-rw-r--r-- | clientloop.c | 32 | ||||
-rw-r--r-- | mux.c | 11 |
2 files changed, 41 insertions, 2 deletions
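--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
+/* $OpenBSD: clientloop.c,v 1.277 2015/12/03 17:00:18 semarie Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1485,6 +1485,36 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 
 debug("Entering interactive session.");
 
+if (options.forward_x11 || options.permit_local_command) {
+debug("pledge: exec");
+if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty",
+NULL) == -1)
+fatal("%s pledge(): %s", __func__, strerror(errno));
+
+} else if (options.update_hostkeys) {
+debug("pledge: filesystem full");
+if (pledge("stdio rpath wpath cpath unix inet dns proc tty",
+NULL) == -1)
+fatal("%s pledge(): %s", __func__, strerror(errno));
+
+} else if (! option_clear_or_none(options.proxy_command)) {
+debug("pledge: proc");
+if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
+fatal("%s pledge(): %s", __func__, strerror(errno));
+
+} else if (options.control_master &&
+! option_clear_or_none(options.control_path)) {
+debug("pledge: filesystem create");
+if (pledge("stdio cpath unix inet dns tty",
+NULL) == -1)
+fatal("%s pledge(): %s", __func__, strerror(errno));
+
+} else {
+debug("pledge: network");
+if (pledge("stdio unix inet dns tty", NULL) == -1)
+fatal("%s pledge(): %s", __func__, strerror(errno));
+}
+
 start_time = get_current_time();
 
 /* Initialize variables. */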
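Review bot: The ControlMaster branch's promise set, `pledge("stdio cpath unix inet dns tty", NULL)`, omits `recvfd`, yet the companion mux.c change has mux clients hand their stdio descriptors to the master with mm_send_fd under a `sendfd` pledge, and pledge(2) only lets a process accept SCM_RIGHTS descriptors if it holds `recvfd`; the master presumably receives them (mm_receive_fd in the mux master handlers, not in this hunk) from inside the interactive loop, i.e. after this pledge is in force, so the first multiplexed session would kill the master. The branch should read `if (pledge("stdio cpath unix inet dns recvfd tty", NULL) == -1)`, and because the chain tests ForwardX11/PermitLocalCommand, UpdateHostKeys and ProxyCommand before control_master, a master that also sets one of those lands in an earlier branch that lacks `recvfd` too; testing control_master first, or adding the promise to those branches when it is set, is worth confirming against the master-side receive path. A one-line comment per branch naming the feature each extra promise serves (e.g. `/* exec: xauth(1) for ForwardX11 and LocalCommand */`) would make the chain easier to audit later. client_loop continues beyond the end of the hunk.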
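--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.55 2015/10/15 23:51:40 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.56 2015/12/03 17:00:18 semarie Exp $ */
 /*
 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
 *
@@ -1851,6 +1851,9 @@ mux_client_request_session(int fd)
 mm_send_fd(fd, STDERR_FILENO) == -1)
 fatal("%s: send fds failed", __func__);
 
+if (pledge("stdio proc tty", NULL) == -1)
+fatal("%s pledge(): %s", __func__, strerror(errno));
+
 debug3("%s: session request sent", __func__);
 
 /* Read their reply */
@@ -1996,6 +1999,9 @@ mux_client_request_stdio_fwd(int fd)
 mm_send_fd(fd, STDOUT_FILENO) == -1)
 fatal("%s: send fds failed", __func__);
 
+if (pledge("stdio proc tty", NULL) == -1)
+fatal("%s pledge(): %s", __func__, strerror(errno));
+
 debug3("%s: stdio forward request sent", __func__);
 
 /* Read their reply */
@@ -2159,6 +2165,9 @@ muxclient(const char *path)
 }
 set_nonblock(sock);
 
+if (pledge("stdio sendfd proc tty", NULL) == -1)
+fatal("%s pledge(): %s", __func__, strerror(errno));
+
 if (mux_client_hello_exchange(sock) != 0) {
 error("%s: master hello exchange failed", __func__);
 close(sock);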
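Review bot: The two tightening pledges added after the mm_send_fd calls in mux_client_request_session and mux_client_request_stdio_fwd repeat the same `pledge("stdio proc tty", NULL)` with nothing saying why the promise set shrinks there, and unlike every pledge in the clientloop.c half of this change they emit no `debug("pledge: ...")` line before narrowing, which makes a mismatch hard to diagnose in -v output. A comment such as `/* All descriptors have been passed to the master; drop sendfd */` above each, plus a matching `debug("pledge: stdio");` before the call, would keep the two files consistent. Why `proc` is still needed by the mux client after the descriptors are sent is not visible in these hunks; a short note on that at the `pledge("stdio sendfd proc tty", NULL)` call in muxclient would help the next person who tries to tighten it further. All three enclosing functions start before and continue after their hunks.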