mux_client_request_stdio_fwd(int fd)
 mm_send_fd(fd, STDOUT_FILENO) == -1)
 fatal("%s: send fds failed", __func__);
+ if (pledge("stdio proc tty", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
 debug3("%s: stdio forward request sent", __func__);
 /* Read their reply */
@@ -2159,6 +2165,9 @@ muxclient(const char *path)
 }
 set_nonblock(sock);
+ if (pledge("stdio sendfd proc tty", NULL) == -1)
+ fatal("%s pledge(): %s", __func__, strerror(errno));
+
 if (mux_client_hello_exchange(sock) != 0) {
 error("%s: master hello exchange failed", __func__);
 close(sock); |
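Review bot: The tightened pledge right after the last mm_send_fd() correctly drops `sendfd`, but nothing says why `proc` and `tty` must survive in a function that from here on only reads the master's reply and relays terminal state, so the next person trimming promises has no guidance. My reading is that `proc` covers the kill(2) in the signal-relay handler that forwards SIGWINCH and friends to the master and `tty` covers the raw-mode ioctls, but both live outside this hunk and should be confirmed. A one-line comment above the call, `/* fds delivered: drop sendfd. proc: kill(2) to relay signals to the master; tty: raw-mode ioctls */`, would pin that down, and the identical pledge in the stdio-forward hunk below deserves the same note. mux_client_request_session continues past the end of this hunk.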
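Review bot: In muxclient the pledge lands only after the control socket is already connected and set non-blocking, so the socket creation and connect() that precede `set_nonblock(sock)` — not visible in this hunk — run with no promises at all. Since pledge(2) can only be tightened, the call could move above the connect with the `unix` promise added, `if (pledge("stdio unix sendfd proc tty", NULL) == -1)`, and the per-request pledges added in the hunks above already drop `sendfd` once the descriptors are sent; whether anything before the connect needs more than that (the path handling, say) is worth checking in the lines just above. On the error path shown, `close(sock)` is covered by `stdio`, so nothing here breaks either way. muxclient continues past the end of this hunk.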