1 files changed, 25 insertions, 9 deletions

diff --git a/plugins-root/check_icmp.c b/plugins-root/check_icmp.c
index 5bfb5cb5..1390a03e 100644
--- a/plugins-root/check_icmp.c
+++ b/plugins-root/check_icmp.c
@@ -277,15 +277,6 @@ typedef struct {
         check_icmp_config config;
 } check_icmp_config_wrapper;
 check_icmp_config_wrapper process_arguments(int argc, char **argv) {
-        /* get calling name the old-fashioned way for portability instead
-         * of relying on the glibc-ism __progname */
-        char *ptr = strrchr(argv[0], '/');
-        if (ptr) {
-                progname = &ptr[1];
-        } else {
-                progname = argv[0];
-        }
-
         check_icmp_config_wrapper result = {
                 .errorcode = OK,
                 .config = check_icmp_config_init(),
@@ -821,6 +812,15 @@ void parse_address(const struct sockaddr_storage *addr, char *dst, socklen_t siz
 }
 
 int main(int argc, char **argv) {
+#ifdef __OpenBSD__
+        /* - rpath is required to read --extra-opts (given up later)
+         * - inet is required for sockets
+         * - dns is required for name lookups (given up later)
+         * - id is required for temporary privilege drops in configparsing and for
+         *   permanent privilege dropping after opening the socket (given up later) */
+        pledge("stdio rpath inet dns id", NULL);
+#endif // __OpenBSD__
+
         setlocale(LC_ALL, "");
         bindtextdomain(PACKAGE, LOCALEDIR);
         textdomain(PACKAGE);
@@ -828,6 +828,14 @@ int main(int argc, char **argv) {
         /* POSIXLY_CORRECT might break things, so unset it (the portable way) */
         environ = NULL;
 
+        /* determine program- and service-name quickly */
+        progname = strrchr(argv[0], '/');
+        if (progname != NULL) {
+                progname++;
+        } else {
+                progname = argv[0];
+        }
+
         /* Parse extra opts if any */
         argv = np_extra_opts(&argc, argv, progname);
 
@@ -837,6 +845,10 @@ int main(int argc, char **argv) {
                 crash("failed to parse config");
         }
 
+#ifdef __OpenBSD__
+        pledge("stdio inet dns id", NULL);
+#endif // __OpenBSD__
+
         const check_icmp_config config = tmp_config.config;
 
         if (config.output_format_is_set) {
@@ -899,6 +911,10 @@ int main(int argc, char **argv) {
                 return 1;
         }
 
+#ifdef __OpenBSD__
+        pledge("stdio inet", NULL);
+#endif // __OpenBSD__
+
         if (sockset.socket4) {
                 int result = setsockopt(sockset.socket4, SOL_IP, IP_TTL, &config.ttl, sizeof(config.ttl));
                 if (debug) {