> pledge() currently forbids IP_HDRINCL in setsockopt().
>
> If I allow it in "inet", I can pledge /usr/ports/net/mtr (a traceroute tool)
> to "stdio rpath inet dns tty".
>
> Is this safe? Should I require something other than "inet"?
No. It blocks it intentionally. We don't want "inet" programs in control of headers. You've found 1 program that wants this, but by allowing it you are permitting 300 others to suddenly gain it as a risk factor.

> > Index: kern_pledge.c > =================================================================== > RCS file: /cvs/src/sys/kern/kern_pledge.c,v > retrieving revision 1.192 > diff -u -p -r1.192 kern_pledge.c > --- kern_pledge.c 23 Jan 2017 05:49:24 -0000 1.192 > +++ kern_pledge.c 11 Mar 2017 08:33:19 -0000 > @@ -1414,6 +1414,7 @@ pledge_sockopt(struct proc *p, int set, > case IP_PORTRANGE: > case IP_RECVDSTADDR: > case IP_RECVDSTPORT: > + case IP_HDRINCL: > return (0); > case IP_MULTICAST_IF: > case IP_ADD_MEMBERSHIP: >
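Review bot: the added `case IP_HDRINCL:` in pledge_sockopt() lands in the unconditional `return (0)` group next to IP_PORTRANGE, IP_RECVDSTADDR and IP_RECVDSTPORT, so it is granted to every process that pledged "inet", not just the one raw-socket tool that motivated it. That is exactly the widening the reply above objects to: IP_HDRINCL hands the caller full control of the IP header, which is the opposite of what a minimal "inet" promise is meant to allow. If this were to go anywhere, it would need its own check rather than a seat in this list, and the diff would also have to touch pledge(2), since the set of setsockopt options each promise permits is documented there and this change to kern_pledge.c alone leaves the man page silent on it. As posted, this should not be applied.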