On 2017/11/14 18:31, Jeremie Courreges-Anglas wrote:
> On Sun, Nov 12 2017, sunil+po...@nimmagadda.net wrote:
> > Hi,
> 
> Hi Sunil,
> 
> > This diff replaces a system(3) call to insert an address into a pf
> > table with ioctl(DIOCADDADDRS) which allows removal of "proc exec"
> > from the pledge promises.
> 
> Interesting.  So DIOCRADDADDRS isn't restricted by pledge(2)?

It looks like it would be restricted; it's not on the list of permitted
ioctls in the PLEDGE_PF section of kern_pledge.c. OTOH, DIOCRSETADDRS
and DIOCRCLRADDRS *are* permitted, so I don't think it would be
unreasonable to permit the remaining DIOCRxxxADDRS.

One reason for a port to call out to pfctl for PF-related operations
is to insulate it from kernel ABI changes (pfctl is more likely to be
up to date than packages after an update). I suppose at least for
sshlockout, it would fail open rather than closed if there were a
problem like this, so not likely to be a huge annoyance.
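For reference, here is what the system(3)-to-ioctl(2) replacement discussed above looks like in practice. This is an added example, not the port's diff and not sshlockout's own code: it fills a struct pfr_addr the way pfctl does from a "host" or "host/prefix" string, hands it to DIOCRADDADDRS on an already-open /dev/pf, and pledges "stdio pf" instead of "stdio proc exec". The table name and addresses are made up. On non-OpenBSD hosts <net/pfvar.h> is unavailable, so a stand-in struct with the same field names is defined purely so the parsing helper compiles and can be tested there; the real kernel definition is the only one that may be passed to ioctl(2). As the reply notes, whether DIOCRADDADDRS is on the kern_pledge.c list depends on the release, and an ioctl not on that list is a pledge violation (the process is killed), not a soft failure, so this has to be checked on the target system.

```c
/*
 * Added example (not the port's code): add an address to a pf table with
 * ioctl(DIOCRADDADDRS) instead of system("pfctl -t <table> -T add <addr>"),
 * so the program can pledge "stdio pf" and drop "proc exec".
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
#include <net/if.h>
#include <net/pfvar.h>
#else
/* Stand-in for the fields of struct pfr_addr from <net/pfvar.h>, only so
 * pfr_addr_from_string() compiles and can be tested on other systems. */
struct pfr_addr {
	union {
		struct in_addr	_pfra_ip4addr;
		struct in6_addr	_pfra_ip6addr;
	} pfra_u;
	unsigned char	pfra_af;
	unsigned char	pfra_net;
	unsigned char	pfra_not;
};
#define pfra_ip4addr pfra_u._pfra_ip4addr
#define pfra_ip6addr pfra_u._pfra_ip6addr
#endif

/*
 * Fill *pa from "addr" or "addr/prefix" (IPv4 or IPv6): the same data pfctl
 * derives from its command line. A bare address gets a host prefix (32/128).
 * Returns 0 on success, -1 on a malformed address or prefix length.
 */
int
pfr_addr_from_string(const char *s, struct pfr_addr *pa)
{
	char buf[INET6_ADDRSTRLEN + 4];
	char *slash, *end;
	long bits;
	int maxbits;

	memset(pa, 0, sizeof(*pa));
	if (strlen(s) >= sizeof(buf))
		return -1;
	strcpy(buf, s);
	if ((slash = strchr(buf, '/')) != NULL)
		*slash++ = '\0';

	if (inet_pton(AF_INET, buf, &pa->pfra_ip4addr) == 1) {
		pa->pfra_af = AF_INET;
		maxbits = 32;
	} else if (inet_pton(AF_INET6, buf, &pa->pfra_ip6addr) == 1) {
		pa->pfra_af = AF_INET6;
		maxbits = 128;
	} else
		return -1;

	if (slash == NULL) {
		pa->pfra_net = maxbits;		/* single host */
		return 0;
	}
	errno = 0;
	bits = strtol(slash, &end, 10);
	if (errno != 0 || end == slash || *end != '\0' ||
	    bits < 0 || bits > maxbits)
		return -1;		/* "10.0.0.1/33", "10.0.0.1/", "a/2x" */
	pa->pfra_net = (unsigned char)bits;
	return 0;
}

/*
 * Add one address to the named table (main ruleset) through an already
 * open /dev/pf. Returns the number of addresses the kernel actually added
 * (0 if it was already in the table, 1 if new), or -1 with errno set.
 * On non-OpenBSD hosts this is a stub that fails with ENOSYS.
 */
int
pf_table_add(int pfdev, const char *table, const char *addr)
{
#ifdef __OpenBSD__
	struct pfioc_table io;
	struct pfr_addr pa;

	if (pfr_addr_from_string(addr, &pa) == -1) {
		errno = EINVAL;
		return -1;
	}
	memset(&io, 0, sizeof(io));
	if (strlcpy(io.pfrio_table.pfrt_name, table,
	    sizeof(io.pfrio_table.pfrt_name)) >=
	    sizeof(io.pfrio_table.pfrt_name)) {
		errno = ENAMETOOLONG;
		return -1;
	}
	io.pfrio_buffer = &pa;		/* array of pfrio_size entries */
	io.pfrio_esize = sizeof(pa);	/* kernel checks this against its ABI */
	io.pfrio_size = 1;
	if (ioctl(pfdev, DIOCRADDADDRS, &io) == -1)
		return -1;
	return io.pfrio_nadd;
#else
	(void)pfdev; (void)table; (void)addr;
	errno = ENOSYS;
	return -1;
#endif
}

int
main(int argc, char *argv[])
{
	int pfdev, n;

	if (argc != 3) {
		fprintf(stderr, "usage: %s table address[/prefix]\n", argv[0]);
		return 1;
	}
	/* Open the device before pledging; afterwards only the ioctl is needed. */
	if ((pfdev = open("/dev/pf", O_RDWR)) == -1)
		err(1, "/dev/pf");
#ifdef __OpenBSD__
	if (pledge("stdio pf", NULL) == -1)	/* no "proc exec" any more */
		err(1, "pledge");
#endif
	if ((n = pf_table_add(pfdev, argv[1], argv[2])) == -1)
		err(1, "DIOCRADDADDRS %s", argv[2]);
	printf("%d address(es) added to table <%s>\n", n, argv[1]);
	close(pfdev);
	return 0;
}
```

Two things worth noting against the reply's caveat about kernel ABI changes: pfrio_esize is how the kernel detects a stale struct pfr_addr layout (the ioctl fails instead of misreading the buffer), and a caller that wants sshlockout's "fail open" behaviour should treat a -1 here as a logged warning rather than a fatal error.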
