Hi
I was just trying to pledge(2) spamd(8), nevertheless came across 2
priviliges kern_pledge.c is missing for this to work.
First spamd(8) needs to read sysctl kern.maxfiles in order to see if it
can launch with that value or not, and second if the multicast options
are passed as parameters then it also needs IP_MULTICAST_TTL since
spamd(8) calls setsockopt(2) with that option set:
Index: kern_pledge.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_pledge.c,v
retrieving revision 1.89
diff -u -p -u -r1.89 kern_pledge.c
--- kern_pledge.c 28 Oct 2015 15:33:44 -0000 1.89
+++ kern_pledge.c 28 Oct 2015 16:13:31 -0000
@@ -889,6 +889,9 @@ pledge_sysctl_check(struct proc *p, int
if (miblen == 3 && /* kern.cptime2 */
mib[0] == CTL_KERN && mib[1] == KERN_CPTIME2)
return (0);
+ if (miblen == 2 && /* kern.maxfiles */
+ mib[0] == CTL_KERN && mib[1] == KERN_MAXFILES)
+ return (0);
}
if ((p->p_p->ps_pledge & PLEDGE_PS)) {
@@ -1210,6 +1213,7 @@ pledge_sockopt_check(struct proc *p, int
case IP_RECVDSTPORT:
return (0);
case IP_MULTICAST_IF:
+ case IP_MULTICAST_TTL:
case IP_ADD_MEMBERSHIP:
case IP_DROP_MEMBERSHIP:
if (p->p_p->ps_pledge & PLEDGE_MCAST)
With this patch then spamd(8) works with the patch below (I used a lot
of options that I use on my servers like greylisting options, multicast,
certificate, stuttering etc). Bear in mind that this is just an initial
patch and the priviliges can be dropped further down the code and also
that I'm just beginning and sharing this more as a question if I can go
down this road than as a request:
Index: spamd.c
===================================================================
RCS file: /cvs/src/libexec/spamd/spamd.c,v
retrieving revision 1.130
diff -u -p -u -r1.130 spamd.c
--- spamd.c 10 Sep 2015 13:56:12 -0000 1.130
+++ spamd.c 28 Oct 2015 14:30:57 -0000
@@ -1211,6 +1211,9 @@ main(int argc, char *argv[])
char *tlskeyfile = NULL;
char *tlscertfile = NULL;
+ if (pledge("stdio rpath wpath inet dns ioctl id route mcast proc
flock ps", NULL) == -1)
+ err(1, "pledge");
+
tzset();
openlog_r("spamd", LOG_PID | LOG_NDELAY, LOG_DAEMON, &sdata);
@@ -1227,6 +1230,10 @@ main(int argc, char *argv[])
if (gethostname(hostname, sizeof hostname) == -1)
err(1, "gethostname");
maxfiles = get_maxfiles();
+
+ if (pledge("stdio rpath wpath inet dns ioctl id route mcast proc
flock", NULL) == -1)
+ err(1, "pledge");
+
if (maxcon > maxfiles)
maxcon = maxfiles;
if (maxblack > maxfiles)
Best regards,
Ricardo Mestre