On Thu, Jan 16, 2020 at 12:13:27PM -0700, Theo de Raadt wrote:
> Your example is vaguely inprecise enough that I cannot reproduce the
> failure. If I could, I would ktrace it.
Here is more (precise) data:
----->
beta$ cd /tmp
beta$ ktrace -i dig @rhombus.centroid.eu +tcp delphinusdns.org aaaa
Abort trap (core dumped)
beta$ kdump | grep -4 PLDG
83401 dig RET kbind 0
83401 dig CALL setsockopt(20,41<ipv6>,42,0x7f7ffffdb1b0,4)
83401 dig RET setsockopt 0
83401 dig CALL setsockopt(20,6<tcp>,2,0x7f7ffffdb1b0,4)
83401 dig PLDG setsockopt, "inet", errno 1 Operation not permitted
83401 dig PSIG SIGABRT SIG_DFL
83401 dig NAMI "dig.core"
beta$ sysctl kern.version
kern.version=OpenBSD 6.6-current (GENERIC.MP) #603: Mon Jan 13 13:21:42 MST 2020
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
<-----
> dig is supposed to use SOCK_DNS, and then not bother doing additional
> stuff.
>
> 105 is setsockopt. We would investigate if the setsockopt being done
> is required, or if it can be removed. After all, the "bind as a library"
> code remaining no longer needs to serve "daemon functionality".
Thanks for that hint, that makes it easier, with the kdump and some grepping
I have located it (it's the only tcp setsockopt in dig's lib):
------->
beta$ grep -R setsockopt * | grep IPPROTO_TCP
grep: obj: Permission denied
lib/isc/unix/socket.c: (void)setsockopt(sock->fd, IPPROTO_TCP,
TCP_MAXSEG,
beta$ grep TCP_MAXSEG /usr/include/netinet/tcp.h
#define TCP_MAXSEG 0x02 /* set maximum segment size */
<------
I've not come across this setsockopt in my network programming, but I guess
the comment is good enough.
Best Regards,
-peter
> Peter J. Philipp <[email protected]> wrote:
>
> > I did a quick grep of dig's pledge:
> >
> > ---->
> > beta$ grep pledge *
> > dig.c: if (pledge("stdio rpath dns", NULL) == -1) {
> > dig.c: perror("pledge");
> > dig.c: if (pledge("stdio dns", NULL) == -1) {
> > dig.c: perror("pledge");
> > <----
> >
> > and noticed that there is no inet pledge. The problem is when I do
> > a dig @server +tcp example.com, dig gets killed with an inet pledge
> > recomendation.
> >
> > beta$ dmesg | tail -1
> > dig[42760]: pledge "inet", syscall 105
> >
> > I'm aware that dig was only recently upgraded and I don't want to step
> > on anyones toes. Is there a fix for the dns pledge or an addition to
> > dig's pledges foreseen?
> >
> > Best regards,
> > -peter
> >
