On Sun, Jul 23, 2017 at 12:26:53AM +0200, Jeremie Courreges-Anglas wrote:
> On Sat, Jul 22 2017, Rob Pierce <r...@2keys.ca> wrote:
> > With the most recent commit ifstated can now be pledged in a
> > straightforward manner. A better pledge is possible with more work.
> >
> > Does it make sense to get this one in now?
>
> Regress tests pass. I think this is the way to go. ok jca@

I just realized that we can do a stricter pledge with route instead of inet. Rob Index: ifstated.c =================================================================== RCS file: /cvs/src/usr.sbin/ifstated/ifstated.c,v retrieving revision 1.53 diff -u -p -r1.53 ifstated.c --- ifstated.c 22 Jul 2017 19:52:01 -0000 1.53 +++ ifstated.c 22 Jul 2017 23:36:15 -0000 @@ -159,6 +159,9 @@ main(int argc, char *argv[]) &rtfilter, sizeof(rtfilter)) == -1) /* not fatal */ log_warn("%s: setsockopt tablefilter", __func__); + if (pledge("stdio rpath route proc exec", NULL) == -1) + fatal("pledge"); + signal_set(&sigchld_ev, SIGCHLD, sigchld_handler, NULL); signal_add(&sigchld_ev, NULL);
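
Review bot: The added pledge("stdio rpath route proc exec", NULL) call in main() has no comment saying which later code needs each promise, and the set is still broad: rpath together with proc and exec leaves the daemon able to read files, fork and execute programs for its whole lifetime. A short comment above the call naming the reason for each promise (route for the routing socket whose tablefilter setsockopt sits just above, proc and exec presumably for the children that sigchld_handler reaps) would make the string checkable in review and easier to narrow later, which the thread already says is possible with more work. If the call has to stay below the socket setup shown in the context lines, state that ordering requirement in the same comment so a later refactor does not move it.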