From a27b872488f9bbe671a431695ba79ff440d598b4 Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Wed, 8 Aug 2018 22:56:42 +0000
Subject: [PATCH] ntpd unveils the cert.pem "r" file (which is passed-over-socket to the constraints process), and /usr/sbin/ntpd "x" to perform fork+exec operations.
---
 src/usr.sbin/ntpd/ntpd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
index 664fff4b..cb6bc137 100644
--- a/src/usr.sbin/ntpd/ntpd.c
+++ b/src/usr.sbin/ntpd/ntpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntpd.c,v 1.115 2018/08/04 11:07:14 mestre Exp $ */
+/* $OpenBSD: ntpd.c,v 1.116 2018/08/08 22:56:42 deraadt Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer
@@ -244,6 +244,10 @@ main(int argc, char *argv[])
  * Constraint processes are forked with certificates in memory,
  * then privdrop into chroot before speaking to the outside world.
  */
+	if (unveil("/etc/ssl/cert.pem", "r") == -1)
+		err(1, "unveil");
+	if (unveil("/usr/sbin/ntpd", "x") == -1)
+		err(1, "unveil");
 	if (pledge("stdio rpath inet settime proc exec id", NULL) == -1)
 		err(1, "pledge");
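Review bot: The two unveil() calls in the second hunk are undocumented, and the comment block directly above them still only explains the constraint-process privdrop, so a reader cannot tell why exactly these two paths are exposed or that the unveil set is sealed by the following pledge() (its promise list does not include "unveil", so no later unveil() call can widen it). Suggest a comment before the first call: `/* Filesystem view for the rest of main(): cert.pem read-only for the constraint processes, and our own binary for the fork+exec re-invocation; the pledge() below seals this list. */`. Both paths are hard-coded; if the daemon is ever started from a location other than /usr/sbin/ntpd, or the certificate bundle lives elsewhere, the later exec or open will presumably fail with ENOENT rather than at this unveil — worth confirming how the constraint fork+exec path locates the binary. main() continues outside the hunk; the first hunk is only the RCS id bump.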