With the most recent commit, ifstated can now be pledged in a straightforward
manner. A better pledge is possible with more work.

Does it make sense to get this one in now?

Rob

Index: ifstated.c
===================================================================
RCS file: /cvs/src/usr.sbin/ifstated/ifstated.c,v
retrieving revision 1.52
diff -u -p -r1.52 ifstated.c
--- ifstated.c  21 Jul 2017 16:32:18 -0000      1.52
+++ ifstated.c  22 Jul 2017 03:58:23 -0000
@@ -160,6 +160,9 @@ main(int argc, char *argv[])
            &rtfilter, sizeof(rtfilter)) == -1) /* not fatal */
                log_warn("%s: setsockopt tablefilter", __func__);
 
+       if (pledge("stdio rpath inet proc exec", NULL) == -1)
+               fatal("pledge");
+
        signal_set(&sigchld_ev, SIGCHLD, sigchld_handler, NULL);
        signal_add(&sigchld_ev, NULL);
 
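
Review bot: The promise string in the added pledge() call, "stdio rpath inet proc exec", has no comment saying which later code path needs each promise, and nothing in the visible context shows why rpath and inet are required after the routing socket has already been configured. Please add a short comment above the call listing the consumer of each promise, so the set can be narrowed later without re-auditing the whole daemon. Because "proc exec" is kept, the process can still fork and run other programs after this point, so the restriction applies mainly to the daemon's own code and that limit is worth stating in the same comment.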
