On Wed, Apr 18, 2018 at 07:13:49PM +0200, Florian Obser wrote:
> So I was puzzled why route(8) pledges rpath. As far as I can work out
> it's because asr tries to open /etc/networks in getnetnamadr_async.c
> (line 183).
> 
> If we whitelist that file like all the other things asr needs we can
> drop the rpath pledge in route(8).
> 
> Thoughts?

Previous diff was missing route/show.c.


diff --git sbin/route/route.c sbin/route/route.c
index 9c85f70de78..cb3078427ca 100644
--- sbin/route/route.c
+++ sbin/route/route.c
@@ -243,7 +243,7 @@ main(int argc, char **argv)
                break;
        }
 
-       if (pledge("stdio rpath dns", NULL) == -1)
+       if (pledge("stdio dns", NULL) == -1)
                err(1, "pledge");
 
        switch (kw) {
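Review bot: this hunk only works once the kernel side is in, so the kern_pledge.c change below has to land (and the running kernel be updated) before this route.c change; a route(8) built with "stdio dns" on a kernel whose dns whitelist still ends at /etc/services will be killed the first time asr opens /etc/networks from getnetnamadr_async.c. Suggest committing the kernel hunk first and noting the dependency in the commit message.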
@@ -342,7 +342,7 @@ flushroutes(int argc, char **argv)
                break;
        }
 
-       if (pledge("stdio rpath dns", NULL) == -1)
+       if (pledge("stdio dns", NULL) == -1)
                err(1, "pledge");
 
        if (verbose) {
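Review bot: same pledge string as in main(), and it is now the third of four identical "stdio dns" sites in this diff; consider a one-line comment at each (or a shared define) saying that "dns" already covers the files asr reads (/etc/resolv.conf, /etc/hosts, /etc/services and, with the kernel change, /etc/networks), so nobody re-adds rpath later when a name lookup appears to need a file.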
@@ -1108,7 +1108,7 @@ monitor(int argc, char *argv[])
        char msg[2048];
        time_t now;
 
-       if (pledge("stdio rpath dns", NULL) == -1)
+       if (pledge("stdio dns", NULL) == -1)
                err(1, "pledge");
 
        verbose = 1;
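Review bot: monitor() sets verbose = 1 right after this pledge and then runs for the life of the process, so every network-name lookup it prints depends on /etc/networks being openable under the dns promise for the whole run, not just at startup. That is fine with the kernel hunk, but it makes monitor the best place to verify the change: run `route monitor` on an updated kernel, trigger a route change, and confirm it keeps printing instead of dying on the first open("/etc/networks").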
diff --git sbin/route/show.c sbin/route/show.c
index 913baf6cdb6..c4e3655b91b 100644
--- sbin/route/show.c
+++ sbin/route/show.c
@@ -147,7 +147,7 @@ p_rttables(int af, u_int tableid, int hastable, char prio)
                break;
        }
 
-       if (pledge("stdio rpath dns", NULL) == -1)
+       if (pledge("stdio dns", NULL) == -1)
                err(1, "pledge");
 
        printf("Routing tables\n");
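Review bot: with this hunk all four pledge sites in route(8) are consistent ("stdio dns"), which is what the first diff missed. Before committing, suggest a quick `ktrace -di route show` followed by `kdump | grep networks` on a kernel with the pledge_namei change, to confirm the open of /etc/networks now returns normally under pledge rather than terminating the process.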
diff --git sys/kern/kern_pledge.c sys/kern/kern_pledge.c
index d0886473414..7bdfcbc6612 100644
--- sys/kern/kern_pledge.c
+++ sys/kern/kern_pledge.c
@@ -634,6 +634,8 @@ pledge_namei(struct proc *p, struct nameidata *ni, char 
*origpath)
                                return (0);
                        if (strcmp(path, "/etc/services") == 0)
                                return (0);
+                       if (strcmp(path, "/etc/networks") == 0)
+                               return (0);
                }
 
                if ((ni->ni_pledge == PLEDGE_RPATH) &&
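Review bot: the new strcmp sits next to the existing /etc/services check in the dns whitelist and is consistent with it, but pledge(2) documents the files the dns promise may open; /etc/networks needs to be added to that list in the man page in the same commit, otherwise the documented and enforced whitelists drift apart. Also worth stating in the commit message that this widens what every "dns" pledger can read, not just route(8), since the whitelist is global to the promise.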


-- 
I'm not entirely sure you are real.
