> In many bpf-using programs, bpf is set up before privs are dropped,
> then locked, and then no significant ioctls are done after that.
>
> So please show the userland diffs that use this.
You're right. I was thinking of arp(8) but that code path is write only. I wrote it for the GSoC dhcpd which keeps a routing socket for interfaces arriving/departing (plugging USB NICs or adding vlan(4)s into your router really shouldn't make the dhcpd process die; even deleting interfaces will keep the rest of the system serving happily). It probably doesn't have to be there; the privileged part of the code fits on a screen anyway and only does the bare minimum. The uint64_t part still stands. Index: kern/kern_pledge.c =================================================================== RCS file: /cvs/src/sys/kern/kern_pledge.c,v retrieving revision 1.174 diff -u -p -r1.174 kern_pledge.c --- kern/kern_pledge.c 3 Jul 2016 04:36:08 -0000 1.174 +++ kern/kern_pledge.c 5 Jul 2016 17:35:04 -0000 @@ -79,7 +79,7 @@ #include "drm.h" #endif -int pledgereq_flags(const char *req); +uint64_t pledgereq_flags(const char *req); int canonpath(const char *input, char *buf, size_t bufsize); int substrcmp(const char *p1, size_t s1, const char *p2, size_t s2); int resolvpath(struct proc *p, char **rdir, size_t *rdirlen, char **cwd, @@ -404,7 +405,7 @@ sys_pledge(struct proc *p, void *v, regi if (SCARG(uap, request)) { size_t rbuflen; char *rbuf, *rp, *pn; - int f; + uint64_t f; rbuf = malloc(MAXPATHLEN, M_TEMP, M_WAITOK); error = copyinstr(SCARG(uap, request), rbuf, MAXPATHLEN, @@ -1514,7 +1534,7 @@ pledge_swapctl(struct proc *p) } /* bsearch over pledgereq. return flags value if found, 0 else */ -int +uint64_t pledgereq_flags(const char *req_name) { int base = 0, cmp, i, lim;
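Review bot: In the sys_pledge() hunk (@@ -404,7 +405,7 @@), widening `f` to uint64_t only helps if everything `f` is later combined with or compared against is 64-bit too. That code lies outside the visible context lines, so please confirm the variable the per-request flags are accumulated into is also uint64_t. Otherwise the high bits are still lost one assignment later.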
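Review bot: In the pledgereq_flags() hunk (@@ -1514,7 +1534,7 @@), the comment "return flags value if found, 0 else" should say why the return type must be 64-bit, and so should the commit message. With the old int return, a flag above bit 31 is truncated and can collapse to 0, which this comment defines as "not found", and a value with bit 31 set sign-extends when the caller widens it. Please also check that the table field being returned is declared uint64_t. It is not shown in this hunk.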
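Review bot: The hunk headers do not add up for the lines shown. The first hunk is -79,7 +79,7 and every visible hunk is a one-for-one line replacement, yet the second starts at -404/+405 and the third at -1514/+1534. That suggests other hunks were cut out of this diff by hand. Please regenerate it against revision 1.174 with only the uint64_t changes, so it applies without offsets and reviewers can see that nothing else is included.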