===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/clientloop.c,v
retrieving revision 1.276
retrieving revision 1.277
diff -u -r1.276 -r1.277
--- src/usr.bin/ssh/clientloop.c	2015/10/20 03:36:35	1.276
+++ src/usr.bin/ssh/clientloop.c	2015/12/03 17:00:18	1.277
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
+/* $OpenBSD: clientloop.c,v 1.277 2015/12/03 17:00:18 semarie Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1472,6 +1472,36 @@
 	char buf[100];
 
 	debug("Entering interactive session.");
+
+	if (options.forward_x11 || options.permit_local_command) {
+		debug("pledge: exec");
+		if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty",
+		    NULL) == -1)
+			fatal("%s pledge(): %s", __func__, strerror(errno));
+
+	} else if (options.update_hostkeys) {
+		debug("pledge: filesystem full");
+		if (pledge("stdio rpath wpath cpath unix inet dns proc tty",
+		    NULL) == -1)
+			fatal("%s pledge(): %s", __func__, strerror(errno));
+
+	} else if (! option_clear_or_none(options.proxy_command)) {
+		debug("pledge: proc");
+		if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
+			fatal("%s pledge(): %s", __func__, strerror(errno));
+
+	} else if (options.control_master &&
+	    ! option_clear_or_none(options.control_path)) {
+		debug("pledge: filesystem create");
+		if (pledge("stdio cpath unix inet dns tty",
+		    NULL) == -1)
+			fatal("%s pledge(): %s", __func__, strerror(errno));
+
+	} else {
+		debug("pledge: network");
+		if (pledge("stdio unix inet dns tty", NULL) == -1)
+			fatal("%s pledge(): %s", __func__, strerror(errno));
+	}
 
 	start_time = get_current_time();