> I was just trying to pledge(2) spamd(8), nevertheless came across 2
> privileges that kern_pledge.c is missing for this to work.
>
> First spamd(8) needs to read sysctl kern.maxfiles in order to see if it
> can launch with that value or not, and second if the multicast options
> are passed as parameters then it also needs IP_MULTICAST_TTL since
> spamd(8) calls setsockopt(2) with that option set:
I am not a fan of this approach. Your diff is very close to
pledge("everything")
That is a very small stopgap against a problem. Though you now have a
list of things being done in one process, and good argument for someone
to refactor this into privsep......
My gut reaction is to not allow these two operations. I normally wait
until I see evidence other programs need such operations, while being
very strongly protected from pledge. Not seeing that here.
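One way to avoid asking pledge(2) for either permission is to reorder the
program so that the sysctl read and the setsockopt call happen before
pledge() is ever called. The C below is an added example illustrating that
ordering; it is not spamd(8)'s code and is not from either message above,
and whether spamd's structure allows this ordering (or needs the privsep
refactor suggested above) is not settled by the thread. The "stdio inet"
promise string, the 1024 floor for kern.maxfiles and the TTL of 8 are
assumptions chosen for the example. On OpenBSD it reads the real
kern.maxfiles and calls pledge(); on other systems the labelled fallbacks
(RLIMIT_NOFILE, a no-op pledge) only keep it compiling.

```c
/*
 * Added example (not spamd's code, not from the thread): do the two
 * operations the quoted diff wanted to admit into pledge(2), reading
 * kern.maxfiles via sysctl(2) and setting IP_MULTICAST_TTL, before
 * pledge() is called, so the promise set can stay narrow.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/resource.h>
#include <netinet/in.h>
#include <err.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __OpenBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#endif

/* Read the kernel's open-file limit. On OpenBSD this is the real
 * kern.maxfiles sysctl; elsewhere the RLIMIT_NOFILE hard limit is used
 * as a stand-in (assumption: nearest portable number). -1 on failure. */
long kernel_maxfiles(void)
{
#ifdef __OpenBSD__
	int mib[2] = { CTL_KERN, KERN_MAXFILES };
	int maxfiles;
	size_t len = sizeof(maxfiles);
	if (sysctl(mib, 2, &maxfiles, &len, NULL, 0) == -1)
		return -1;
	return maxfiles;
#else
	struct rlimit rl;
	if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
		return -1;
	return (long)rl.rlim_max;
#endif
}

/* Open a UDP socket and set IP_MULTICAST_TTL on it. Done before pledge()
 * so the option does not have to be admitted into the promise set.
 * The option value is one byte, as both OpenBSD and Linux accept. */
int open_multicast_socket(int ttl)
{
	int fd = socket(AF_INET, SOCK_DGRAM, 0);
	if (fd == -1)
		return -1;
	unsigned char t = (unsigned char)ttl;
	if (setsockopt(fd, IPPROTO_IP, IP_MULTICAST_TTL, &t, sizeof(t)) == -1) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Read the TTL back so the caller can confirm the option took.
 * Also called before pledge() in this example. -1 on failure. */
int multicast_ttl(int fd)
{
	unsigned char t = 0;
	socklen_t len = sizeof(t);
	if (getsockopt(fd, IPPROTO_IP, IP_MULTICAST_TTL, &t, &len) == -1)
		return -1;
	return t;
}

/* Drop to a narrow promise set. The promise string is an assumption for
 * this example. On non-OpenBSD hosts this is a labelled no-op. */
int restrict_process(void)
{
#ifdef __OpenBSD__
	return pledge("stdio inet", NULL);
#else
	return 0;
#endif
}

int main(void)
{
	long maxfiles = kernel_maxfiles();
	if (maxfiles == -1)
		err(1, "kernel_maxfiles");
	if (maxfiles < 1024)	/* assumed policy for the example */
		errx(1, "kern.maxfiles too low: %ld", maxfiles);

	int fd = open_multicast_socket(8);
	if (fd == -1)
		err(1, "open_multicast_socket");
	int ttl = multicast_ttl(fd);

	/* Privileged setup is finished; now pledge. From here on a sysctl(2)
	 * of kern.maxfiles or another IP_MULTICAST_TTL setsockopt(2) would be
	 * a pledge violation rather than something the promise set allows. */
	if (restrict_process() == -1)
		err(1, "pledge");

	printf("maxfiles=%ld multicast ttl=%d\n", maxfiles, ttl);
	close(fd);
	return 0;
}
```

The design point is the order: anything that needs a permission pledge
does not grant is finished first, and pledge() is called last, so the
promise string describes only what the long-running part of the process
does.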