For the archives, if anyone else hits this issue.
Being killed with pledge sysctl 2 on a golang http.ListenAndServe no longer
happens.
https://github.com/golang/go/issues/31927
On Mon, Feb 03, 2020 at 12:52:05AM +, Jimmy Brush wrote:
> No golang tcp server can be pledged without this change because it
> queries kern.somaxconn before it listens on a tcp socket[1][2][3].
>
> I cannot think of any advantage this change would give an attacker
> who has compromised a pledged process.
No golang tcp server can be pledged without this change because it
queries kern.somaxconn before it listens on a tcp socket[1][2][3].
I cannot think of any advantage this change would give an attacker
who has compromised a pledged process.
[1] https://golang.org/src/net/sock_posix.go#L57
[2]