Theo Buehler wrote: > tedu's -delete diff reminded me of a patch I've had in one of my trees > for quite a while: find(1) was tamed a few days before execve(2) was > added to kern_tame.c and I think it was simply forgotten that everything > was already prepared for this. Now it's slightly more complicated than > before because of the -delete option.
Yeah. I had to fiddle because I was adding something. I wasn't sure if it would be better to add a switch? Pick a string and then call pledge(perms). We don't typically do that, but is there a tipping point where the if/err dance gets too repititive? > > Index: find.c > =================================================================== > RCS file: /cvs/src/usr.bin/find/find.c,v > retrieving revision 1.21 > diff -u -p -r1.21 find.c > --- find.c 3 Jan 2017 21:31:16 -0000 1.21 > +++ find.c 3 Jan 2017 21:44:50 -0000 > @@ -162,6 +162,15 @@ find_execute(PLAN *plan, /* search plan > if (pledge("stdio rpath getpw", NULL) == -1) > err(1, "pledge"); > } > + } else { > + if (isdelete) { > + if (pledge("stdio rpath cpath getpw proc exec", NULL) > + == -1) > + err(1, "pledge"); > + } else { > + if (pledge("stdio rpath getpw proc exec", NULL) == -1) > + err(1, "pledge"); > + } > } > > rval = 0; >