On Mon, Apr 04, 2016 at 04:12:26AM +0000, Philip Higgins wrote:
> Hi,
> 
> When using 'udpsockmode' in dhcpd (-u flag), it first calls
> pledge("stdio rpath inet sendfd proc id", NULL) (in udpsock.c)
> 
> then tries
> pledge("stdio inet route sendfd", NULL) (back in dhcpd.c)
> 
> The "route" causes it to fail.
> 
> eg.
> $ doas dhcpd -u -fd pppx0
> Listening on 255.255.255.255:67/udp.
> dhcpd: pledge: Operation not permitted

Thanks a lot for the report and the patch!
(for next time: bugs@ or tech@ would be better suited for this).

> "route" isn't defined in the pledge(2) man page,

Yes, the pledge man page is a bit out of sync with the actual system
call. The latter is still a moving target, so this is to be expected.

You can grep for PLEDGE_ROUTE in /sys/kern/kern_pledge.c
to see where it is used.

> but testing seems to indicate it is necessary.

Yes, it is needed, e.g. for the SIOCGIFADDR ioctl(2) in the
udpsock_handler().


> Index: udpsock.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/dhcpd/udpsock.c,v
> retrieving revision 1.5
> diff -u -p -r1.5 udpsock.c
> --- udpsock.c   8 Feb 2016 02:06:07 -0000       1.5
> +++ udpsock.c   4 Apr 2016 04:09:14 -0000
> @@ -65,7 +65,7 @@ udpsock_startup(struct in_addr bindaddr)
>                 error("setsocketopt IP_RECVIF failed for udp: %s",
>                     strerror(errno));
> 
> -       if (pledge("stdio rpath inet sendfd proc id", NULL) == -1)
> +       if (pledge("stdio rpath inet sendfd proc id route", NULL) == -1)

this is the correct fix, up to the order of the promises.
"route" belongs between "inet" and "sendfd".

With that, this patch is ok tb@

>                 error("pledge: %s", strerror(errno));
> 
>         sin4.sin_family = AF_INET;
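Review bot: "route" is appended after "id" in the changed pledge() line in udpsock_startup(), and nothing at the call says why it is held there. Move it between "inet" and "sendfd" to match the promise order of the later call in dhcpd.c, and add a short comment that this set must stay a superset of that later pledge("stdio inet route sendfd", NULL), since the later call otherwise fails with "Operation not permitted" as shown in the report.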
> 
> 
> --
> -Phil
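
An added example, not part of the original thread and not dhcpd or kernel code: a small C model of the rule behind this failure, namely that a later pledge(2) call may keep or drop promises but cannot ask for one the earlier call did not hold. The names check_pledge_sequence and has_promise are hypothetical; the promise strings are the ones quoted in the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the n-byte word w is in the space-separated promise list. */
static int has_promise(const char *list, const char *w, size_t n)
{
    while (*list) {
        size_t len = strcspn(list, " ");
        if (len == n && memcmp(list, w, n) == 0)
            return 1;
        list += len;
        list += strspn(list, " ");
    }
    return 0;
}

/*
 * Hypothetical helper modelling pledge(2) narrowing: check promise strings in
 * call order. Returns 0 if each call only keeps or drops promises, else EPERM
 * with *bad_call set to the index of the first call that asks for a promise
 * the previous call did not hold.
 */
int check_pledge_sequence(const char *const calls[], int ncalls, int *bad_call)
{
    for (int i = 1; i < ncalls; i++) {
        const char *p = calls[i] + strspn(calls[i], " ");
        while (*p) {
            size_t len = strcspn(p, " ");
            if (!has_promise(calls[i - 1], p, len)) {
                *bad_call = i;
                return EPERM;
            }
            p += len;
            p += strspn(p, " ");
        }
    }
    return 0;
}

int main(void)
{
    /* First string: udpsock.c call; second: dhcpd.c call (from the thread). */
    const char *before[] = { "stdio rpath inet sendfd proc id", "stdio inet route sendfd" };
    const char *fixed[] = { "stdio rpath inet route sendfd proc id", "stdio inet route sendfd" };
    int bad = -1;
    printf("before: %d\n", check_pledge_sequence(before, 2, &bad));
    printf("fixed:  %d\n", check_pledge_sequence(fixed, 2, &bad));
    return 0;
}
```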
