/usr/ports/infrastructure/db/systrace.filter has these:
native-recvmsg: permit
native-sendmsg: sockaddr match "/tmp" then permit
native-sendmsg: sockaddr match "/var/tmp" then permit
native-sendmsg: sockaddr match "/tmp" then permit
native-sendmsg: sockaddr match "/usr/ports/pobj/unzip-6.0" then permit
native-sendmsg: sockaddr match "/<non-existent filename>: *" then deny[enoent]
We could add this I think:
native-sendmsg: sockaddr eq "<unknown>" then permit
On Thu, Jun 04, 2015 at 10:47:47PM +0100, Nicholas Marriott wrote:
> Hi
>
> On Thu, Jun 04, 2015 at 03:39:45PM -0600, Theo de Raadt wrote:
> > > Is it just to avoid adding sendmsg to the ports systrace policy? Why not
> > > add it - maybe not globally but just for file?
> >
> > sendmsg with a CMSG fd passing in/out of such a jail is a bad thing.
>
> The systrace policy already allows recvmsg(). So we can get new fds in,
> why not send them out?
>
> Any fd we have inside to send out will have had to have passed the
> open(), bind() etc systrace rules already.
>
> >
> > However.
> >
> > It is likely that a ports configure test may try to test this interface.
> > Not just CMSG, but sendmsg itself.
> >
> > I suspect it needs to find that it works.
> >
> > I doubt this is a system call that can be blocked.
> >
> > It sounds like a great idea to limit the build environment substantially,
> > but an eye must be kept on fallout from being too strict. That's the
> > problem with systrace; it is too easy to return an 'error' and a program
> > will continue...
> >
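As an added illustration (not code from this thread or from the ports tree), this is the sendmsg()/recvmsg() descriptor-passing exchange the discussion is about, in the shape a configure test would exercise it: an unnamed AF_UNIX socketpair, SCM_RIGHTS, and no msg_name. My assumption is that this msg_name-less sendmsg() is what systrace reports with the "<unknown>" sockaddr that the proposed rule permits; the function names are my own.

```c
#include <sys/socket.h>
#include <string.h>
#include <unistd.h>

/* Pass one descriptor from socket `from` to socket `to` with SCM_RIGHTS; returns
 * the received copy, or -1 on failure or truncated control data. msg_name stays
 * NULL throughout: the peer is the other end of an unnamed socketpair, not a path. */
static int pass_fd(int from, int to, int fd)
{
    char byte = 'F';                    /* at least one data byte is required */
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr m;
    struct cmsghdr *c;
    int got = -1;

    memset(&u, 0, sizeof u); memset(&m, 0, sizeof m);
    m.msg_iov = &iov;      m.msg_iovlen = 1;
    m.msg_control = u.buf; m.msg_controllen = sizeof u.buf;
    c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    if (sendmsg(from, &m, 0) != 1)
        return -1;

    /* Receiving side: reuse the buffers; MSG_CTRUNC means the fd did not fit. */
    memset(&u, 0, sizeof u); m.msg_controllen = sizeof u.buf;
    if (recvmsg(to, &m, 0) != 1 || (m.msg_flags & MSG_CTRUNC))
        return -1;
    c = CMSG_FIRSTHDR(&m);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS &&
        c->cmsg_len == CMSG_LEN(sizeof(int)))
        memcpy(&got, CMSG_DATA(c), sizeof(int));
    return got;
}

/* Round trip: a pipe's read end crosses a socketpair and the received copy
 * reads what was written into the pipe. Returns 1 on success, 0 otherwise. */
int pass_fd_roundtrip(void)
{
    int sv[2], p[2], rfd;
    char buf[2] = { 0, 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || pipe(p) == -1 ||
        write(p[1], "ok", 2) != 2 ||
        (rfd = pass_fd(sv[0], sv[1], p[0])) == -1 || read(rfd, buf, 2) != 2)
        return 0;
    close(rfd); close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
    return memcmp(buf, "ok", 2) == 0;
}
```

Under a policy that denies the sendmsg() the exchange fails at the send step, which is exactly the "configure test finds it does not work" fallout the thread warns about.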