> On 2017/11/14 18:31, Jeremie Courreges-Anglas wrote:
> > On Sun, Nov 12 2017, sunil+po...@nimmagadda.net wrote:
> > > Hi,
> >
> > Hi Sunil,
> >
> > > This diff replaces a system(3) call to insert an address into a pf
> > > table with ioctl(DIOCADDADDRS) which allows removal of "proc exec"
> > > from the pledge promises.
> >
> > Interesting. So DIOCRADDADDRS isn't restricted by pledge(2)?
>
> It looks like it would be restricted, it's not on the list of permitted
> ioctls in the PLEDGE_PF section of kern_pledge.c. OTOH, DIOCRSETADDRS
> and DIOCRCLRADDRS *are* permitted, so I don't think it would be
> unreasonable to permit the remaining DIOCRxxxADDRS.
>
> One reason for a port to call out to pfctl for PF-related operations
> is to insulate it from kernel ABI changes (pfctl is more likely to be
> up to date than packages after an update). I suppose at least for
> sshlockout, it would fail open rather than closed if there were a
> problem like this, so not likely to be a huge annoyance.
Absolutely. Don't do the ioctl by hand. As to DIOCRADDADDRS and other ioctls, did you even test your diff before sending it???