On Sat, Jul 22 2017, Rob Pierce <[email protected]> wrote:
> On Sun, Jul 23, 2017 at 12:26:53AM +0200, Jeremie Courreges-Anglas wrote:
>> On Sat, Jul 22 2017, Rob Pierce <[email protected]> wrote:
>> > With the most recent commit ifstated can now be pledged in a
>> > straightforward manner. A better pledge is possible with more work.
>> >
>> > Does it make sense to get this one in now?
>>
>> Regress tests pass. I think this is the way to go. ok jca@
>
> I just realized that we can do a stricter pledge with route instead of inet.
This looks even better.
> Rob
>
> Index: ifstated.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ifstated/ifstated.c,v
> retrieving revision 1.53
> diff -u -p -r1.53 ifstated.c
> --- ifstated.c 22 Jul 2017 19:52:01 -0000 1.53
> +++ ifstated.c 22 Jul 2017 23:36:15 -0000
> @@ -159,6 +159,9 @@ main(int argc, char *argv[])
> &rtfilter, sizeof(rtfilter)) == -1) /* not fatal */
> log_warn("%s: setsockopt tablefilter", __func__);
>
> + if (pledge("stdio rpath route proc exec", NULL) == -1)
> + fatal("pledge");
> +
> signal_set(&sigchld_ev, SIGCHLD, sigchld_handler, NULL);
> signal_add(&sigchld_ev, NULL);
>
>
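Review bot: The promise string in the added pledge("stdio rpath route proc exec", NULL) call has no comment saying which code path needs each promise, which matters here because the thread already says a better pledge is possible with more work. A short comment above the call naming what rpath, route, and proc exec are kept for would let a later change drop promises with confidence. The call sits after the setsockopt on the routing socket and before signal_set(), so everything earlier in main() still runs unpledged; if nothing between the start of main() and this point needs more than these promises plus socket setup, it would be worth noting in the commit message why the call cannot move earlier.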
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE