On Mon, 16 Jan 2017, Theo de Raadt wrote:

> There's a small piece some people have missed.  pledge doesn't
> block port 53.  It is blocked unless you use SOCK_DNS.  That was
> a step taken to separate "hostname/dns lookup" pieces of code from
> "internet speaking" pieces of code.  That step allowed pledge to
> do something really cool.

Based on that, my earlier comment about the socket(2) manpage is wrong. Apologies. My comment about port 53 being hard-coded into asr_run(3) does however still stand.

> Yes, we changed unix.

It will be 50 years old soon so that will start to be more common. Mind you, some of the networking is only just over 30 years old.

> Someone could write a diff, and test it well...

Is it that simple, or should one look at doing a replacement library along the lines of asr_run(3) first?

As an aside, the 'host' command, the simple version of dig, does a pledge with 'inet' included.

Regards - Damian

Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer
