When you have yp(8) configured for group(5) and passwd(5) support
on your ports build machine, some programs, for example tar(1),
will call functions like getgrnam(3), descending into yp_bind(2),
clntudp_create(3), clntudp_bufcreate(3), bindresvport_sa(3), and
ultimately bind(2).
The following patch keeps systrace(1) from repeatedly throwing
the following warning:
systrace: deny user: schwarze, prog: /bin/tar, pid: 17398(0)[18134], policy: /usr/bin/make, filters: 194, syscall: native-bind(104), sockaddr: inet-[0.0.0.0]:0
Lightly tested on i386 and sparc64 -current.
I'm not really sure the patch is correct and doesn't break
anything else, though I currently don't see why any port build
should be allowed to bind(2) inet(4) sockets.
In case the patch isn't correct, pointers to better solutions
are appreciated: If there are too many useless warnings,
there is a certain danger of missing relevant ones...
Index: systrace.filter
===================================================================
RCS file: /cvs/ports/infrastructure/db/systrace.filter,v
retrieving revision 1.25
diff -u -p -r1.25 systrace.filter
--- systrace.filter 4 Jun 2008 21:07:24 -0000 1.25
+++ systrace.filter 26 Dec 2008 00:58:46 -0000
@@ -7,6 +7,7 @@
native-bind: sockaddr match "${TMPDIR}" then permit
native-bind: sockaddr match "${WRKDIR}" then permit
native-bind: sockaddr match "/<non-existent filename>: *" then
deny[enoent]
+ native-bind: sockaddr eq "inet-[0.0.0.0]:0" then deny[eacces]
native-break: permit
native-chdir: permit
native-chflags: filename match "/tmp" then permit
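Review bot: the added rule `native-bind: sockaddr eq "inet-[0.0.0.0]:0" then deny[eacces]` only matches the exact wildcard address with port 0 that appears in the quoted warning; a bind(2) to any concrete address or nonzero port from a port build would still fall through to the default and keep logging. If the intent stated in the cover text is that no port build should bind inet(4) sockets at all, a pattern rule along the lines of the preceding `sockaddr match` entries (for example matching `"inet-*"`) would express that directly, and the rule would then also want a comment in the filter explaining the yp_bind(3)/bindresvport_sa(3) path that triggers it. Separately, the neighbouring rule returns `deny[enoent]` while this one returns `deny[eacces]`; EACCES is what an unprivileged caller sees on a reserved-port bind, so it is a reasonable choice, but it is worth confirming with the lightly-tested builds that callers of getgrnam(3) cope with the error rather than retrying, since the patch turns a logged default deny into an explicit one.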