1 files changed, 17 insertions, 0 deletions

diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c
index e536e31c..1390a03e 100644
--- a/plugins-root/check_icmp.c
+++ b/plugins-root/check_icmp.c
@@ -812,6 +812,15 @@ void parse_address(const struct sockaddr_storage *addr, char *dst, socklen_t siz
 }
 
 int main(int argc, char **argv) {
+#ifdef __OpenBSD__
+        /* - rpath is required to read --extra-opts (given up later)
+         * - inet is required for sockets
+         * - dns is required for name lookups (given up later)
+         * - id is required for temporary privilege drops in configparsing and for
+         *   permanent privilege dropping after opening the socket (given up later) */
+        pledge("stdio rpath inet dns id", NULL);
+#endif // __OpenBSD__
+
         setlocale(LC_ALL, "");
         bindtextdomain(PACKAGE, LOCALEDIR);
         textdomain(PACKAGE);
@@ -836,6 +845,10 @@ int main(int argc, char **argv) {
                 crash("failed to parse config");
         }
 
+#ifdef __OpenBSD__
+        pledge("stdio inet dns id", NULL);
+#endif // __OpenBSD__
+
         const check_icmp_config config = tmp_config.config;
 
         if (config.output_format_is_set) {
@@ -898,6 +911,10 @@ int main(int argc, char **argv) {
                 return 1;
         }
 
+#ifdef __OpenBSD__
+        pledge("stdio inet", NULL);
+#endif // __OpenBSD__
+
         if (sockset.socket4) {
                 int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl));
                 if (debug) {