Grüzi!

The ports already contain icinga2 which includes the `icinga2 console` feature:

$ icinga2 console
Icinga 2 (version: r2.13.5-1)
Type $help to view available commands.
<1> => 1 + 1
2.000000
<2> =>

I'm building a (free) "icinga2 console as a service" via (long story
short) JS, websocket, FastCGI and forkpty(3).

To maximally sandbox each icinga2 console, I use pledge(2) and
unveil(2). Unfortunately pledge(2) requires not only
execpromises="stdio error", but also "rpath" for loading the libs. OK, I
can live with it as I can unveil(2) across execvpe(3). To unveil(2) only
as much as needed, I'm trying to unveil(2) only step-by-step until
success. I use ld error messages as signposts, i.e.:

Me: unveil("/usr/local/lib/icinga2/sbin/icinga2", "x"), unveil(0, 0)
execve: cannot load /usr/libexec/ld.so
Me: unveil("/usr/libexec/ld.so", "r")
ld.so: icinga2: can't load library 'libcurses.so.14.0'
Me: unveil("/usr/lib", "r")
ld.so: icinga2: can't load library 'libboost_date_time-mt.so.21.0'
Me: unveil("/usr/local/lib", "r")
ld.so: icinga2: can't load library 'libbz2.so.10.4'

That's interesting:

/usr/local/lib/libboost_date_time-mt.so.21.0 and
/usr/local/lib/libbz2.so.10.4 are in the same dir, but only one can be
loaded.

Has anyone an idea why? Btw. no unveil(2) at all works.

Best,
A/K
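
The cumulative unveil(2)/pledge(2) sequence from the post, written out as the child-side setup before exec. This is an added example, not the poster's code: the "stdio exec" promise for the calling process and the dry-run shims for non-OpenBSD builds are assumptions. It reproduces the configuration under which the post reports the libbz2 load failure; it does not resolve it.

```c
#include <stdio.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Dry-run shims (assumption): trace the calls off OpenBSD, enforce nothing. */
static int unveil(const char *p, const char *m) {
    return fprintf(stderr, "unveil(%s, %s)\n", p ? p : "NULL", m ? m : "NULL") < 0 ? -1 : 0;
}
static int pledge(const char *p, const char *e) {
    return fprintf(stderr, "pledge(%s, %s)\n", p, e) < 0 ? -1 : 0;
}
#endif

struct veil { const char *path, *perms; };

/* Paths and permissions in the order tried in the post. */
static const struct veil veils[] = {
    { "/usr/local/lib/icinga2/sbin/icinga2", "x" },
    { "/usr/libexec/ld.so", "r" },
    { "/usr/lib", "r" },
    { "/usr/local/lib", "r" },
};

/* Install every rule, lock the list, then pledge. Returns rule count or -1. */
int sandbox_apply(void)
{
    int i, n = (int)(sizeof(veils) / sizeof(veils[0]));
    for (i = 0; i < n; i++)
        if (unveil(veils[i].path, veils[i].perms) == -1) {
            perror(veils[i].path);
            return -1;
        }
    if (unveil(NULL, NULL) == -1)      /* no further unveil(2) calls allowed */
        return -1;
    /* "exec" lets this process call execve; the new image runs under execpromises. */
    if (pledge("stdio exec", "stdio rpath error") == -1)
        return -1;
    return n;
}

int main(void)
{
    char *argv[] = { "icinga2", "console", NULL };
    char *envp[] = { NULL };
    if (sandbox_apply() == -1)
        return 1;
    execve(veils[0].path, argv, envp);
    perror("execve");                  /* reached only if execve failed */
    return 1;
}
```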
