Ricardo Mestre (2017-07-04 18:22 +0200):
> What about applying the pledge early on only if snaplen is not being defined,
> but if it is then call pledge as well but only after the filter is applied
> (this is where the offending ioctl is called)?
I think there are two problems with this approach:
- It doesn't cover the case where -s has not been used, but the logfile
does have a nonstandard snaplen.
- If the logfile has a different snaplen, then the snaplen will have to
be changed for a second time later on, when the logfile has been
rotated. But at that point pledge has already been called.
> A better strategy probably would involve something similar to tcpdump to check
> if PRIV_INIT_DONE was reached and only apply the single pledge there, but that
> involves quite some restructure. So is the below OK? If not then the best for
> now is to put back the pledge inside #if 0.
>
> Index: pflogd.c
> ===================================================================
> RCS file: /cvs/src/sbin/pflogd/pflogd.c,v
> retrieving revision 1.53
> diff -u -p -u -r1.53 pflogd.c
> --- pflogd.c 16 Jan 2016 03:17:48 -0000 1.53
> +++ pflogd.c 4 Jul 2017 16:10:51 -0000
> @@ -557,6 +557,7 @@ main(int argc, char **argv)
> const char *errstr = NULL;
>
> ret = 0;
> + setsnaplen = 0;
>
> closefrom(STDERR_FILENO + 1);
>
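Review bot: `setsnaplen = 0;` in main() is redundant: the flag is a file-scope `int` and is already zero-initialized, so this assignment adds nothing for correctness. It does follow the `ret = 0;` line directly above it stylistically, but if the flag is kept, initializing it at its definition rather than in main() keeps the pledge-gating state in one place.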
> @@ -583,6 +584,7 @@ main(int argc, char **argv)
> snaplen = DEF_SNAPLEN;
> if (errstr)
> snaplen = PFLOGD_MAXSNAPLEN;
> + setsnaplen = 1;
> break;
> case 'x':
> Xflag = 1;
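Review bot: `setsnaplen = 1;` records only that -s was given on the command line; it does not cover the case raised above where no -s was passed but the existing logfile carries a nonstandard snaplen. On that path the flag stays zero, priv_init() pledges immediately, and the later snaplen change still hits the ioctl under pledge. The decision needs to be based on whether a snaplen change will actually occur, not on whether -s was seen.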
> Index: pflogd.h
> ===================================================================
> RCS file: /cvs/src/sbin/pflogd/pflogd.h,v
> retrieving revision 1.5
> diff -u -p -u -r1.5 pflogd.h
> --- pflogd.h 10 Oct 2015 22:36:06 -0000 1.5
> +++ pflogd.h 4 Jul 2017 16:10:51 -0000
> @@ -47,3 +47,4 @@ void send_fd(int, int);
> int receive_fd(int);
>
> extern int Debug;
> +int setsnaplen;
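Review bot: `int setsnaplen;` in pflogd.h is a definition, not a declaration, unlike the `extern int Debug;` directly above it. Since the header is included from both pflogd.c and privsep.c (both use the flag in this patch), this yields one tentative definition per compilation unit, which only links thanks to common-symbol merging and fails with -fno-common. Declare it `extern int setsnaplen;` here and define it once in pflogd.c.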
> Index: privsep.c
> ===================================================================
> RCS file: /cvs/src/sbin/pflogd/privsep.c,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 privsep.c
> --- privsep.c 12 Jun 2017 23:37:44 -0000 1.25
> +++ privsep.c 4 Jul 2017 16:10:51 -0000
> @@ -118,8 +118,10 @@ priv_init(void)
> setproctitle("[priv]");
> close(socks[1]);
>
> - if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == -1)
> - err(1, "pledge");
> + if (setsnaplen == 0) {
> + if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) ==
> -1)
> + err(1, "pledge");
> + }
>
> while (!gotsig_chld) {
> if (may_read(socks[0], &cmd, sizeof(int)))
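Review bot: when `setsnaplen` is non-zero the privileged parent enters the `while (!gotsig_chld)` command loop with no pledge at all and stays unpledged until the child happens to request a snaplen change; if that request never arrives, or arrives late, the parent runs unpledged for its whole lifetime, which is a wider regression than the #if 0 fallback mentioned above. If a promise set exists that admits the filter ioctl, pledge unconditionally here with that set and tighten to the current set in set_snaplen(); skipping the call entirely should not be the fallback.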
> @@ -185,6 +187,9 @@ set_snaplen(int snap)
>
> hpcap->snapshot = snap;
> set_pcap_filter();
> +
> + if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == -1)
> + err(1, "pledge");
>
> return 0;
> }
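Review bot: the pledge appended after `set_pcap_filter()` in set_snaplen() runs on every call, and set_snaplen() is reached again whenever the snaplen changes, as in the logfile rotation case raised above; on the second call `set_pcap_filter()` and its ioctl execute under the pledge taken during the first, so the violation this patch tries to avoid reappears later. A pledge at this point only works if set_snaplen() is guaranteed to run exactly once, which the visible code does not enforce.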