Hi,
This adds pledge(2) to the main proc of relayd(8) with the following promises:
- rpath: load (and reload) the config file
- cpath: unlink the RELAYD_SOCKET
- inet/dns: the daemon deals with AF_INET sockets and also needs to resolve dns
- sendfd: send fds to its children
- unix: additionally, if SNMP is configured, it will also need to communicate with
it through an AF_UNIX socket
With this patch my relays with TLS and http(s) filters configured still work as
intended and can get/set information on it through relayctl(8).
Comments? OK?
Index: relayd.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v
retrieving revision 1.171
diff -u -p -u -r1.171 relayd.c
--- relayd.c 29 Nov 2017 15:24:50 -0000 1.171
+++ relayd.c 1 Aug 2018 09:34:17 -0000
@@ -221,6 +221,14 @@ main(int argc, char *argv[])
if (ps->ps_noaction == 0)
log_info("startup");
+ if (env->sc_conf.flags & F_SNMP) {
+ if (pledge("stdio rpath cpath inet unix dns sendfd", NULL) ==
-1)
+ err(1, "pledge");
+ } else {
+ if (pledge("stdio rpath cpath inet dns sendfd", NULL) == -1)
+ err(1, "pledge");
+ }
+
event_init();
signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);
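
Review bot: the promise set is picked once, from env->sc_conf.flags & F_SNMP at startup, yet the description keeps rpath so that the config can be reloaded. If a reload enables SNMP in a process that started without it, the unix promise cannot be added back, because pledge(2) only ever narrows, and the AF_UNIX socket use described for SNMP would then get the daemon killed. Either include unix unconditionally or state that turning SNMP on requires a restart. Two smaller points: the branches differ by a single word, so choosing the promise string first and calling pledge once would keep the two lists from drifting apart; and since this runs right after log_info("startup"), reporting a failure through the daemon's own logging instead of err(1, "pledge") would put the message where the rest of the startup output goes.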