From b6f582f2a70ec725f2c20217044040eeb6a1627c Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Fri, 9 Oct 2015 03:50:40 +0000
Subject: [PATCH] Once the constraint engine process is running, it only needs "stdio inet". It took weeks to get to this point...
---
 src/usr.sbin/ntpd/constraint.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
index cf924416..8fc2cca8 100644
--- a/src/usr.sbin/ntpd/constraint.c
+++ b/src/usr.sbin/ntpd/constraint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: constraint.c,v 1.17 2015/09/10 13:49:48 beck Exp $ */
+/* $OpenBSD: constraint.c,v 1.18 2015/10/09 03:50:40 deraadt Exp $ */
 
 /*
  * Copyright (c) 2015 Reyk Floeter
@@ -38,6 +38,7 @@
 #include
 #include
 #include
+#include
 
 #include "log.h"
 #include "ntpd.h"
@@ -197,6 +198,9 @@ constraint_query(struct constraint *cstr)
 case 0:
 setproctitle("constraint from %s", hname);
 
+if (pledge("stdio inet", NULL) == -1)
+err(1, "pledge");
+
 /* Child process */
 if (dup2(pipes[1], CONSTRAINT_PASSFD) == -1)
 fatal("%s dup2 CONSTRAINT_PASSFD", __func__);
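Review bot: The failure path of the new pledge() call in the @@ -197 hunk reports through `err(1, "pledge")`, while the neighbouring failure path two lines below reports through `fatal("%s dup2 CONSTRAINT_PASSFD", __func__)` from log.h; in a forked child of a daemon stderr is not necessarily where the operator looks, so `fatal("%s pledge", __func__);` would keep the child's diagnostics on the same channel as the rest of the file and make the header added in the @@ -38 hunk unnecessary. The promise set itself matches what the hunk shows: the dup2() that follows is covered by "stdio". constraint_query starts and ends outside the hunk, so whether the child later needs any promise beyond "stdio inet" cannot be confirmed from this excerpt.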