"Theo de Raadt" <dera...@openbsd.org> wrote:
> > On 2017/11/14 18:31, Jeremie Courreges-Anglas wrote:
> > > On Sun, Nov 12 2017, sunil+po...@nimmagadda.net wrote:
> > > > Hi,
> > > 
> > > Hi Sunil,
> > > 
> > > > This diff replaces a system(3) call to insert an address into a pf
> > > > table with ioctl(DIOCADDADDRS) which allows removal of "proc exec"
> > > > from the pledge promises.
> > > 
> > > Interesting.  So DIOCRADDADDRS isn't restricted by pledge(2)?
> > 
> > It looks like it would be restricted, it's not on the list of permitted
> > ioctls in the PLEDGE_PF section of kern_pledge.c. OTOH, DIOCRSETADDRS
> > and DIOCRCLRADDRS *are* permitted, so I don't think it would be
> > unreasonable to permit the remaining DIOCRxxxADDRS.
> > 
> > One reason for a port to call out to pfctl for PF-related operations
> > is to insulate it from kernel ABI changes (pfctl is more likely to be
> > up to date than packages after an update). I suppose at least for
> > sshlockout, it would fail open rather than closed if there were a
> > problem like this, so not likely to be a huge annoyance.
> 
> absolutely.  Don't do the ioctl by hand.

As this program needs to run with elevated privileges, I was looking
for a way to reduce pledge promises. I didn't know ioctl(2) by hand
was discouraged.

> 
> As to DIOCRADDADDRS and other ioctl, did you even test your diff
> before sending it???

Yes, I did, but I did it wrong, and I now realize my mistake.  I
forgot to make update-patches and was testing system("pfctl -tlockout
-Tadd x.x.x.x") assuming it was ioctl(2).

I installed a clean snapshot and ports tree; sshlockout with this
diff promptly crashes, as ioctl(2) isn't allowed by pledge, and syslogd
restarts sshlockout. Sorry for the noise. I will drop this diff.
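The approach the thread settles on, exec'ing pfctl rather than issuing the pf ioctl by hand, as an added example that is not sshlockout's own code: "proc exec" stays in the pledge promises, the address is validated with inet_pton before it becomes a pfctl argument, and nothing is interpolated into a shell string for system(3). The table name "lockout" comes from the thread; /sbin/pfctl is the base-system path, and the pledge(2) call is compiled only on OpenBSD.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <errno.h>
#include <unistd.h>

/* Reject anything that is not a literal IPv4/IPv6 address: the string is
 * parsed out of untrusted sshd log lines and becomes a pfctl argument. */
static int valid_address(const char *addr)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, addr, buf) == 1 ||
           inet_pton(AF_INET6, addr, buf) == 1;
}

/* Run "pfctl -t <table> -T add <addr>" with fork/execv: no shell, no
 * format string. Returns pfctl's exit status, or -1 on error. */
static int pf_table_add(const char *table, const char *addr)
{
    if (!valid_address(addr)) {
        errno = EINVAL;
        return -1;
    }
    char *const argv[] = { "pfctl", "-t", (char *)table, "-T", "add",
                           (char *)addr, NULL };
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execv("/sbin/pfctl", argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
#ifdef __OpenBSD__
    /* pfctl does the pf ioctls, so "pf" is not needed here; "proc exec" is. */
    if (pledge("stdio proc exec", NULL) == -1)
        return 1;
#endif
    if (argc != 3) return 2;        /* usage: prog table address */
    return pf_table_add(argv[1], argv[2]) == 0 ? 0 : 1;
}
```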
